This is because group owners have their `:admin_group_member` permission
removed when the group is LDAP synced, thus ending in an early return
at `return member unless can_update_member?(current_user, member)` in
`Member.add_user`, leading to new LDAP users not being created.

This make this change while still being able to approve access requests
during a LDAP sync, `Members::ApproveAccessRequestService` has been
changed (in CE) to accept a `:force` option that bypass permission check
(since the permission is removed for owners of LDAP-synced groups).
This option is thus set to `ldap` in `Member.add_user`.
Signed-off-by: Rémy Coutable <remy@rymai.me>