Hello Ali,

My I suggest a scheduled job to set locked=true for the appropriate records?

If you update daily, your job could fitler the user table for user records that have a source starting with ldap and an updated date before yesterday.   Run the job daily.

EDIT - FWIW: We added a custom field to the user record named "admin_notes".   If you had a field like this, the record could update the admin notes to note the date/time that the record was locked.   If the user is in any groups or has any special roles, those could be noted in the admin notes and the corresponding relation removed from the user record.   Noting the group membership and roles will facilitate the situation where a user returns and the account needs to be reactivated.