User locking
With LDAP we can only delete users and not lock them in a way that they cannot log in and are invisible for all services.
Locking is useful to fullfill GDPR requests ("Einschränkung der Verarbeitung"). It is also helpful in the process to fully delete a user: We usually cannot delete a user in the SSO, since services may still have loginname-related user data and this would allow new users to register with the same loginname. We can also not first delete the user-related data in all services since the service may recreate the user because the user still exists.