How long does ssh pull work after LDAP account expired?

Using Omnibus Gitlab CE a user could still pull and push code using his ssh key although he wasn’t able to login to gitlab due to an expired LDAP account.

Is this intentionally?
When will he be blocked? And is there any chance to influence this behavior?

I already tried decreasing “Session duration (minutes)” in the settings.

Is it something related to “ldap_sync_worker_cron” in the config file?