Individual LDAP users log in but get an invalid token

Some months ago I had an LDAP user saying they couldn’t log into our local CE GitLab. When I impersonated them I got the same behaviour, which was a totally blank screen for any GitLab page caused by an invalid token (deleting cookies restores the login screen but logging in gets us a new invalid token).

I nuked the account and they logged in again and hey-presto, issue resolved. Makes me think it’s not something funky on the LDAP side.

Now this has happened again to two accounts (mine included).
Does anyone have an explanation for this?
Is there a way to resolve it without nuking the accounts?

100s of users on this instance and only 1 or 2 accounts affected at a time. Happy to provide diagnostic output if required. I have root access to the box GitLab is installed on.

Thanks in advance,
E