I think I just solved this. It turns out that the “Username Attribute” field is case sensitive and not at all optional. For Microsoft Active Directory, it has to be sAMAccountName.
Before this, every directory sync, either manual or scheduled, would deactivate the users. Also, the users would only start showing up on the Gitea user list after their first login.
My settings are as follows:
Authentication Type: LDAP (via BindDN)
Authentication Name: AD
Security Protocol: LDAPS
Host: corp.domain.com
Port: 636
Skip TLS Verify: >checked<
Bind DN: CN=LDAP read,OU=Users,OU=Administration,ou=root,DC=corp,DC=domain,DC=com
Bind Password: <encrypted...>
User Search Base: OU=Users,OU=Accounts,ou=root,DC=corp,DC=domain,DC=com
User Filter: (&(objectCategory=Person)(memberOf=CN=Git Users,OU=Roles,OU=Groups,OU=Accounts,ou=root,DC=corp,DC=domain,DC=com)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Admin Filter: (memberOf=CN=Git Admins,OU=Roles,OU=Groups,OU=Accounts,ou=root,DC=corp,DC=domain,DC=com)
Restricted Filter: <blank>
Username Attribute: sAMAccountName
First Name Attribute: givenName
Surname Attribute: sn
Email Attribute: mail
Public SSH Key Attribute: >blank<
Avatar Attribute: >blank<
Verify group membershipt in LDAP: >not checked<
Use Paged Search: >not checked< (might be a good idea for large environments, though)
Fetch Attributes in Bind DN Context: >not checked<
Skip local 2FA: >not checked<
Allow an empty search result to deactivate all users: >not checked<
Enable User Synchronization: >checked<
This Authentication Source is Activated: >checked<
Since I’ve fixed this the behaviour has changed. Not only are external user accounts no longer deactivated at every directory sync, but users that fulfill the criteria of the user filter are populated in the Gitea user directory right away - not only after their first login. So this might help as a hint that you solved it in your environments if the users are populated.
(edit: reformatted for better legibility)