1. Enable LDAP enrolment plugin
2. In LDAP Enrolment plugin, set 'External Unenrol Action' to 'Disable course enrolment and remove roles'
3. Create new course, assign a role to a user in the course in the external LDAP source and run enrol/ldap/cli/sync.php
4. Verify that user has been given the appropriate role in the course
5. Remove the same user enrolment from external LDAP source and run enrol/ldap/cli/sync.php
6. Verify that role has been removed from user in the course
7. Finally, re-assign the user to the course in the external LDAP source and run enrol/ldap/cli/sync.php
User should be re-enrolled in the course, appearing in the participants list, and if a student, in the gradebook also.
User does not appear in the participants list or the gradebook (if a student). User does appear under Users->Enrolled Users, but without any role listed.
In the database, it appears to be re-enabling the user_enrolments record correctly (changing status from 1 to 0, which is why they are listed on the Enrolled Users screen), but is NOT inserting a role_assignments record (which is why they don't appear as participants).
What I then discovered is that if the student logs in to the Moodle site, the role is correctly assigned on the fly (this can be tested by an admin doing a 'login as' the student). So, the "$enrol->sync_user_enrolments($user)" called when a user logs in is inserting the necessary role_assignment records, but the bulk call "$enrol->sync_enrolments()" from enrol/ldap/cli/sync.php is not creating role_assignment records.
Based on that, my workaround for the moment is to loop through all LDAP users, calling sync_user_enrolments for each user. That worked in restoring the missing role_assignment records on our site.
It's important for the records to exist prior to students logging in, because our teachers need to be able to assess very young students in the gradebook, all of whom have Moodle accounts but wouldn't necessarily log in (being 5 years old!).
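A check for the state described above (an active user_enrolments record with no matching role_assignments record), as an added example that is not part of the original report or of Moodle's code. It assumes the standard Moodle schema with the default `mdl_` table prefix and runs the query against constructed sample rows in SQLite; the same SELECT can be run read-only against the site database before and after a sync.

```python
import sqlite3

# Active LDAP enrolments with no matching role assignment in the course
# context. Names follow the standard Moodle schema with the default "mdl_"
# prefix (assumption: adjust to your prefix). contextlevel 50 = course context.
ORPHAN_SQL = """
SELECT ue.userid, e.courseid
  FROM mdl_user_enrolments ue
  JOIN mdl_enrol e   ON e.id = ue.enrolid AND e.enrol = 'ldap'
  JOIN mdl_context c ON c.contextlevel = 50 AND c.instanceid = e.courseid
  LEFT JOIN mdl_role_assignments ra
         ON ra.userid = ue.userid AND ra.contextid = c.id
        AND ra.component = 'enrol_ldap' AND ra.itemid = e.id
 WHERE ue.status = 0 AND ra.id IS NULL
 ORDER BY e.courseid, ue.userid
"""

def build_sample_db():
    """Constructed sample data: one course, three LDAP-enrolled users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
    CREATE TABLE mdl_enrol (id INTEGER PRIMARY KEY, enrol TEXT, courseid INTEGER, roleid INTEGER);
    CREATE TABLE mdl_user_enrolments (id INTEGER PRIMARY KEY, status INTEGER, enrolid INTEGER, userid INTEGER);
    CREATE TABLE mdl_context (id INTEGER PRIMARY KEY, contextlevel INTEGER, instanceid INTEGER);
    CREATE TABLE mdl_role_assignments (id INTEGER PRIMARY KEY, roleid INTEGER, contextid INTEGER,
                                       userid INTEGER, component TEXT, itemid INTEGER);
    INSERT INTO mdl_enrol VALUES (7, 'ldap', 101, 5);
    INSERT INTO mdl_context VALUES (300, 50, 101);
    -- user 11: enrolled normally, role present
    INSERT INTO mdl_user_enrolments VALUES (1, 0, 7, 11);
    INSERT INTO mdl_role_assignments VALUES (1, 5, 300, 11, 'enrol_ldap', 7);
    -- user 12: re-enabled by the bulk sync (status 1 -> 0), role never re-inserted
    INSERT INTO mdl_user_enrolments VALUES (2, 0, 7, 12);
    -- user 13: still suspended (status 1), so a missing role is expected
    INSERT INTO mdl_user_enrolments VALUES (3, 1, 7, 13);
    """)
    return db

def find_orphaned_enrolments(db):
    """Return (userid, courseid) pairs that are active but have no role."""
    return db.execute(ORPHAN_SQL).fetchall()

if __name__ == "__main__":
    for userid, courseid in find_orphaned_enrolments(build_sample_db()):
        print(f"user {userid} is active in course {courseid} without a role")
```

An empty result after running enrol/ldap/cli/sync.php means every active LDAP enrolment has its role; any rows returned are the users who would be missing from the participants list and gradebook.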