A user removed/deleted directly from LDAP is removed from the User browser, but the Can Use permissions are still associated with it, adding to the license count.
The Can-Use permissions should be revoked for this user when removed from LDAP.
1) Delete a user directly from the LDAP server, ensuring the user is a member of a group with "Can Use" permissions
2) Check that the user does not appear in the user browser
3) The license count still includes this deleted user
4) The EXTERNAL_MEMBERS still have the group memberships