You will not be logged out. They will be unable to establish new sessions, but existing sessions will continue to function indefinitely.

We can not quickly or easily detect that an LDAP account has become disabled.

We would need to store the user's password and make an LDAP request on every page to make sure the account was still active if we wanted to log them out immediately. This has nontrivial security, performance, and scalability implications, and is impractical or impossible for many other types of accounts. In the general case, it would be incorrect: even if your LDAP account is disabled, you may have other valid authentication methods attached to Phabricator and still be a legitimate user.

To prevent a user from accessing Phabricator, disable their Phabricator account. This will immediately disable all authentication methods associated with their account.

There may be more tools for passive synchronization after T5953, but they will probably be limited, and are unlikely to poll every LDAP account every few seconds.

You will be able to disable users via API after user.edit (T10512 is an adjacent task), which would let you build passive synchronization yourself. You can probably do this with user.disable today until user.edit comes online.