Have you seen https://docs.moodle.org/30/en/LDAP_enrolment?
If you can't use that, there are a couple of plugins that might help...
https://moodle.org/plugins/enrol_attributes - which would allow you to STOP self enrolment in all courses, but then allow automatic enrolment based on a value in LDAP into the courses that you want internal students to access.
https://moodle.org/plugins/auth_mcae - which will allow you to populate a cohort based on 'auth=ldap'. So all LDAP users would be added to that cohort, then use the Cohort Sync enrolment method instead of self enrolment in your 'internal' courses.