New account created by LDAP plugin when username changed in Active Directory

Re: New account created by LDAP plugin when username changed in Active Directory

by Jamie Kramer

Hi Robert. I concur this is a pain point for many LDAP implementations over the years. I agree with you that uniqueness should somehow have a way to be ensured via LDAP configuration settings. In other types of LDAP integrations I have been involved with, when dealing specifically with AD, we decided to use the objectGUID as the "key" between LDAP user objects and user accounts in the LMS, since the objectGUID attribute is guaranteed unique and non-changing. This idea of using the objectGUID wasn't specifically implemented in the Moodle LDAP auth plugin, but in another type of data sync. However, the idea remains the same and could be applied to the LDAP auth plugin. I would think it shouldn't be too hard, yet it has been a while since I last scoured over the LDAP auth plugin code...

I have considered on many occasions developing a patch to make this better. At this point I had not yet checked in Moodle Tracker issues to see if a patch might already exist, but since you brought this up and it is a subject I am familiar with, I am going to go searching now. Maybe we'll get a nice surprise and find out that a fix exists.

I concur with Emma that for now, AFAIK, the only workaround is to manually make updates to LDAP and the Moodle user profile simultaneously, and it is not ideal.
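
The objectGUID-keyed matching described in the post above, as an added Python example that is not part of the original post and is not code from the Moodle LDAP auth plugin. The `Account` record, the `reconcile` function and the sample GUID bytes are constructed for illustration; it assumes the sync reads `objectGUID` and `sAMAccountName` from each AD entry.

```python
import uuid
from dataclasses import dataclass

# Constructed sample value: 16 raw bytes as AD would return for objectGUID.
RAW_A = bytes.fromhex("00112233445566778899aabbccddeeff")

@dataclass
class Account:
    """Hypothetical LMS user record (not Moodle's actual schema)."""
    id: int
    username: str
    guid: str  # canonical objectGUID string stored at first sync

def guid_from_ad(raw: bytes) -> str:
    """AD returns objectGUID as 16 raw bytes whose first three fields are
    little-endian; bytes_le decodes that layout into the canonical string."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def reconcile(accounts, entry):
    """Match a directory entry to an account by objectGUID, never by username.
    Returns (action, account): 'unchanged', 'renamed', 'created' or 'conflict'."""
    guid = guid_from_ad(entry["objectGUID"])
    name = entry["sAMAccountName"].lower()
    acct = next((a for a in accounts if a.guid == guid), None)
    holder = next((a for a in accounts if a.username == name), None)
    if holder is not None and holder.guid != guid:
        # The username is held by a different directory object: do not merge.
        return "conflict", holder
    if acct is None:
        new_id = max((a.id for a in accounts), default=0) + 1
        acct = Account(id=new_id, username=name, guid=guid)
        accounts.append(acct)
        return "created", acct
    if acct.username != name:
        # Same directory object, new username: update in place, keep the id.
        acct.username = name
        return "renamed", acct
    return "unchanged", acct
```
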