sudo -u www-data php -f /app/code/occ ldap:check-user --update
Thanks, unfortunately, it didn't help. First of all, while this might work, the fact that it requires a username of a user means that I can't set up CRON command to sync users easily.
But I also wasn't able to make it work when using email address of user as a username (I didn't find a way to specify separate username), it simply fails with
The given user is not a recognized LDAP user. Which probably makes sense, because
sudo -u www-data php -f /app/code/occ help ldap:check-user says that the parameter should be
the user name as used in Nextcloud so it looks like it's intended to resync users that are already synced to Nextcloud.