In the documentation
https://www.zabbix.com/documentation/6.4/en/manual/web_interface/frontend_sections/users/authentication/ldap
paragraph

{qoute}
>>LDAP JIT provisioning is available only when LDAP is configured to use "anonymous" or "special user" for binding. For direct user binding, provisioning will be made only for user login action, because logging in user password is used for such type of binding.{qoute}

confuses and it's hard to understand it in correct way
There is 3 ways to bind LDAP: anonymous user, user that is dedicated ("special user" ?) for zabbix ldap binding, same user that is used for login to zabbix is used to bind LDAP (direct user binding?)
If the last option is used zabbix do not 'remember' user password and can do provisioning only through login, so 'Provisioning now' buttons won't work in that case

"Special user" treated as a special type of user in the domain, but it's not correct

Also example for 'direct user binding' is quite pure

Note: To configure an LDAP server for direct user binding, append an attribute uid=%{user} to the Base DN parameter (for example,uid=%{user},dc=example,dc=com) and leave BindDN and Bind password parameters empty. When authenticating, a placeholder %{user} will be replaced by the username entered during login.

and probably should be moved at the beginning to explain 3 ways to bind ldap server

Regards, Elina