Don't accidentally unblock auto created users from Active Directory.

CHANGELOG

@@ -52,6 +52,7 @@ v 7.11.0 (unreleased)
   - Add current_sign_in_at to UserFull REST api.
   - Make Sidekiq MemoryKiller shutdown signal configurable
   - Add "Create Merge Request" buttons to commits and branches pages and push event.
+  - Fix automatic blocking of auto-created users from Active Directory.
 
 v 7.10.2
   - Fix CI links on MR page

lib/gitlab/ldap/access.rb

@@ -40,7 +40,7 @@ module Gitlab
             user.block unless user.blocked?
             false
           else
-            user.activate if user.blocked?
+            user.activate if user.blocked? && !ldap_config.block_auto_created_users
             true
           end
         else

spec/lib/gitlab/ldap/access_spec.rb

@@ -16,7 +16,7 @@ describe Gitlab::LDAP::Access do
     context 'when the user is found' do
       before { Gitlab::LDAP::Person.stub(find_by_dn: :ldap_user) }
 
-      context 'and the user is diabled via active directory' do
+      context 'and the user is disabled via active directory' do
         before { Gitlab::LDAP::Person.stub(disabled_via_active_directory?: true) }
 
         it { is_expected.to be_falsey }
@@ -36,11 +36,30 @@ describe Gitlab::LDAP::Access do
 
         it { is_expected.to be_truthy }
 
+        context 'when auto-created users are blocked' do
+
+          before do
+            Gitlab::LDAP::Config.any_instance.stub(block_auto_created_users: true)
+          end
+
+          it "does not unblock user in GitLab" do
+            access.allowed?
+            user.should be_blocked
+          end
+        end
+
+        context "when auto-created users are not blocked" do
+
+          before do
+            Gitlab::LDAP::Config.any_instance.stub(block_auto_created_users: false)
+          end
+
           it "should unblock user in GitLab" do
             access.allowed?
             user.should_not be_blocked
           end
         end
+      end
 
       context 'without ActiveDirectory enabled' do
         before do