Block LDAP user when they are no longer found in the LDAP server

bf5683f8 · Drew Blessing · 14165e59 · bf5683f8 · bf5683f8 · bf5683f8
Commit bf5683f8 authored Dec 08, 2015 by Drew Blessing
4 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -23,6 +23,7 @@ v 8.3.0 (unreleased)
  - Run custom Git hooks when branch is created or deleted.
  - Fix bug when simultaneously accepting multiple MRs results in MRs that are of "merged" status, but not merged to the target branch
  - Add languages page to graphs
+  - Block LDAP user when they are no longer found in the LDAP server

 v 8.2.3
  - Fix application settings cache not expiring after changes (Stan Hu)

--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -13,6 +13,12 @@ An LDAP user who is allowed to change their email on the LDAP server can [take o

 We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName'  attribute on the LDAP server.

+If a user is deleted from the LDAP server, they will be blocked in GitLab as well.
+Users will be immediately blocked from logging in. However, there is an LDAP check
+cache time of one hour. The means users that are already logged in or are using Git
+over SSH will still be able to access GitLab for up to one hour. Manually block
+the user in the GitLab Admin area to immediately block all access.
+
 ## Configuring GitLab for LDAP integration

 To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`.
@@ -192,4 +198,4 @@ Not supported by GitLab's configuration options.
 When setting `method: ssl`, the underlying authentication method used by 
 `omniauth-ldap` is `simple_tls`.  This method establishes TLS encryption with 
 the LDAP server before any LDAP-protocol data is exchanged but no validation of
-the LDAP server's SSL certificate is performed.
\ No newline at end of file
+the LDAP server's SSL certificate is performed.
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -37,13 +37,15 @@ module Gitlab

          # Block user in GitLab if he/she was blocked in AD
          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
-            user.block unless user.blocked?
+            user.block
            false
          else
            user.activate if user.blocked? && !ldap_config.block_auto_created_users
            true
          end
        else
+          # Block the user if they no longer exist in LDAP/AD
+          user.block 
          false
        end
      rescue

--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
@@ -13,6 +13,11 @@ describe Gitlab::LDAP::Access do
      end

      it { is_expected.to be_falsey }
+      
+      it 'should block user in GitLab' do
+        access.allowed?
+        expect(user).to be_blocked
+      end
    end

    context 'when the user is found' do