EE port: add app-wide LDAP membership lock field

db/migrate/20190604091310_add_ldap_membership_lock.rb

+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLdapMembershipLock < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:application_settings, :lock_memberships_to_ldap, :boolean, default: false)
+  end
+
+  def down
+    remove_column(:application_settings, :lock_memberships_to_ldap)
+  end
+end

db/schema.rb

@@ -195,6 +195,7 @@ ActiveRecord::Schema.define(version: 20190611161641) do
     t.text "encrypted_lets_encrypt_private_key_iv"
     t.boolean "dns_rebinding_protection_enabled", default: true, null: false
     t.boolean "default_project_deletion_protection", default: false, null: false
+    t.boolean "lock_memberships_to_ldap", default: false, null: false
     t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
   end
 

doc/administration/auth/ldap-ee.md

@@ -183,6 +183,15 @@ group, as opposed to the full DN.
 
 1. [Restart GitLab][restart] for the changes to take effect.
 
+## Global group memberships lock
+
+"Lock memberships to LDAP synchronization" setting allows instance administrators 
+to lock down user abilities to invite new members to a group. When enabled following happens:
+
+1. Only administrator can manage memberships of any group including access levels.
+2. Users are not allowed to share project with other groups or invite members to a project created in a group.
+
+
 ## Adjusting LDAP user sync schedule
 
 > Introduced in GitLab Enterprise Edition Starter.