diff --git a/db/migrate/20190604091310_add_ldap_membership_lock.rb b/db/migrate/20190604091310_add_ldap_membership_lock.rb
new file mode 100644
index 0000000000000000000000000000000000000000..1afc6aeefd59902c215def586d0bbfb3504396be
--- /dev/null
+++ b/db/migrate/20190604091310_add_ldap_membership_lock.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLdapMembershipLock < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:application_settings, :lock_memberships_to_ldap, :boolean, default: false)
+  end
+
+  def down
+    remove_column(:application_settings, :lock_memberships_to_ldap)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 86a099d28b2751f8b484798cec804c3b44d7699a..4ed7c0cb248a9336569d75de8814dadc02420029 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -195,6 +195,7 @@ ActiveRecord::Schema.define(version: 20190611161641) do
     t.text "encrypted_lets_encrypt_private_key_iv"
     t.boolean "dns_rebinding_protection_enabled", default: true, null: false
     t.boolean "default_project_deletion_protection", default: false, null: false
+    t.boolean "lock_memberships_to_ldap", default: false, null: false
     t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
   end
 
diff --git a/doc/administration/auth/ldap-ee.md b/doc/administration/auth/ldap-ee.md
index 30095d357051c4321733621c26a0a9752a65fc75..15f093bb62d4ef4c295b26305e9c2fb47d95fa67 100644
--- a/doc/administration/auth/ldap-ee.md
+++ b/doc/administration/auth/ldap-ee.md
@@ -183,6 +183,15 @@ group, as opposed to the full DN.
 
 1. [Restart GitLab][restart] for the changes to take effect.
 
+## Global group memberships lock
+
+"Lock memberships to LDAP synchronization" setting allows instance administrators 
+to lock down user abilities to invite new members to a group. When enabled following happens:
+
+1. Only administrator can manage memberships of any group including access levels.
+2. Users are not allowed to share project with other groups or invite members to a project created in a group.
+
+
 ## Adjusting LDAP user sync schedule
 
 > Introduced in GitLab Enterprise Edition Starter.