LDAP user filter option in gitlab.yml

Now you are able to specify LDAP user filter string in gitlab.yml.
So its possible to exclude some users from accessing gitlab.
If user with LDAP account not matching this filter will try to login or
use gitlab he will get error message like 'Access denied for your LDAP
account' and will be signed out.

app/controllers/application_controller.rb

@@ -159,10 +159,15 @@ class ApplicationController < ActionController::Base
 
   def ldap_security_check
     if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
-      Gitlab::LDAP::Access.new.update_permissions(current_user)
-
-      current_user.last_credential_check_at = Time.now
-      current_user.save
+      if gitlab_ldap_access.allowed?(current_user)
+        gitlab_ldap_access.update_permissions(current_user)
+        current_user.last_credential_check_at = Time.now
+        current_user.save
+      else
+        sign_out current_user
+        flash[:alert] = "Access denied for your LDAP account."
+        redirect_to new_user_session_path
+      end
     end
   end
 
@@ -170,4 +175,8 @@ class ApplicationController < ActionController::Base
     filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
     @event_filter ||= EventFilter.new(filters)
   end
+
+  def gitlab_ldap_access
+    Gitlab::LDAP::Access.new
+  end
 end

app/controllers/omniauth_callbacks_controller.rb

@@ -20,8 +20,14 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     # if the authentication to LDAP was successful.
     @user = Gitlab::LDAP::User.find_or_create(oauth)
     @user.remember_me = true if @user.persisted?
-    Gitlab::LDAP::Access.new.update_permissions(@user)
-    sign_in_and_redirect(@user)
+
+    if gitlab_ldap_access.allowed?(@user)
+      gitlab_ldap_access.update_permissions(@user)
+      sign_in_and_redirect(@user)
+    else
+      flash[:alert] = "Access denied for your LDAP account."
+      redirect_to new_user_session_path
+    end
   end
 
   private

config/gitlab.yml.example

@@ -114,6 +114,12 @@ production: &base
     #
     base: ''
 
+    # Filter LDAP users
+    #
+    #   Ex. (employeeType=developer)
+    #
+    user_filter: ''
+
     # Base where we can search for groups
     #
     #   Ex. ou=Groups,dc=gitlab,dc=example

lib/gitlab/ldap/access.rb

@@ -7,6 +7,12 @@
 module Gitlab
   module LDAP
     class Access
+      def allowed?(user)
+        !!Gitlab::LDAP::Person.find_by_dn(user.extern_uid)
+      rescue
+        false
+      end
+
       def update_permissions(user)
         # Skip updating group permissions
         # if instance does not use group_base setting

lib/gitlab/ldap/adapter.rb

@@ -69,6 +69,16 @@ module Gitlab
           }
         end
 
+        if config['user_filter'].present?
+          user_filter = Net::LDAP::Filter.construct(config['user_filter'])
+
+          options[:filter] = if options[:filter]
+                               Net::LDAP::Filter.join(options[:filter], user_filter)
+                             else
+                               user_filter
+                             end
+        end
+
         entries = ldap.search(options).select do |entry|
           entry.respond_to? config.uid
         end