Respect LDAP user filter for SSH and Git over HTTP

Remove LDAP::User#blocked? method because it duplciate
existing functionality of LDAP::Access#allowed? method
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

lib/api/internal.rb

@@ -35,7 +35,13 @@ module API
           user = key.user
 
           return false if user.blocked?
-          return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+
+          if user.ldap_user?
+            # Check if LDAP user exists and match LDAP user_filter
+            unless Gitlab::LDAP::Access.allowed?(user.extern_uid)
+              return false
+            end
+          end
 
           action = case git_cmd
                    when *DOWNLOAD_COMMANDS

lib/gitlab/ldap/user.rb

@@ -62,8 +62,16 @@ module Gitlab
           return nil unless ldap_conf.enabled && login.present? && password.present?
 
           ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+          filter = Net::LDAP::Filter.eq(ldap.uid, login)
+
+          # Apply LDAP user filter if present
+          if ldap_conf['user_filter'].present?
+            user_filter = Net::LDAP::Filter.construct(ldap_conf['user_filter'])
+            filter = Net::LDAP::Filter.join(filter, user_filter)
+          end
+
           ldap_user = ldap.bind_as(
-            filter: Net::LDAP::Filter.eq(ldap.uid, login),
+            filter: filter,
             size: 1,
             password: password
           )
@@ -71,16 +79,6 @@ module Gitlab
           find_by_uid(ldap_user.dn) if ldap_user
         end
 
-        # Check LDAP user existance by dn. User in git over ssh check
-        #
-        # It covers 2 cases:
-        # * when ldap account was removed
-        # * when ldap account was deactivated by change of OU membership in 'dn'
-        def blocked?(dn)
-          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
-          ldap.connection.search(base: dn, size: 1).blank?
-        end
-
         private
 
         def find_by_uid(uid)