Check if LDAP user was removed or blocked when use git over ssh

2 files changed, 11 insertions, 0 deletions

diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 79f8eb3a543..ed6b50c3a6a 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,6 +35,7 @@ module API
           user = key.user
 
           return false if user.blocked?
+          return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
 
           action = case git_cmd
                    when *DOWNLOAD_COMMANDS
diff --git a/lib/gitlab/ldap/user.rb b/lib/gitlab/ldap/user.rb
index 260bacfeeb0..78fc5dab9cb 100644
--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -71,6 +71,16 @@ module Gitlab
           find_by_uid(ldap_user.dn) if ldap_user
         end
 
+        # Check LDAP user existance by dn. User in git over ssh check
+        #
+        # It covers 2 cases:
+        # * when ldap account was removed
+        # * when ldap account was deactivated by change of OU membership in 'dn'
+        def blocked?(dn)
+          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+          ldap.connection.search(base: dn, size: 1).blank?
+        end
+
         private
 
         def find_by_uid(uid)