-rw-r--r--app/controllers/application_controller.rb19
-rw-r--r--config/gitlab.yml.example15
-rw-r--r--lib/api/internal.rb8
3 files changed, 40 insertions, 2 deletions
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 9ed46c23942..af1a80ff799 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
before_filter :check_password_expiration
around_filter :set_current_user_for_thread
before_filter :add_abilities
+ before_filter :ldap_security_check
before_filter :dev_tools if Rails.env == 'development'
before_filter :default_headers
before_filter :add_gon_variables
@@ -179,11 +180,29 @@ class ApplicationController < ActionController::Base
end
end
+ def ldap_security_check
+ if current_user && current_user.ldap_user? && current_user.requires_ldap_check?
+ if gitlab_ldap_access.allowed?(current_user)
+ gitlab_ldap_access.update_permissions(current_user)
+ current_user.last_credential_check_at = Time.now
+ current_user.save
+ else
+ sign_out current_user
+ flash[:alert] = "Access denied for your LDAP account."
+ redirect_to new_user_session_path
+ end
+ end
+ end
+
def event_filter
filters = cookies['event_filter'].split(',') if cookies['event_filter'].present?
@event_filter ||= EventFilter.new(filters)
end
+ def gitlab_ldap_access
+ Gitlab::LDAP::Access.new
+ end
+
# JSON for infinite scroll via Pager object
def pager_json(partial, count)
html = render_to_string(
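Review bot: `ldap_security_check` never consults `Gitlab.config.ldap.enabled`, while the parallel check this commit adds in lib/api/internal.rb does; a user whose provider is LDAP will still reach `gitlab_ldap_access.allowed?` on an instance where LDAP has been switched off, and whether `Gitlab::LDAP::Access#allowed?` copes with that is not visible here. Folding the guard into the entry condition keeps the two paths consistent: `return unless Gitlab.config.ldap.enabled && current_user && current_user.ldap_user? && current_user.requires_ldap_check?`. The result of `current_user.save` is also discarded, so a validation failure leaves `last_credential_check_at` untouched and the directory is queried again on every following request; `current_user.update_column(:last_credential_check_at, Time.now)` or an explicit check of the return value would avoid that. The method carries no comment; something like `# Re-check LDAP users against the directory (presumably throttled by requires_ldap_check?) and sign them out when the directory no longer allows them.` would make the fail-closed intent clear to the next reader.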
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index a40ce7212fe..9364181eaa4 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -121,7 +121,6 @@ production: &base
ldap:
enabled: false
host: '_your_ldap_server'
- base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
method: 'ssl' # "tls" or "ssl" or "plain"
@@ -138,6 +137,20 @@ production: &base
# disable this setting, because the userPrincipalName contains an '@'.
allow_username_or_email_login: true
+ # Base where we can search for users
+ #
+ # Ex. ou=People,dc=gitlab,dc=example
+ #
+ base: ''
+
+ # Filter LDAP users
+ #
+ # Format: RFC 4515
+ # Ex. (employeeType=developer)
+ #
+ user_filter: ''
+
+
## OmniAuth settings
omniauth:
# Allow login via Twitter, Google, etc. using OmniAuth providers
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index ebc9fef07b4..69aad3748b3 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,8 +35,14 @@ module API
user = key.user
return false if user.blocked?
+
if Gitlab.config.ldap.enabled
- return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+ if user.ldap_user?
+ # Check if LDAP user exists and match LDAP user_filter
+ unless Gitlab::LDAP::Access.new.allowed?(user)
+ return false
+ end
+ end
end
action = case git_cmd
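Review bot: The new nesting under `if Gitlab.config.ldap.enabled` is three levels deep for what is a single predicate; `return false if user.ldap_user? && !Gitlab::LDAP::Access.new.allowed?(user)` expresses the same decision in one line and keeps the early-return shape of the `return false if user.blocked?` line just above. The added comment would read better as `# Deny access when the LDAP user no longer exists or does not match the configured user_filter`. Unlike the controller-side check in this commit, this path is not gated by `requires_ldap_check?`, so every call here goes to the directory and its latency or unavailability lands on the git access path — that is an observation about the trade-off, not necessarily wrong for an authorization decision. The enclosing endpoint block begins and ends outside this hunk.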