From baa65e89b90f21047e586c5842a1b7d499625fd0 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Mon, 7 Oct 2013 16:06:30 +0300
Subject: [PATCH] Check if LDAP user was removed or blocked when use git over ssh
---
 lib/api/internal.rb | 1 +
 lib/gitlab/ldap/user.rb | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index 79f8eb3a543..ed6b50c3a6a 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,6 +35,7 @@ module API
 user = key.user
 return false if user.blocked?
+ return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
 action = case git_cmd
 when *DOWNLOAD_COMMANDS
diff --git a/lib/gitlab/ldap/user.rb b/lib/gitlab/ldap/user.rb
index 260bacfeeb0..78fc5dab9cb 100644
--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -71,6 +71,16 @@ module Gitlab
 find_by_uid(ldap_user.dn) if ldap_user
 end
+ # Check LDAP user existance by dn. User in git over ssh check
+ #
+ # It covers 2 cases:
+ # * when ldap account was removed
+ # * when ldap account was deactivated by change of OU membership in 'dn'
+ def blocked?(dn)
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap.connection.search(base: dn, size: 1).blank?
+ end
+
 private
 def find_by_uid(uid)
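Review bot: The added guard in lib/api/internal.rb puts a live directory query on every git-over-SSH access check, and nothing on this line handles that query failing. As `blocked?` is written in this commit, a blank search result counts as blocked, so an unreachable or misconfigured LDAP server would presumably deny every LDAP user (fail closed), while a raised connection error would escape from this endpoint. Either outcome should be a deliberate, visible choice: I would state it above the line, e.g. `# Fails closed: LDAP users are denied while the directory cannot be queried`, and log the denial so operators can tell a revoked account from a directory outage. The enclosing block starts and ends outside the hunk, so whether `extern_uid` can be nil at this point is not visible.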
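Review bot: `blocked?` in lib/gitlab/ldap/user.rb cannot tell a removed entry from a failed lookup, because any blank result from `search` returns true; net-ldap reports failures through `get_operation_result`, so the method should check that result before concluding the entry is gone. The search also passes only `base:`, which in net-ldap defaults to a whole-subtree scope as far as I know; an existence test for a single entry reads better as `ldap.connection.search(base: dn, scope: Net::LDAP::SearchScope_BaseObject, size: 1)`. The doc comment should also say what is not covered: an account disabled in place, with its DN unchanged, is still found and keeps SSH access. Small wording fixes for the same comment: "existance" should be "existence" and "User in git over ssh check" presumably means "Used in".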