Option to disable LDAP auto-create users

Release notes

Problem to solve

Currently there are 2 options to stop LDAP users from automatically signing in:

  1. Specify a user-filter (and add an LDAP attribute for allowed users for example)
  2. Configure GitLab to auto-create but block the user until admin approves

There are some scenarios where these options are not a feasible way of managing users.

A large client has outlined one such scenario (internal):

... my company has many GitLab instances. 
... require multiple LDAP groups to be created and maintained: one group for each of our many GitLab instances to guarantee that users are only signing into the GitLab instances they are authorized to. 
And it would also require membership management:

* Some users, auditors for instance, need access to all instances.

* Some users need access to one or more instances but not all instances.

* Some users need access to one instance today and tomorrow need access to a different instance.

* And plus the cases where users leave the company or users no longer need access to GitLab.

Proposal

The ideal solution is to have an option to disable the auto-creation of an authenticated LDAP user.

That is, an option should exist that would only allow a user to sign in via LDAP if their identity is already connected to an account in GitLab.

Edited Aug 28, 2025 by 🤖 GitLab Bot 🤖
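
The two existing auto-create behaviours and the proposed option, compared in an added Ruby sketch that is not GitLab's code. The mode names, the `Account` struct, the `Instance` class and the directory entries are constructed for illustration, and the LDAP bind is assumed to have already succeeded.

```ruby
# Toy model of the sign-in decision discussed in the issue (not GitLab code).
# All names and sample DNs below are constructed for illustration.
Account = Struct.new(:username, :ldap_dn, :blocked)

class Instance
  attr_reader :accounts

  # mode is one of:
  #   :auto_create          - unknown LDAP user gets an active account
  #   :auto_create_blocked  - unknown LDAP user gets a blocked account
  #   :existing_only        - proposed option (hypothetical name): no account
  #                           is created, sign-in needs an existing link
  def initialize(mode:, accounts: [])
    @mode = mode
    @accounts = accounts
  end

  # Called only after the directory has authenticated `dn`.
  # Returns :signed_in, :pending_approval or :denied.
  def sign_in(username, dn)
    # Assumption: DNs are matched case-insensitively.
    account = @accounts.find { |a| a.ldap_dn.casecmp?(dn) }
    if account.nil?
      return :denied if @mode == :existing_only # nothing is written
      account = Account.new(username, dn, @mode == :auto_create_blocked)
      @accounts << account
    end
    account.blocked ? :pending_approval : :signed_in
  end
end

AUDITOR = 'uid=auditor,ou=people,dc=example,dc=com' # already linked
DEV     = 'uid=dev,ou=people,dc=example,dc=com'     # valid in LDAP, no account

# Runs both sign-ins on a fresh instance; returns [outcomes, usernames stored].
def run(mode)
  linked = Account.new('auditor', AUDITOR, false)
  inst = Instance.new(mode: mode, accounts: [linked])
  outcomes = { auditor: inst.sign_in('auditor', AUDITOR),
               dev: inst.sign_in('dev', DEV) }
  [outcomes, inst.accounts.map(&:username)]
end

if __FILE__ == $PROGRAM_NAME
  %i[auto_create auto_create_blocked existing_only].each do |mode|
    outcomes, usernames = run(mode)
    puts "#{mode}: #{outcomes} stored=#{usernames}"
  end
end
```

Only the `:existing_only` mode leaves the instance's account list unchanged for the unlinked user; the blocked mode still creates a record that an administrator has to review or remove.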