LDAP: users without org mappings are marked as disabled (#26650)

* LDAP: users without org mappings are marked as disabled

* Update pkg/services/ldap/ldap.go

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* LDAP: verifies that unmapped users are tagged as isDisabled

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

pkg/services/ldap/ldap.go

@@ -427,6 +427,12 @@ func (server *Server) buildGrafanaUser(user *ldap.Entry) (*models.ExternalUserIn
 		}
 	}
 
+	// If there are group org mappings configured, but no matching mappings,
+	// the user will not be able to login and will be disabled
+	if len(server.Config.Groups) > 0 && len(extUser.OrgRoles) == 0 {
+		extUser.IsDisabled = true
+	}
+
 	return extUser, nil
 }
 

pkg/services/ldap/ldap_private_test.go

@@ -113,8 +113,37 @@ func TestLDAPPrivateMethods(t *testing.T) {
 			result, err := server.serializeUsers(users)
 
 			So(err, ShouldBeNil)
+			So(result[0].IsDisabled, ShouldBeFalse)
 			So(result[0].Name, ShouldEqual, "Roel")
 		})
+
+		Convey("a user without matching groups should be marked as disabled", func() {
+			server := &Server{
+				Config: &ServerConfig{
+					Groups: []*GroupToOrgRole{{
+						GroupDN: "foo",
+						OrgId:   1,
+						OrgRole: models.ROLE_EDITOR,
+					}},
+				},
+				Connection: &MockConnection{},
+				log:        log.New("test-logger"),
+			}
+
+			entry := ldap.Entry{
+				DN: "dn",
+				Attributes: []*ldap.EntryAttribute{
+					{Name: "memberof", Values: []string{"admins"}},
+				},
+			}
+			users := []*ldap.Entry{&entry}
+
+			result, err := server.serializeUsers(users)
+
+			So(err, ShouldBeNil)
+			So(len(result), ShouldEqual, 1)
+			So(result[0].IsDisabled, ShouldBeTrue)
+		})
 	})
 
 	Convey("validateGrafanaUser()", t, func() {