diff --git a/README.md b/README.md
index 49118cbb..a4c3cc87 100644
--- a/README.md
+++ b/README.md
@@ -1015,6 +1015,7 @@ Below is the complete list of available options that can be used to customize yo
 | `LDAP_USER_ATTRIBUTE_FIRSTNAME` | Attribute field for the forename of a user. Default to `givenName` |
 | `LDAP_USER_ATTRIBUTE_LASTNAME` | Attribute field for the surname of a user. Default to `sn` |
 | `LDAP_LOWERCASE_USERNAMES` | GitLab will lower case the username for the LDAP Server. Defaults to `false` |
+| `LDAP_PREVENT_LDAP_SIGN_IN` | Set to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to `false` |
 | `OAUTH_ENABLED` | Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. |
 | `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` | Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
 | `OAUTH_ALLOW_SSO` | Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index e2dae1bf..ceba8384 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -593,7 +593,7 @@ production: &base
 # bundle exec rake gitlab:ldap:check RAILS_ENV=production
 ldap:
 enabled: {{LDAP_ENABLED}}
-prevent_ldap_sign_in: false
+prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}}
 # This setting controls the number of seconds between LDAP permission checks
 # for each user. After this time has expired for a given user, their next
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index 1f224973..409b1ca7 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -344,6 +344,7 @@ LDAP_USER_ATTRIBUTE_LASTNAME=${LDAP_USER_ATTRIBUTE_LASTNAME:-sn}
 LDAP_LOWERCASE_USERNAMES="${LDAP_LOWERCASE_USERNAMES:-false}"
 LDAP_LABEL=${LDAP_LABEL:-LDAP}
 LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
+LDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false}
 case ${LDAP_UID} in
 userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;;
 *) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 28497d46..a2a3f4dd 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -439,7 +439,8 @@ gitlab_configure_ldap() {
 LDAP_USER_ATTRIBUTE_NAME \
 LDAP_USER_ATTRIBUTE_FIRSTNAME \
 LDAP_USER_ATTRIBUTE_LASTNAME \
-LDAP_LABEL
+LDAP_LABEL \
+LDAP_PREVENT_LDAP_SIGN_IN
 }
 gitlab_configure_oauth_cas3() {
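Review bot: The new default `LDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false}` in the env-defaults hunk is left unquoted while the neighbouring boolean `LDAP_LOWERCASE_USERNAMES="${LDAP_LOWERCASE_USERNAMES:-false}"` is quoted; for consistency write `LDAP_PREVENT_LDAP_SIGN_IN="${LDAP_PREVENT_LDAP_SIGN_IN:-false}"`. More importantly, the value is copied verbatim into `prevent_ldap_sign_in:` in the gitlab.yml hunk above with no check that it is `true` or `false`, and this setting decides whether LDAP web sign-in is blocked at all. A spelling such as `True`, `yes` or `1` is presumably read by the YAML loader as something other than the plain boolean GitLab expects — worth confirming against GitLab's config parsing — so a typo in the environment could silently leave sign-in enabled when the operator meant to disable it. If env-defaults or functions already validates other boolean flags, the same check should cover this one; if not, a `case` on the lower-cased value that rejects anything but `true`/`false` at startup would be cheap. The env-defaults and functions hunks both start inside definitions that begin outside the hunk (the `case` block and `gitlab_configure_ldap()` respectively).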