This task tracks various enhancement tasks around account/group membership handling in the WMF systems.
Is there a way to disable an account in LDAP that would then fail for authentication for all ancillary services that check LDAP? We have run into wanting this a few times with spammers who hit Phab and then wikitech or gerrit. The common point of authentication is there but we end up playing whackamole in every venue individually. We have also wanted this for a Tool account or service user that is suspected as compromised and the workarounds are very specific and hacky.