Any user provisioned through LDAP integration are able to create repositories under his own organization. It should be possible to disable this behavior and let users access only repositories based on team/organization membership.