Skip to content

Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms

What does this MR do?

We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.

Are there points in the code the reviewer needs to double check?


Why was this MR needed?

Hitting LDAP is expensive, especially when we're trying to authenticate a user's account with bogus passwords. It was causing account lockouts for some LDAP/AD systems.

Screenshots (if relevant)

Does this MR meet the acceptance criteria?

What are the relevant issue numbers?

Closes #24462 (closed)

Merge request reports