LDAP integration generates massive amount of invalid logins by deploy tokens
Summary
Starting from version 16.2.7, when customers integrate an LDAP server, the system makes multiple LDAP server requests whenever a deploy_token is used to clone a repository.
We've recently received customer feedback about this behavior. In SM environments with large user bases (e.g., 10,000 users), this has resulted in significant unnecessary LDAP server access.
Steps to reproduce
- Have GitLab 16.2.7-EE or later (we tested at 17.10.1; the problem is still there).
- Integrate an LDAP server successfully.
- Create a project and create a deploy_token on this project.
- In the Admin area, go to the Network page (`admin/application_settings/network#js-ip-limits-settings`) and keep these settings enabled (the same as what the page shows):

```ruby
ApplicationSetting.current.throttle_unauthenticated_enabled # true
ApplicationSetting.current.throttle_authenticated_web_enabled # true
```
- Use a valid deploy_token to clone code:

```shell
git clone http://gitlab+deploy-token-1:gldt-xxx@gdk.test:3000/ladp-1/h-1.git a116
```

In GDK, `gdk tail openldap` shows the LDAP server request log that this clone triggers.
Reason
RackAttack check:

```ruby
def throttle_unauthenticated_git_http?
  git_path? &&
    Gitlab::Throttle.settings.throttle_unauthenticated_git_http_enabled &&
    unauthenticated?
end

def find_user_from_any_authentication_method(request_format)
  find_user_from_dependency_proxy_token ||
    find_user_from_web_access_token(request_format, scopes: [:api, :read_api]) ||
    find_user_from_feed_token(request_format) ||
    find_user_from_static_object_token(request_format) ||
    find_user_from_job_token ||
    find_user_from_personal_access_token_for_api_or_git ||
    find_user_for_git_or_lfs_request
end
```

`find_user_for_git_or_lfs_request` ends up calling `Gitlab::Auth.find_with_user_password(login.to_s, password.to_s)`, which checks the LDAP service.
How to fix (maybe)
Add a deploy_token check before the LDAP check.
https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/auth/request_authenticator.rb#L80
Add a `find_user_from_deploy_token` finder (it does not exist yet) and call it before the finders that reach LDAP:

```diff
 def find_user_from_any_authentication_method(request_format)
   find_user_from_dependency_proxy_token ||
     find_user_from_web_access_token(request_format, scopes: [:api, :read_api]) ||
     find_user_from_feed_token(request_format) ||
     find_user_from_static_object_token(request_format) ||
     find_user_from_job_token ||
+    find_user_from_deploy_token ||
     find_user_from_personal_access_token_for_api_or_git ||
     find_user_for_git_or_lfs_request
 end
```

Or `find_user_from_dependency_proxy_token` should skip the auth check when a deploy_token exists!
```ruby
def find_user_from_dependency_proxy_token
  return unless dependency_proxy_request?

  token, _ = ActionController::HttpAuthentication::Token.token_and_options(current_request)

  return unless token

  user_or_deploy_token = ::DependencyProxy::AuthTokenService.user_or_deploy_token_from_jwt(token)

  # Do not return deploy tokens
  # See https://gitlab.com/gitlab-org/gitlab/-/issues/342481
  return unless user_or_deploy_token.is_a?(::User)

  user_or_deploy_token
rescue ActiveRecord::RecordNotFound
  nil # invalid id used return no user
end
```
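To show why the ordering matters, here is a simplified model of the `||` finder chain with an instrumented LDAP stand-in. This is an added example, not GitLab's code: `FakeLdap`, `DEPLOY_TOKENS`, and the two `authenticate_*` methods are constructed for illustration, and the deploy-token lookup is a plain hash compare rather than GitLab's real validation.

```ruby
# Simplified model of the request-authenticator chain: each finder returns a
# user (or a deploy token) or nil, and `||` falls through to the next finder.
# The LDAP-backed password check sits last, so any login no earlier finder
# recognises reaches the LDAP server, including deploy-token clones.

class FakeLdap
  attr_reader :bind_attempts

  def initialize
    @bind_attempts = 0
  end

  # Stands in for Gitlab::Auth.find_with_user_password contacting the LDAP server.
  def bind(_login, _password)
    @bind_attempts += 1
    nil # a deploy-token login never matches an LDAP user
  end
end

# Constructed sample deploy token (username => secret). The `gitlab+deploy-token-N`
# username and `gldt-` prefix follow GitLab's naming for deploy tokens.
DEPLOY_TOKENS = { 'gitlab+deploy-token-1' => 'gldt-constructed-example' }.freeze

# Hypothetical finder corresponding to the proposed find_user_from_deploy_token.
def find_user_from_deploy_token(login, password)
  return nil unless login.start_with?('gitlab+deploy-token-')

  DEPLOY_TOKENS[login] == password ? { deploy_token: login } : nil
end

# Last finder in the chain: falls back to a password bind against LDAP.
def find_user_for_git_or_lfs_request(ldap, login, password)
  ldap.bind(login, password)
end

# Current ordering: nothing before the LDAP-backed finder recognises deploy tokens.
def authenticate_current(ldap, login, password)
  find_user_for_git_or_lfs_request(ldap, login, password)
end

# Proposed ordering: a deploy-token match short-circuits the chain, so LDAP is
# never consulted for valid deploy-token clones. An invalid deploy token still
# falls through to LDAP, exactly as the `||` chain in the proposal would.
def authenticate_proposed(ldap, login, password)
  find_user_from_deploy_token(login, password) ||
    find_user_for_git_or_lfs_request(ldap, login, password)
end

# Runs one authentication attempt and reports how many LDAP binds it caused.
def ldap_binds_for(method, login, password)
  ldap = FakeLdap.new
  send(method, ldap, login, password)
  ldap.bind_attempts
end
```

Counting binds per clone is also a useful way to confirm the fix on a real instance: with the proposed ordering, a valid deploy-token clone should produce no entries in the LDAP server log.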
Related issue
Question
- Is LDAP verification necessary here?
- Is it necessary to verify against LDAP for security considerations or for other reasons?