HTTP Basic: Access denied with LDAP Auth after 17.11 upgrade
Workaround until a fix is available in the 7th May patch release
Option 1
Navigate to Admin area > Settings > General and set Personal access token prefix to a value such as glpat-, which is the default value that GitLab uses.
Option 2
You can disable the following feature flag for now, until the 17.11 patch release fixes the issue.
- Start a Rails console
- Run the following command to disable the feature flag.
Feature.disable(:prevent_token_prefixed_password_fallback_sessionless)
Summary
After upgrading to GitLab 17.11, Git remote Basic authentication over HTTP(S) with LDAP always failed.
Steps to reproduce
- Configure GitLab with LDAP
- Try to clone a project over HTTP(s) with Basic Auth with LDAP user/password
Example Project
Relevant logs and/or screenshots
09:01:50.217699 git.c:476 trace: built-in: git clone https://git.domain.tld/project-x/tools.git
Klone nach 'tools'...
09:01:50.227812 run-command.c:667 trace: run_command: git remote-https origin https://git.domain.tld/project-x/tools.git
09:01:50.227834 run-command.c:759 trace: start_command: /opt/homebrew/opt/git/libexec/git-core/git remote-https origin https://git.domain.tld/project-x/tools.git
09:01:50.233832 git.c:769 trace: exec: git-remote-https origin https://git.domain.tld/project-x/tools.git
09:01:50.234275 run-command.c:667 trace: run_command: git-remote-https origin https://git.domain.tld/project-x/tools.git
09:01:50.234297 run-command.c:759 trace: start_command: /opt/homebrew/opt/git/libexec/git-core/git-remote-https origin https://git.domain.tld/project-x/tools.git
09:01:50.243040 http.c:878 == Info: Couldn't find host git.domain.tld in the .netrc file; using defaults
09:01:50.245244 http.c:878 == Info: Host git.domain.tld:443 was resolved.
09:01:50.245250 http.c:878 == Info: IPv6: (none)
09:01:50.245252 http.c:878 == Info: IPv4: XX.XX.XX.XX
09:01:50.245265 http.c:878 == Info: Trying XX.XX.XX.XX:443...
09:01:50.246149 http.c:878 == Info: Connected to git.domain.tld (XX.XX.XX.XX) port 443
09:01:50.246198 http.c:878 == Info: ALPN: curl offers h2,http/1.1
09:01:50.246326 http.c:878 == Info: (304) (OUT), TLS handshake, Client hello (1):
09:01:50.249186 http.c:878 == Info: CAfile: /etc/ssl/cert.pem
09:01:50.249189 http.c:878 == Info: CApath: none
09:01:50.249201 http.c:878 == Info: (304) (IN), TLS handshake, Server hello (2):
09:01:50.249320 http.c:878 == Info: (304) (IN), TLS handshake, Unknown (8):
09:01:50.249338 http.c:878 == Info: (304) (IN), TLS handshake, Certificate (11):
09:01:50.251120 http.c:878 == Info: (304) (IN), TLS handshake, CERT verify (15):
09:01:50.251272 http.c:878 == Info: (304) (IN), TLS handshake, Finished (20):
09:01:50.251327 http.c:878 == Info: (304) (OUT), TLS handshake, Finished (20):
09:01:50.251334 http.c:878 == Info: SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
09:01:50.251337 http.c:878 == Info: ALPN: server accepted h2
09:01:50.251340 http.c:878 == Info: Server certificate:
09:01:50.251344 http.c:878 == Info: subject: CN=git.domain.tld
09:01:50.251346 http.c:878 == Info: start date: Mar 21 00:00:00 2025 GMT
09:01:50.251349 http.c:878 == Info: expire date: Jun 19 23:59:59 2025 GMT
09:01:50.251353 http.c:878 == Info: subjectAltName: host "git.domain.tld" matched cert's "git.domain.tld"
09:01:50.251358 http.c:878 == Info: issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
09:01:50.251360 http.c:878 == Info: SSL certificate verify ok.
09:01:50.251388 http.c:878 == Info: using HTTP/2
09:01:50.251409 http.c:878 == Info: [HTTP/2] [1] OPENED stream for https://git.domain.tld/project-x/tools.git/info/refs?service=git-upload-pack
09:01:50.251412 http.c:878 == Info: [HTTP/2] [1] [:method: GET]
09:01:50.251413 http.c:878 == Info: [HTTP/2] [1] [:scheme: https]
09:01:50.251415 http.c:878 == Info: [HTTP/2] [1] [:authority: git.domain.tld]
09:01:50.251416 http.c:878 == Info: [HTTP/2] [1] [:path: /project-x/tools.git/info/refs?service=git-upload-pack]
09:01:50.251418 http.c:878 == Info: [HTTP/2] [1] [user-agent: git/2.48.1]
09:01:50.251419 http.c:878 == Info: [HTTP/2] [1] [accept: */*]
09:01:50.251421 http.c:878 == Info: [HTTP/2] [1] [accept-encoding: deflate, gzip]
09:01:50.251423 http.c:878 == Info: [HTTP/2] [1] [accept-language: de-DE, *;q=0.9]
09:01:50.251424 http.c:878 == Info: [HTTP/2] [1] [pragma: no-cache]
09:01:50.251426 http.c:878 == Info: [HTTP/2] [1] [git-protocol: version=2]
09:01:50.251443 http.c:825 => Send header, 0000000236 bytes (0x000000ec)
09:01:50.251446 http.c:837 => Send header: GET /project-x/tools.git/info/refs?service=git-upload-pack HTTP/2
09:01:50.251448 http.c:837 => Send header: Host: git.domain.tld
09:01:50.251449 http.c:837 => Send header: User-Agent: git/2.48.1
09:01:50.251450 http.c:837 => Send header: Accept: */*
09:01:50.251452 http.c:837 => Send header: Accept-Encoding: deflate, gzip
09:01:50.251453 http.c:837 => Send header: Accept-Language: de-DE, *;q=0.9
09:01:50.251454 http.c:837 => Send header: Pragma: no-cache
09:01:50.251455 http.c:837 => Send header: Git-Protocol: version=2
09:01:50.251457 http.c:837 => Send header:
09:01:50.251461 http.c:878 == Info: Request completely sent off
09:01:50.454335 http.c:825 <= Recv header, 0000000013 bytes (0x0000000d)
09:01:50.454402 http.c:837 <= Recv header: HTTP/2 401
09:01:50.454423 http.c:825 <= Recv header, 0000000015 bytes (0x0000000f)
09:01:50.454431 http.c:837 <= Recv header: server: nginx
09:01:50.454453 http.c:825 <= Recv header, 0000000037 bytes (0x00000025)
09:01:50.454463 http.c:837 <= Recv header: date: Wed, 23 Apr 2025 07:01:50 GMT
09:01:50.454475 http.c:825 <= Recv header, 0000000041 bytes (0x00000029)
09:01:50.454483 http.c:837 <= Recv header: content-type: text/plain; charset=utf-8
09:01:50.454499 http.c:825 <= Recv header, 0000000021 bytes (0x00000015)
09:01:50.454506 http.c:837 <= Recv header: content-length: 352
09:01:50.454517 http.c:825 <= Recv header, 0000000025 bytes (0x00000019)
09:01:50.454523 http.c:837 <= Recv header: cache-control: no-cache
09:01:50.454533 http.c:825 <= Recv header, 0000000014 bytes (0x0000000e)
09:01:50.454540 http.c:837 <= Recv header: vary: Accept
09:01:50.454554 http.c:825 <= Recv header, 0000000040 bytes (0x00000028)
09:01:50.454560 http.c:837 <= Recv header: www-authenticate: Basic realm="GitLab"
09:01:50.454571 http.c:825 <= Recv header, 0000000033 bytes (0x00000021)
09:01:50.454577 http.c:837 <= Recv header: x-content-type-options: nosniff
09:01:50.454586 http.c:825 <= Recv header, 0000000028 bytes (0x0000001c)
09:01:50.454593 http.c:837 <= Recv header: x-download-options: noopen
09:01:50.454602 http.c:825 <= Recv header, 0000000029 bytes (0x0000001d)
09:01:50.454608 http.c:837 <= Recv header: x-frame-options: SAMEORIGIN
09:01:50.454627 http.c:825 <= Recv header, 0000000078 bytes (0x0000004e)
09:01:50.454642 http.c:837 <= Recv header: x-gitlab-meta: {"correlation_id":"XXXXXXXXXXXXXXXXXXXXXXXXX","version":"1"}
09:01:50.454654 http.c:825 <= Recv header, 0000000041 bytes (0x00000029)
09:01:50.454662 http.c:837 <= Recv header: x-permitted-cross-domain-policies: none
09:01:50.454672 http.c:825 <= Recv header, 0000000042 bytes (0x0000002a)
09:01:50.454678 http.c:837 <= Recv header: x-request-id: XXXXXXXXXXXXXXXXXXXXXXXXX
09:01:50.454688 http.c:825 <= Recv header, 0000000021 bytes (0x00000015)
09:01:50.454694 http.c:837 <= Recv header: x-runtime: 0.189886
09:01:50.454702 http.c:825 <= Recv header, 0000000021 bytes (0x00000015)
09:01:50.454709 http.c:837 <= Recv header: x-xss-protection: 0
09:01:50.454719 http.c:825 <= Recv header, 0000000045 bytes (0x0000002d)
09:01:50.454725 http.c:837 <= Recv header: strict-transport-security: max-age=63072000
09:01:50.454737 http.c:825 <= Recv header, 0000000002 bytes (0x00000002)
09:01:50.454743 http.c:837 <= Recv header:
09:01:50.454852 http.c:878 == Info: Connection #0 to host git.domain.tld left intact
09:01:50.454964 run-command.c:667 trace: run_command: 'git credential-osxkeychain get'
09:01:50.454979 run-command.c:759 trace: start_command: /bin/sh -c 'git credential-osxkeychain get' 'git credential-osxkeychain get'
09:01:50.472899 git.c:769 trace: exec: git-credential-osxkeychain get
09:01:50.473455 run-command.c:667 trace: run_command: git-credential-osxkeychain get
09:01:50.473477 run-command.c:759 trace: start_command: /opt/homebrew/opt/git/libexec/git-core/git-credential-osxkeychain get
Username for 'https://git.domain.tld': xxxuserxxx
Password for 'https://xxxuserxxx@git.domain.tld':
09:01:56.860504 http.c:878 == Info: Found bundle for host: 0x60000244cb10 [can multiplex]
09:01:56.860582 http.c:878 == Info: Re-using existing connection with host git.domain.tld
09:01:56.860653 http.c:878 == Info: Server auth using Basic with user 'xxxuserxxx'
09:01:56.860740 http.c:878 == Info: [HTTP/2] [3] OPENED stream for https://git.domain.tld/project-x/tools.git/info/refs?service=git-upload-pack
09:01:56.860755 http.c:878 == Info: [HTTP/2] [3] [:method: GET]
09:01:56.860764 http.c:878 == Info: [HTTP/2] [3] [:scheme: https]
09:01:56.860771 http.c:878 == Info: [HTTP/2] [3] [:authority: git.domain.tld]
09:01:56.860779 http.c:878 == Info: [HTTP/2] [3] [:path: /project-x/tools.git/info/refs?service=git-upload-pack]
09:01:56.860788 http.c:878 == Info: [HTTP/2] [3] [authorization: Basic <redacted>]
09:01:56.860795 http.c:878 == Info: [HTTP/2] [3] [user-agent: git/2.48.1]
09:01:56.860802 http.c:878 == Info: [HTTP/2] [3] [accept: */*]
09:01:56.860809 http.c:878 == Info: [HTTP/2] [3] [accept-encoding: deflate, gzip]
09:01:56.860816 http.c:878 == Info: [HTTP/2] [3] [accept-language: de-DE, *;q=0.9]
09:01:56.863543 http.c:878 == Info: [HTTP/2] [3] [pragma: no-cache]
09:01:56.863576 http.c:878 == Info: [HTTP/2] [3] [git-protocol: version=2]
09:01:56.864931 http.c:825 => Send header, 0000000299 bytes (0x0000012b)
09:01:56.865002 http.c:837 => Send header: GET /project-x/tools.git/info/refs?service=git-upload-pack HTTP/2
09:01:56.865019 http.c:837 => Send header: Host: git.domain.tld
09:01:56.865024 http.c:837 => Send header: Authorization: Basic <redacted>
09:01:56.865028 http.c:837 => Send header: User-Agent: git/2.48.1
09:01:56.865032 http.c:837 => Send header: Accept: */*
09:01:56.865035 http.c:837 => Send header: Accept-Encoding: deflate, gzip
09:01:56.865039 http.c:837 => Send header: Accept-Language: de-DE, *;q=0.9
09:01:56.865043 http.c:837 => Send header: Pragma: no-cache
09:01:56.865046 http.c:837 => Send header: Git-Protocol: version=2
09:01:56.865048 http.c:837 => Send header:
09:01:56.865110 http.c:878 == Info: Request completely sent off
09:01:57.038200 http.c:825 <= Recv header, 0000000013 bytes (0x0000000d)
09:01:57.038246 http.c:837 <= Recv header: HTTP/2 401
09:01:57.038268 http.c:825 <= Recv header, 0000000015 bytes (0x0000000f)
09:01:57.038277 http.c:837 <= Recv header: server: nginx
09:01:57.038294 http.c:825 <= Recv header, 0000000037 bytes (0x00000025)
09:01:57.038301 http.c:837 <= Recv header: date: Wed, 23 Apr 2025 07:01:57 GMT
09:01:57.038316 http.c:825 <= Recv header, 0000000041 bytes (0x00000029)
09:01:57.038322 http.c:837 <= Recv header: content-type: text/plain; charset=utf-8
09:01:57.038334 http.c:825 <= Recv header, 0000000021 bytes (0x00000015)
09:01:57.038341 http.c:837 <= Recv header: content-length: 352
09:01:57.038353 http.c:825 <= Recv header, 0000000025 bytes (0x00000019)
09:01:57.038359 http.c:837 <= Recv header: cache-control: no-cache
09:01:57.038368 http.c:825 <= Recv header, 0000000014 bytes (0x0000000e)
09:01:57.038375 http.c:837 <= Recv header: vary: Accept
09:01:57.038389 http.c:878 == Info: Authentication problem. Ignoring this.
09:01:57.038398 http.c:825 <= Recv header, 0000000040 bytes (0x00000028)
09:01:57.038406 http.c:837 <= Recv header: www-authenticate: Basic realm="GitLab"
09:01:57.038417 http.c:825 <= Recv header, 0000000033 bytes (0x00000021)
09:01:57.038423 http.c:837 <= Recv header: x-content-type-options: nosniff
09:01:57.038433 http.c:825 <= Recv header, 0000000028 bytes (0x0000001c)
09:01:57.038439 http.c:837 <= Recv header: x-download-options: noopen
09:01:57.038450 http.c:825 <= Recv header, 0000000029 bytes (0x0000001d)
09:01:57.038456 http.c:837 <= Recv header: x-frame-options: SAMEORIGIN
09:01:57.038471 http.c:825 <= Recv header, 0000000078 bytes (0x0000004e)
09:01:57.038492 http.c:837 <= Recv header: x-gitlab-meta: {"correlation_id":"XXXXXXXXXXXXXXXXXXXXXXXXX","version":"1"}
09:01:57.038504 http.c:825 <= Recv header, 0000000041 bytes (0x00000029)
09:01:57.038511 http.c:837 <= Recv header: x-permitted-cross-domain-policies: none
09:01:57.038522 http.c:825 <= Recv header, 0000000042 bytes (0x0000002a)
09:01:57.038528 http.c:837 <= Recv header: x-request-id: XXXXXXXXXXXXXXXXXXXXXXXXX
09:01:57.038538 http.c:825 <= Recv header, 0000000021 bytes (0x00000015)
09:01:57.038544 http.c:837 <= Recv header: x-runtime: 0.161639
09:01:57.038553 http.c:825 <= Recv header, 0000000021 bytes (0x00000015)
09:01:57.038560 http.c:837 <= Recv header: x-xss-protection: 0
09:01:57.038571 http.c:825 <= Recv header, 0000000045 bytes (0x0000002d)
09:01:57.038578 http.c:837 <= Recv header: strict-transport-security: max-age=63072000
09:01:57.038588 http.c:825 <= Recv header, 0000000002 bytes (0x00000002)
09:01:57.038595 http.c:837 <= Recv header:
09:01:57.038672 http.c:878 == Info: Connection #0 to host git.domain.tld left intact
09:01:57.038729 run-command.c:667 trace: run_command: 'git credential-osxkeychain erase'
09:01:57.038747 run-command.c:759 trace: start_command: /bin/sh -c 'git credential-osxkeychain erase' 'git credential-osxkeychain erase'
09:01:57.057710 git.c:769 trace: exec: git-credential-osxkeychain erase
09:01:57.058468 run-command.c:667 trace: run_command: git-credential-osxkeychain erase
09:01:57.058496 run-command.c:759 trace: start_command: /opt/homebrew/opt/git/libexec/git-core/git-credential-osxkeychain erase
remote: HTTP Basic: Access denied. If a password was provided for Git authentication, the password was incorrect or you're required to use a token instead of a password. If a token was provided, it was either incorrect, expired, or improperly scoped. See https://git.domain.tld/help/topics/git/troubleshooting_git.md#error-on-git-fetch-http-basic-access-denied
Schwerwiegend: Authentifizierung fehlgeschlagen für 'https://git.domain.tld/project-x/tools.git/'
Results of GitLab environment info
Edited by Drew Blessing
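For triaging a trace like the one above, the following added example (not part of the original report and not GitLab code) separates the expected unauthenticated 401 challenge from a 401 returned after credentials were sent, and returns the correlation ID of the rejected request. The function names and the sample excerpt are constructed for illustration; only the Authorization scheme is kept, never the credential value.

```python
import json
import re

# Constructed excerpt in the trace format above; the correlation IDs are made up.
SAMPLE_TRACE = """\
09:01:50.251446 http.c:837 => Send header: GET /project-x/tools.git/info/refs?service=git-upload-pack HTTP/2
09:01:50.454402 http.c:837 <= Recv header: HTTP/2 401
09:01:50.454642 http.c:837 <= Recv header: x-gitlab-meta: {"correlation_id":"CONSTRUCTED-ID-1","version":"1"}
09:01:56.865002 http.c:837 => Send header: GET /project-x/tools.git/info/refs?service=git-upload-pack HTTP/2
09:01:56.865024 http.c:837 => Send header: Authorization: Basic <redacted>
09:01:57.038246 http.c:837 <= Recv header: HTTP/2 401
09:01:57.038492 http.c:837 <= Recv header: x-gitlab-meta: {"correlation_id":"CONSTRUCTED-ID-2","version":"1"}
"""

HEADER = re.compile(r"^\S+ http\.c:\d+ (=>|<=) (?:Send|Recv) header: ?(.*)$")

def parse_exchanges(trace):
    exchanges = []
    for line in trace.splitlines():
        m = HEADER.match(line.strip())
        if not m or not m.group(2):
            continue  # byte-count lines, Info lines, empty header terminators
        direction, text = m.groups()
        if direction == "=>" and re.match(r"[A-Z]+ \S+ HTTP/", text):
            exchanges.append({"auth_scheme": None, "status": None, "correlation_id": None})
            continue
        if not exchanges:
            continue
        cur = exchanges[-1]
        status = re.match(r"HTTP/[\d.]+ (\d{3})", text)
        name, _, value = (part.strip() for part in text.partition(":"))
        if direction == "<=" and status:
            cur["status"] = int(status.group(1))
        elif direction == "=>" and name.lower() == "authorization":
            cur["auth_scheme"] = value.split(" ", 1)[0]  # scheme only, never the secret
        elif direction == "<=" and name.lower() == "x-gitlab-meta":
            try:
                cur["correlation_id"] = json.loads(value).get("correlation_id")
            except (ValueError, AttributeError):
                pass  # header was redacted or truncated
    return exchanges

def classify(exchange):
    if exchange["status"] != 401:
        return "not_an_auth_failure"
    return "credentials_rejected" if exchange["auth_scheme"] else "initial_challenge"

def rejected_correlation_ids(trace):
    return [e["correlation_id"] for e in parse_exchanges(trace) if classify(e) == "credentials_rejected"]
```
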


