Remove prevent_token_prefixed_password_fallback_sessionless FF

What does this MR do and why?

Remove prevent_token_prefixed_password_fallback_sessionless FF

The feature flag was introduced to prevent recognized token types from falling back to database or LDAP authentication when invalid, avoiding LDAP account lockouts during Git over HTTPS authentication.

The feature has been successfully rolled out and is now permanently enabled. This removes the feature flag definition and completes the cleanup.

Closes #431923 (closed)

Changelog: removed

References

Screenshots or screen recordings

Before: Many LDAP login attempts
After: No LDAP login attempts

How to set up and validate locally

  1. Integrate an LDAP server successfully. See LDAP GDK documentation.
  2. Create a project and create a PAT on this project.
  3. Open LDAP logs with gdk tail openldap
  4. Run the script to clone the project
  5. Revoke the PAT while the script is still running
  6. git clone will start to fail

Expected result:

Before fix: LDAP server logs show authentication attempts
After fix: No LDAP server requests in logs

Script used

#!/bin/bash

# Configuration
GITLAB_URL="127.0.0.1:3000"
PROJECT_PATH="gitlab-org/gitlab-test"        # Replace with target project path
USERNAME="john"            # LDAP Account username, provided by default by gdk openldap
PAT="<YOUR-PAT>"       # Add the PAT generated
CLONE_DIR="test-clone"
SLEEP_INTERVAL=0.1                         # Seconds between attempts
MAX_ATTEMPTS=1000                         # Maximum number of attempts

echo "Starting clone script - will attempt $MAX_ATTEMPTS clones"
echo "Target: $GITLAB_URL/$PROJECT_PATH"
echo "Username: $USERNAME"
echo "Press Ctrl+C to stop"
echo "----------------------------------------"

attempt=1
while [ $attempt -le $MAX_ATTEMPTS ]; do
    echo "Attempt $attempt at $(date)"

    # Remove previous clone directory if it exists
    if [ -d "$CLONE_DIR" ]; then
        rm -rf "$CLONE_DIR"
    fi

    # Attempt to clone using HTTPS with PAT
    git clone "http://$USERNAME:$PAT@$GITLAB_URL/$PROJECT_PATH.git" "$CLONE_DIR" 2>&1

    clone_result=$?

    if [ $clone_result -eq 0 ]; then
        echo "✅ Clone successful"
        rm -rf "$CLONE_DIR"  # Clean up successful clone
    else
        echo "❌ Clone failed (exit code: $clone_result)"
    fi

    echo "Waiting $SLEEP_INTERVAL seconds before next attempt..."
    sleep $SLEEP_INTERVAL

    attempt=$((attempt + 1))
done

echo "Script completed after $MAX_ATTEMPTS attempts"

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Daniele Bracciani
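
The fallback behavior the flag controlled, as an added Ruby model that is not GitLab's code and not part of the original MR. The class names, the `glpat-`/`gldt-` prefix list and the lock-after-5-failures directory are assumptions of this sketch.

```ruby
# Added illustration: a model of the dispatch, not GitLab's implementation.
TOKEN_PREFIXES = %w[glpat- gldt-].freeze # assumed list of recognized prefixes

# Hypothetical directory stand-in: counts binds, locks after repeated failures.
class FakeLdap
  attr_reader :binds

  def initialize(password:, lockout_after: 5)
    @password = password
    @lockout_after = lockout_after
    @binds = 0
    @failures = 0
  end

  def locked?
    @failures >= @lockout_after
  end

  def bind(_login, secret)
    @binds += 1
    return false if locked?
    return true if secret == @password
    @failures += 1
    false
  end
end

# Hypothetical Git-over-HTTP authenticator with the flag as a constructor switch.
class GitHttpAuth
  def initialize(ldap:, valid_tokens:, prevent_fallback:)
    @ldap = ldap
    @valid_tokens = valid_tokens
    @prevent_fallback = prevent_fallback
  end

  def authenticate(login, secret)
    return :token if @valid_tokens.include?(secret)
    # Token-shaped but invalid (revoked, expired): stop here, never reach LDAP.
    return :denied if @prevent_fallback && secret.start_with?(*TOKEN_PREFIXES)
    @ldap.bind(login, secret) ? :ldap : :denied
  end
end

# Replays a revoked PAT (constructed value) the way the clone loop does.
def replay_revoked_token(prevent_fallback:, attempts: 20)
  ldap = FakeLdap.new(password: "constructed-ldap-password")
  auth = GitHttpAuth.new(ldap: ldap, valid_tokens: [], prevent_fallback: prevent_fallback)
  results = Array.new(attempts) { auth.authenticate("john", "glpat-constructed-revoked") }
  { binds: ldap.binds, locked: ldap.locked?, results: results.uniq }
end
```

With `prevent_fallback: false` every failed clone reaches the directory and the modeled account ends up locked; with `true` the bind counter stays at zero while a real LDAP password still authenticates.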
