Reduce hits to LDAP on Git HTTP auth by reordering auth mechanisms
What does this MR do?
We accept half a dozen different authentication mechanisms for Git over HTTP. Fairly high in the list we were checking user password, which would also query LDAP. In the case of LFS, OAuth tokens or personal access tokens, we were unnecessarily hitting LDAP when the authentication will not succeed. This was causing some LDAP/AD systems to lock the account. Now, user password authentication is the last mechanism tried since it's the most expensive.
Are there points in the code the reviewer needs to double check?
No.
Why was this MR needed?
Hitting LDAP is expensive, especially when we're trying to authenticate a user's account with bogus passwords. It was causing account lockouts for some LDAP/AD systems.
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated
- API support added
- Tests
  - Added for this feature/bug
  - All builds are passing
- Conform by the merge request performance guides
- Conform by the style guides
- Branch has no merge conflicts with master (if it does - rebase it please)
- Squashed related commits together
What are the relevant issue numbers?
Closes #24462 (closed)
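
The effect of the reordering described above, as an added Ruby example that is not code from this merge request or from GitLab. It reduces the chain to two mechanisms; `CountingLdap`, `TOKENS`, `build_mechanisms`, `authenticate` and `ldap_hits` are hypothetical names, and the credentials are constructed sample data.

```ruby
# Constructed illustration: all names here are hypothetical, not GitLab's code.
class CountingLdap
  attr_reader :bind_attempts

  def initialize(directory)
    @directory = directory # login => password (constructed sample data)
    @bind_attempts = 0
  end

  # Each call stands for one bind against LDAP/AD. Failed binds are what
  # count toward a directory's lockout threshold.
  def bind(login, password)
    @bind_attempts += 1
    @directory[login] == password
  end
end

TOKENS = { 'pat-constructed-123' => 'alice' }.freeze # constructed token store

def build_mechanisms(ldap)
  {
    personal_access_token: ->(_login, secret) { TOKENS[secret] },
    user_password: ->(login, secret) { ldap.bind(login, secret) ? login : nil }
  }
end

# Try mechanisms in the given order; return [user, mechanism] for the first hit.
def authenticate(order, mechanisms, login, secret)
  order.each do |name|
    user = mechanisms.fetch(name).call(login, secret)
    return [user, name] if user
  end
  [nil, nil]
end

# Count directory binds caused by `requests` Git HTTP requests sent with `secret`.
def ldap_hits(order, requests:, secret: 'pat-constructed-123')
  ldap = CountingLdap.new('alice' => 'correct horse')
  mechanisms = build_mechanisms(ldap)
  results = Array.new(requests) { authenticate(order, mechanisms, 'alice', secret) }
  [ldap.bind_attempts, results.uniq]
end

OLD_ORDER = %i[user_password personal_access_token].freeze # password checked early
NEW_ORDER = %i[personal_access_token user_password].freeze # password checked last
```

With the old order every token-authenticated request produces one failed bind before the token matches; with the new order only a credential that matches no cheaper mechanism reaches the directory.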