Diffstat (limited to 'lib/gitlab/auth/ldap')
-rw-r--r--lib/gitlab/auth/ldap/config.rb34
-rw-r--r--lib/gitlab/auth/ldap/user.rb14
2 files changed, 29 insertions, 19 deletions
diff --git a/lib/gitlab/auth/ldap/config.rb b/lib/gitlab/auth/ldap/config.rb
index 88cc840c395..f5931a1d5eb 100644
--- a/lib/gitlab/auth/ldap/config.rb
+++ b/lib/gitlab/auth/ldap/config.rb
@@ -53,6 +53,10 @@ module Gitlab
raise InvalidProvider.new("Unknown provider (#{provider}). Available providers: #{providers}")
end
+ def self.encrypted_secrets
+ Settings.encrypted(Gitlab.config.ldap.secret_file)
+ end
+
def initialize(provider)
if self.class.valid_provider?(provider)
@provider = provider
@@ -89,8 +93,8 @@ module Gitlab
if has_auth?
opts.merge!(
- bind_dn: options['bind_dn'],
- password: options['password']
+ bind_dn: auth_username,
+ password: auth_password
)
end
@@ -155,7 +159,7 @@ module Gitlab
end
def has_auth?
- options['password'] || options['bind_dn']
+ auth_password || auth_username
end
def allow_username_or_email_login
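Review bot: `has_auth?` returns the bind password or bind DN itself rather than a boolean, so a caller that logs or serialises the predicate's result would carry the credential with it; the rewritten line keeps that shape. It also counts an empty string from the config as "auth configured", because `''` is truthy in Ruby. Consider `auth_password.present? || auth_username.present?`, which yields true/false and ignores blank values. The predicate now also triggers decryption of the secrets file through `secrets` (added later in this file), which deserves a one-line comment above the method.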
@@ -267,12 +271,32 @@ module Gitlab
{
auth: {
method: :simple,
- username: options['bind_dn'],
- password: options['password']
+ username: auth_username,
+ password: auth_password
}
}
end
+ def secrets
+ @secrets ||= self.class.encrypted_secrets[@provider.delete_prefix('ldap').to_sym]
+ rescue => e
+ Gitlab::AppLogger.error "LDAP encrypted secrets are invalid: #{e.inspect}"
+
+ nil
+ end
+
+ def auth_password
+ return options['password'] if options['password']
+
+ secrets&.fetch(:password, nil)&.chomp
+ end
+
+ def auth_username
+ return options['bind_dn'] if options['bind_dn']
+
+ secrets&.fetch(:bind_dn, nil)&.chomp
+ end
+
def omniauth_user_filter
uid_filter = Net::LDAP::Filter.eq(uid, '%{username}')
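Review bot: The method-level `rescue` in `secrets` turns any failure to read or decrypt the secrets file into `nil`, so `auth_password` and `auth_username` return nil, `has_auth?` goes false, and the connection options are built without bind credentials instead of failing. Whether the directory then accepts an unauthenticated bind depends on code and server configuration outside this hunk, so the fallback should at least be documented above `secrets`, e.g. `# Returns nil (and logs) when the encrypted file cannot be read; callers then proceed without bind credentials.` Because `||=` does not memoise nil, every later call retries the decryption and writes another error line; `return @secrets if defined?(@secrets)` as the first line plus `@secrets = nil` in the rescue would limit that to once per Config instance. `e.inspect` is logged verbatim, so it is worth confirming that exceptions raised on this path never embed decrypted content in their message.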
diff --git a/lib/gitlab/auth/ldap/user.rb b/lib/gitlab/auth/ldap/user.rb
index 1405fb4ab95..814c17b7e44 100644
--- a/lib/gitlab/auth/ldap/user.rb
+++ b/lib/gitlab/auth/ldap/user.rb
@@ -11,16 +11,6 @@ module Gitlab
module Ldap
class User < Gitlab::Auth::OAuth::User
extend ::Gitlab::Utils::Override
- class << self
- # rubocop: disable CodeReuse/ActiveRecord
- def find_by_uid_and_provider(uid, provider)
- identity = ::Identity.with_extern_uid(provider, uid).take
-
- identity && identity.user
- end
- # rubocop: enable CodeReuse/ActiveRecord
- end
-
def save
super('LDAP')
end
@@ -30,10 +20,6 @@ module Gitlab
find_by_uid_and_provider || find_by_email || build_new_user
end
- def find_by_uid_and_provider
- self.class.find_by_uid_and_provider(auth_hash.uid, auth_hash.provider)
- end
-
override :should_save?
def should_save?
gl_user.changed? || gl_user.identities.any?(&:changed?)