LDAP bind account failure removes users from MR approval rules causing auto-approval and security bypass
Summary
LDAP bind account failures cause users to be removed from merge request approval rules, resulting in empty rules being auto-approved and bypassing code review requirements.
Steps to reproduce
- Configure GitLab with LDAP authentication and merge request approval rules containing only LDAP users/groups
- Create merge requests that require approval from these LDAP-based approval rules
- Cause the LDAP bind account to become locked or unavailable (while LDAP server remains reachable)
- Wait for LDAP sync operations to run during the outage
- Observe that LDAP users are removed from approval rules
- Observe that empty approval rules are marked as "Auto approved"
- Merge requests can now be merged without any actual code review
Example Project
N/A
What is the current bug behavior?
When LDAP bind account fails:
- LDAP users are removed from merge request approval rules during sync
- Approval rules with no remaining users are marked as "Auto approved"
- Merge requests can be merged without any approvals
- Administrators sporadically lose their admin roles
What is the expected correct behavior?
When LDAP bind account fails:
- Approval rules should retain their configured users even when LDAP is temporarily unavailable
- Merge requests should be blocked (not auto-approved) when approvers cannot be verified
- The system should "fail closed" (deny access) rather than "fail open" (bypass security)
Relevant logs and/or screenshots
I'll add logs as soon as I get them from the customer or replicate it myself.
Output of checks
Results of GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true`) (we will only investigate if the tests are passing)
Possible fixes
The issue appears related to how GitLab handles empty/unsatisfiable approval rules. According to documentation, GitLab marks approval rules as "Auto approved" when they're impossible to satisfy (no eligible approvers). This behavior should be changed to block merge requests instead when approvers are unavailable due to authentication system failures. Related issue: #6054 (LDAP connection failures removing group memberships)
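Added illustration, not GitLab's own code: a toy model of the fail-open path this report describes beside the fail-closed handling it proposes. `Rule`, `LdapResult` and the sync/status functions are hypothetical names; the scenario data is constructed.

```ruby
# Outcome of one LDAP group lookup. bind_ok is false when the bind account is
# locked or rejected even though the server itself is reachable.
LdapResult = Struct.new(:bind_ok, :members)

# An approval rule: its configured approvers plus whether the last sync was
# able to verify them against the directory.
Rule = Struct.new(:members, :verified)

# Behaviour reported in the issue: a failed bind is handled like an empty
# group, so the sync strips every user from the rule and still reports the
# rule as verified.
def sync_fail_open(_rule, ldap)
  Rule.new(ldap.bind_ok ? ldap.members : [], true)
end

# Proposed behaviour: a failed bind proves nothing about membership, so the
# rule keeps its configured approvers and is flagged as unverified.
def sync_fail_closed(rule, ldap)
  return Rule.new(rule.members, false) unless ldap.bind_ok

  Rule.new(ldap.members, true)
end

# Approval evaluation. The documented behaviour quoted in the issue: a rule
# with no eligible approvers is "Auto approved". The added guard blocks
# instead whenever the approvers could not be verified against the
# authentication system.
def approval_status(rule, required, approvals)
  return :blocked unless rule.verified
  return :auto_approved if rule.members.empty?

  (approvals & rule.members).size >= required ? :approved : :blocked
end

# Constructed scenario: two LDAP approvers, one approval required, bind
# account locked during sync, no approvals given on the merge request.
def outage_scenario
  configured = Rule.new(%w[alice bob], true)
  outage = LdapResult.new(false, nil)
  {
    fail_open: approval_status(sync_fail_open(configured, outage), 1, []),
    fail_closed: approval_status(sync_fail_closed(configured, outage), 1, [])
  }
end

puts outage_scenario.inspect
```

Under the outage the fail-open sync yields `:auto_approved` (the bypass in this report) while the fail-closed sync yields `:blocked`.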
Patch release information for backports
If the bug fix needs to be backported in a patch release to a version under the maintenance policy, please follow the steps on the patch release runbook for GitLab engineers.
Refer to the internal "Release Information" dashboard for information about the next patch release, including the targeted versions, expected release date, and current status.
High-severity bug remediation
To remediate high-severity issues requiring an internal release for single-tenant SaaS instances, refer to the internal release process for engineers.