From 13722ed374d7f4cf5b51ae5b9ad73ad343c27843 Mon Sep 17 00:00:00 2001 From: Magdalena Frankiewicz Date: Wed, 17 Dec 2025 17:19:11 +0100 Subject: [PATCH 1/4] Add note about LDAP issues affecting MR approval rules --- .../auth/ldap/ldap-troubleshooting.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md index f9566c234d0939..66357d275b9b44 100644 --- a/doc/administration/auth/ldap/ldap-troubleshooting.md +++ b/doc/administration/auth/ldap/ldap-troubleshooting.md 
@@ -392,6 +392,27 @@ adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain') # If `main` is the LDAP pr Gitlab::Auth::Ldap::Person.find_by_uid('', adapter) ``` +### Merge request approval rules + +When LDAP connectivity issues occur, users may be removed from merge request approval rules during sync operations. This can result in approval rules becoming empty and being marked as "Auto approved", which bypasses code review requirements. + +#### LDAP issues affecting approval rules + +If your LDAP server becomes temporarily unavailable or the bind account fails: + +- Users configured in LDAP-based approval rules may be removed during the next sync cycle +- Approval rules with no remaining users are marked as "Auto approved" +- Merge requests can be merged without any approvals, bypassing security controls + +To prevent this scenario: + +- Ensure your LDAP server has high availability and reliable connectivity +- Monitor LDAP sync operations for failures +- Consider using [merge request approval policies](../../../user/application_security/policies/merge_request_approval_policies/) instead of standard approval rules for critical security requirements, as they provide stronger enforcement +- For more information about approval rule behavior, see [Invalid rules](../../../user/project/merge_requests/approvals/index.md#invalid-rules) + +If users are removed from approval rules due to LDAP issues, they are not automatically re-added when LDAP connectivity is restored. You may need to manually restore approval rules or recover from a backup. + ### Group memberships {{< details >}} -- GitLab From 4335521bdf171da434859bf8875e18d475e661cb Mon Sep 17 00:00:00 2001 From: Magdalena Frankiewicz Date: Wed, 17 Dec 2025 17:25:58 +0100 Subject: [PATCH 2/4] Apply Duo review suggestions --- doc/administration/auth/ldap/ldap-troubleshooting.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md index 66357d275b9b44..8eaacbfdb7e331 100644 --- a/doc/administration/auth/ldap/ldap-troubleshooting.md +++ b/doc/administration/auth/ldap/ldap-troubleshooting.md @@ -408,8 +408,10 @@ To prevent this scenario: - Ensure your LDAP server has high availability and reliable connectivity - Monitor LDAP sync operations for failures -- Consider using [merge request approval policies](../../../user/application_security/policies/merge_request_approval_policies/) instead of standard approval rules for critical security requirements, as they provide stronger enforcement -- For more information about approval rule behavior, see [Invalid rules](../../../user/project/merge_requests/approvals/index.md#invalid-rules) +- Consider using [merge request approval policies](../../../user/application_security/policies/merge_request_approval_policies/) instead of standard approval rules for critical security requirements, + as they provide stronger enforcement +- For more information about approval rule behavior, + see [Invalid rules](../../../user/project/merge_requests/approvals/index.md#invalid-rules) If users are removed from approval rules due to LDAP issues, they are not automatically re-added when LDAP connectivity is restored. You may need to manually restore approval rules or recover from a backup. -- GitLab From bc711eac6227eecacb846ac7efa8d7987a5ca718 Mon Sep 17 00:00:00 2001 From: Magdalena Frankiewicz Date: Wed, 17 Dec 2025 17:26:32 +0100 Subject: [PATCH 3/4] Apply duo review --- doc/administration/auth/ldap/ldap-troubleshooting.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md index 8eaacbfdb7e331..bd51bc0328ad84 100644 --- a/doc/administration/auth/ldap/ldap-troubleshooting.md 
+++ b/doc/administration/auth/ldap/ldap-troubleshooting.md @@ -394,7 +394,8 @@ Gitlab::Auth::Ldap::Person.find_by_uid('', adapter) ### Merge request approval rules -When LDAP connectivity issues occur, users may be removed from merge request approval rules during sync operations. This can result in approval rules becoming empty and being marked as "Auto approved", which bypasses code review requirements. +When LDAP connectivity issues occur, users may be removed from merge request approval rules during sync operations. +This can result in approval rules becoming empty and being marked as "Auto approved", which bypasses code review requirements. #### LDAP issues affecting approval rules @@ -413,7 +414,8 @@ To prevent this scenario: - For more information about approval rule behavior, see [Invalid rules](../../../user/project/merge_requests/approvals/index.md#invalid-rules) -If users are removed from approval rules due to LDAP issues, they are not automatically re-added when LDAP connectivity is restored. You may need to manually restore approval rules or recover from a backup. +If users are removed from approval rules due to LDAP issues, they are not automatically re-added when LDAP connectivity is restored. +You may need to manually restore approval rules or recover from a backup. ### Group memberships -- GitLab From e4a4313a4c5349136a543493ba611b9b8f9a2e9c Mon Sep 17 00:00:00 2001 From: Magdalena Frankiewicz Date: Thu, 18 Dec 2025 12:08:41 +0100 Subject: [PATCH 4/4] Apply reviewer suggestions --- .../auth/ldap/ldap-troubleshooting.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md index bd51bc0328ad84..e5cc77210c3d14 100644 --- a/doc/administration/auth/ldap/ldap-troubleshooting.md +++ b/doc/administration/auth/ldap/ldap-troubleshooting.md 
@@ -394,25 +394,27 @@ Gitlab::Auth::Ldap::Person.find_by_uid('', adapter) ### Merge request approval rules -When LDAP connectivity issues occur, users may be removed from merge request approval rules during sync operations. +When LDAP connectivity issues occur, users might be removed from merge request approval rules during sync operations. This can result in approval rules becoming empty and being marked as "Auto approved", which bypasses code review requirements. -#### LDAP issues affecting approval rules +#### Approval rules fail when LDAP connectivity is lost If your LDAP server becomes temporarily unavailable or the bind account fails: -- Users configured in LDAP-based approval rules may be removed during the next sync cycle -- Approval rules with no remaining users are marked as "Auto approved" -- Merge requests can be merged without any approvals, bypassing security controls +- Users configured in LDAP-based approval rules may be removed during the next sync cycle. +- Approval rules with no remaining users are marked as "Auto approved". +- Merge requests can be merged without any approvals, bypassing security controls. To prevent this scenario: -- Ensure your LDAP server has high availability and reliable connectivity -- Monitor LDAP sync operations for failures -- Consider using [merge request approval policies](../../../user/application_security/policies/merge_request_approval_policies/) instead of standard approval rules for critical security requirements, - as they provide stronger enforcement -- For more information about approval rule behavior, - see [Invalid rules](../../../user/project/merge_requests/approvals/index.md#invalid-rules) +- Ensure your LDAP server has high availability and reliable connectivity. +- Monitor LDAP sync operations for failures. +- Use [merge request approval policies](../../../user/application_security/policies/merge_request_approval_policies.md) + instead of standard approval rules for critical security requirements. 
+ Approval policies provide stronger enforcement and don't fail to open. + +For more information about approval rule behavior, +see [Invalid rules](../../../user/project/merge_requests/approvals/_index.md#invalid-rules). If users are removed from approval rules due to LDAP issues, they are not automatically re-added when LDAP connectivity is restored. You may need to manually restore approval rules or recover from a backup. -- GitLab
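Review bot: In patch 1/4, hunk @@ -392,6 +392,27 @@, the two new links use inconsistent targets: `merge_request_approval_policies/` points at a directory with a trailing slash while `approvals/index.md#invalid-rules` points at a file, and the 4/4 hunk in this series later rewrites them to `merge_request_approval_policies.md` and `approvals/_index.md#invalid-rules`; landing on the `.md` targets here would save that churn and avoid a broken link in the interim. The intro also says users are removed "during sync operations" without naming which sync does the removal; the new section sits directly above the existing `### Group memberships` section, so naming the specific sync cycle and cross-linking that section would make the failure mode reproducible for an administrator reading a troubleshooting page.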
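Review bot: In patch 2/4, hunk @@ -408,8 +408,10 @@, the re-wrapped bullet "- For more information about approval rule behavior, see [Invalid rules](...)" is still listed under "To prevent this scenario:" although it is a cross-reference rather than a preventive action; moving it out of the list into its own paragraph after the list (as the 4/4 hunk eventually does) keeps the list to actionable steps. The continuation lines "as they provide stronger enforcement" and "see [Invalid rules](...)" must also stay indented under their list items so Markdown keeps them inside the bullet instead of starting a new paragraph; worth a render check before merging.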
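Review bot: In patch 3/4, hunk @@ -394,7 +394,8 @@, the sentence being re-wrapped still reads "users may be removed from merge request approval rules"; since "may" here expresses possibility, not permission, "might" is the clearer verb (the 4/4 hunk makes this change later; making it here avoids another round). The context heading "#### LDAP issues affecting approval rules" is a noun phrase that does not say what goes wrong; a heading that states the failure, such as "Approval rules fail when LDAP connectivity is lost", is easier to scan in a troubleshooting page.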
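Review bot: In patch 3/4, hunk @@ -413,7 +414,8 @@, the re-wrapped line "You may need to manually restore approval rules or recover from a backup." leaves the remediation ambiguous: it does not say what "manually restore" involves (re-adding the removed users to each affected rule, or something else) or whether "recover from a backup" means an instance-level restore, which is a far heavier operation than editing a rule. Since this is the only recovery guidance for a condition that lets merge requests merge without approvals, spell out the manual steps or link to the page that documents them, and present the backup restore as the fallback rather than as an equal alternative.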
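Review bot: In patch 4/4, hunk @@ -394,25 +394,27 @@, the new line "+ Approval policies provide stronger enforcement and don't fail to open." misstates the security property: "fail to open" reads as "fail at opening", while the intended point is that policies do not fail open, which is exactly what the preceding list describes for standard rules (an LDAP outage empties the rule and it is marked "Auto approved"). Rewrite it as "Approval policies provide stronger enforcement and do not fail open when LDAP is unavailable" so the contrast with the empty-rule behavior is explicit. Also, the hunk changes "may" to "might" in the intro ("users might be removed from merge request approval rules") but leaves "- Users configured in LDAP-based approval rules may be removed during the next sync cycle." unchanged; use "might" in both places.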