From 189251dc2615a051c4d4078e34be6c271f150e98 Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Sun, 29 Mar 2026 19:52:49 +0100
Subject: [PATCH] proviers/ldap: avoid concurrent header writes in API Client
 (#21223)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/ldap/search/direct/direct.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/internal/outpost/ldap/search/direct/direct.go b/internal/outpost/ldap/search/direct/direct.go
index d1189a6e4e..f426e96a1c 100644
--- a/internal/outpost/ldap/search/direct/direct.go
+++ b/internal/outpost/ldap/search/direct/direct.go
@@ -83,10 +83,6 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 
 	entries := make([]*ldap.Entry, 0)
 
-	// Create a custom client to set additional headers
-	c := api.NewAPIClient(ds.si.GetAPIClient().GetConfig())
-	c.GetConfig().AddDefaultHeader("X-authentik-outpost-ldap-query", req.Filter)
-
 	scope := req.Scope
 	needUsers, needGroups := ds.si.GetNeededObjects(scope, req.BaseDN, req.FilterObjectClass)
 
@@ -113,7 +109,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 		errs.Go(func() error {
 			if flags.CanSearch {
 				uapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_user")
-				searchReq, skip := utils.ParseFilterForUser(c.CoreAPI.CoreUsersList(uapisp.Context()).IncludeGroups(true), parsedFilter, false)
+				searchReq, skip := utils.ParseFilterForUser(ds.si.GetAPIClient().CoreAPI.CoreUsersList(uapisp.Context()).IncludeGroups(true), parsedFilter, false)
 
 				if skip {
 					req.Log().Trace("Skip backend request")
@@ -132,7 +128,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 			} else {
 				if flags.UserInfo == nil {
 					uapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_user")
-					u, _, err := c.CoreAPI.CoreUsersRetrieve(uapisp.Context(), flags.UserPk).Execute()
+					u, _, err := ds.si.GetAPIClient().CoreAPI.CoreUsersRetrieve(uapisp.Context(), flags.UserPk).Execute()
 					uapisp.Finish()
 
 					if err != nil {
@@ -155,7 +151,7 @@ func (ds *DirectSearcher) Search(req *search.Request) (ldap.ServerSearchResult,
 	if needGroups {
 		errs.Go(func() error {
 			gapisp := sentry.StartSpan(errCtx, "authentik.providers.ldap.search.api_group")
-			searchReq, skip := utils.ParseFilterForGroup(c.CoreAPI.CoreGroupsList(gapisp.Context()).IncludeUsers(true).IncludeChildren(true).IncludeParents(true), parsedFilter, false)
+			searchReq, skip := utils.ParseFilterForGroup(ds.si.GetAPIClient().CoreAPI.CoreGroupsList(gapisp.Context()).IncludeUsers(true).IncludeChildren(true).IncludeParents(true), parsedFilter, false)
 			if skip {
 				req.Log().Trace("Skip backend request")
 				return nil