From b3e7a01f104ff2eb4c8b59a9f0f972a979484a1b Mon Sep 17 00:00:00 2001
From: Marcus Pamelia
Date: Thu, 16 Apr 2026 13:58:08 +0200
Subject: [PATCH] sources/ldap: catch Google LDAP rate-limit errors during schema fetch (#21638)
When connecting to Google Secure LDAP, the ldap3 library fetches schema info during bind() with get_info=ALL. Google rate-limits these schema queries, raising LDAPAdminLimitExceededResult, and also returns unsupported attributes, raising LDAPAttributeError. The existing fallback logic retries with get_info=NONE but only catches LDAPSchemaError and LDAPInsufficientAccessRightsResult. Add the two missing exception types so the fallback works for Google Secure LDAP. Fixes sync failures when using Google Secure LDAP as a federation source, where every sync page task opens a new connection and the concurrent schema fetches exhaust Google's rate budget.
---
 authentik/sources/ldap/models.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/authentik/sources/ldap/models.py b/authentik/sources/ldap/models.py
index f7fe889a97..05492a363a 100644
--- a/authentik/sources/ldap/models.py
+++ b/authentik/sources/ldap/models.py
@@ -12,7 +12,13 @@ from django.db import connection, models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
-from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
+from ldap3.core.exceptions import (
+ LDAPAdminLimitExceededResult,
+ LDAPAttributeError,
+ LDAPException,
+ LDAPInsufficientAccessRightsResult,
+ LDAPSchemaError,
+)
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
@@ -278,10 +284,17 @@ class LDAPSource(IncomingSyncSource):
 successful = conn.bind()
 if successful:
 return conn
- except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
- # Schema error, so try connecting without schema info
+ except (
+ LDAPSchemaError,
+ LDAPInsufficientAccessRightsResult,
+ LDAPAdminLimitExceededResult,
+ LDAPAttributeError,
+ ) as exc:
+ # Schema error or rate limit during schema fetch, retry without schema info
 # See https://github.com/goauthentik/authentik/issues/4590
 # See also https://github.com/goauthentik/authentik/issues/3399
+ # LDAPAdminLimitExceededResult: Google Secure LDAP rate-limits schema queries
+ # LDAPAttributeError: Google Secure LDAP returns unsupported attrs in schema
 if server_kwargs.get("get_info", ALL) == NONE:
 LOGGER.warning("Failed to connect after schema downgrade", source=self, exc=exc)
 raise exc
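Review bot: The widened `except` retries immediately when the server answers with `LDAPAdminLimitExceededResult`, so a source that is being throttled still attempts the `get_info=ALL` bind on every new connection and then binds a second time; that appears to add load on the rate-limited directory rather than remove it. Remembering the downgrade per source, so later connections start with `get_info=NONE`, would address the cause the commit message describes. The downgrade should also be visible to operators, for example `LOGGER.info("Retrying LDAP bind without schema info", source=self, exc_type=type(exc).__name__)` just before the retry, since throttling and a malformed schema call for different responses. The `try` block and the retry call sit outside this hunk, so an existing log line there cannot be ruled out.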