Enforcing access tokens with LDAP Credentials


Got a GitLab omnibus install running with LDAP users. Users are authenticated via SAML which performs 2FA outside of GitLab.

I’d like to enforce the use of access tokens for Git over HTTPS without permitting the user to use their LDAP Credentials - the option I see in settings is only

Password authentication enabled for Git over HTTP(S)
When disabled, a Personal Access Token or LDAP password must be used to authenticate.

How do I require PAT to be used without LDAP credentials?