Well I’d tried debug, but didn’t know how to narrow it down after that … so thanks for the additional pointer.
The relevant log message was
User <User('id:2:admin')> is bound to rhodecode auth type. Plugin allows only [u’headers’], skipping | req_id:a6b18efb-7a82-4004-aba1-fd3fe46dbd0b
Which is a little mystifying but it lead me to check the User settings, and from that I realized that Headers had become available in the Authentication Type. So changing that from Ldap to Headers enabled things to start working. So I guess you bind a user to a particular type of authentication - I wasn’t expecting that. I had presumed Headers would be an additional type of authentication, rather than being “either-or”. I’ll have to wrap my head around the ramifications of that.
So I’m good now. But I think my original comment about the the Headers config is still valid (The default Headers config within RC seems self-inconsistent / wrong). To that I would also add that given I’d disallowed anonymous access, I think allowing a null user access would seem to be asking for trouble!
Thanks for the help