diff --git a/lib/api/session.rb b/lib/api/session.rb
index 509acded51e..cc646895914 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -3,18 +3,19 @@ module API
   class Session < Grape::API
     # Login to get token
     #
+    # Parameters:
+    #   login (*required) - user login
+    #   email (*required) - user email
+    #   password (required) - user password
+    #
     # Example Request:
     #   POST /session
     post "/session" do
-      resource = User.find_for_database_authentication(email: params[:email])
+      auth = Gitlab::Auth.new
+      user = auth.find(params[:email] || params[:login], params[:password])
 
-      return unauthorized! unless resource
-
-      if resource.valid_password?(params[:password])
-        present resource, with: Entities::UserLogin
-      else
-        unauthorized!
-      end
+      return unauthorized! unless user
+      present user, with: Entities::UserLogin
     end
   end
 end
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index beb4fcf0570..de70c5ce780 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -1,5 +1,18 @@
 module Gitlab
   class Auth
+    def find(login, password)
+      user = User.find_by_email(login) || User.find_by_username(login)
+
+      if user.nil? || user.ldap_user?
+        # Second chance - try LDAP authentication
+        return nil unless ldap_conf.enabled
+
+        ldap_auth(login, password)
+      else
+        user if user.valid_password?(password)
+      end
+    end
+
     def find_for_ldap_auth(auth, signed_in_resource = nil)
       uid = auth.info.uid
       provider = auth.provider
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index e7217c7c7e6..a4f98ecd350 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
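Review bot: The new parameter block marks both `login` and `email` as `(*required)`, but the handler accepts either one (`params[:email] || params[:login]`), so the doc reads as if two identifiers must be sent; suggest replacing the two asterisked lines with `#   login or email (required) - user login or email` and noting that `email` takes precedence when both are present. Separately, nothing in this hunk checks the account's state before a token is presented: `Gitlab::Auth#find` returns a user on a valid local password or LDAP bind, and the replaced lookup did not check state either, so if blocked accounts must be refused a token, confirm that `find` enforces it or add a guard next to `return unauthorized! unless user` using whatever account-state predicate the User model provides. The `post "/session"` block is fully visible; the class and module continue outside the hunk only as closing `end`s.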
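Review bot: `find` has no documentation although both callers in this commit (the API session endpoint and grack) now route every password authentication through it; suggest a comment above `def find` such as `# Authenticate by email or username. Returns the User on a valid local password or LDAP bind, nil otherwise; unknown logins and LDAP users are only tried against LDAP.`. A nil `login` (the API caller passes `params[:email] || params[:login]`, which can be nil) flows into `find_by_email(nil)` and then, when `ldap_conf.enabled` is true, into `ldap_auth(nil, password)`; an early `return nil if login.blank? || password.blank?` would keep empty credentials from reaching either store. `ldap_conf` and `ldap_auth` are defined outside the hunk, so their handling of nil cannot be confirmed here.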
@@ -64,19 +64,8 @@ module Grack
     end
 
     def authenticate_user(login, password)
-      user = User.find_by_email(login) || User.find_by_username(login)
-
-      # If the provided login was not a known email or username
-      # then user is nil
-      if user.nil? || user.ldap_user?
-        # Second chance - try LDAP authentication
-        return nil unless ldap_conf.enabled
-
-        auth = Gitlab::Auth.new
-        auth.ldap_auth(login, password)
-      else
-        return user if user.valid_password?(password)
-      end
+      auth = Gitlab::Auth.new
+      auth.find(login, password)
     end
 
     def authorize_request(service)
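Review bot: The `auth` local in `authenticate_user` is used exactly once, so the body can be the single expression `Gitlab::Auth.new.find(login, password)`; the same throwaway local appears in the `post "/session"` block of `lib/api/session.rb`. The removed lines carried the comment `# If the provided login was not a known email or username then user is nil`, which explained why the LDAP fallback is attempted; that explanation now exists in neither this file nor `Gitlab::Auth#find`, so consider carrying it over as a comment on `find`. `authenticate_user` is fully visible; the enclosing class and `authorize_request` extend beyond the hunk.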