username case mismatch in keystone totp plugin
Open, Normal, Public

Description

I've seen this for exactly one user. When coren tries to log in, keystone throws an exception:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 239, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 377, in authenticate_for_token
    self.authenticate(context, auth_info, auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/controllers.py", line 502, in authenticate
    auth_context)
  File "/usr/lib/python2.7/dist-packages/keystone/auth/plugins/wmtotp.py", line 91, in authenticate
    secret = cur.fetchone()[0]
TypeError: 'NoneType' object has no attribute '__getitem__'

From adding some debug lines, it looks like it is selecting for username 'coren' (no hits) rather than for user 'Coren' (which gets the one expected hit.)

Can we make that mysql selection case-insensitive, or otherwise figure out why it's playing fast-and-loose with the initial capital letter?
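
One way to make the lookup described above tolerant of case while failing closed, as an added example (not the wmtotp plugin's code). It assumes a hypothetical table `totp(user_name, secret)` with constructed rows, and uses an in-memory sqlite3 database as a stand-in for MySQL:

```python
import sqlite3

def make_db(rows):
    # Constructed schema: table and column names are assumptions for this
    # example, not the plugin's real MySQL schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE totp (user_name TEXT, secret TEXT)")
    db.executemany("INSERT INTO totp VALUES (?, ?)", rows)
    return db

def lookup_secret_naive(db, username):
    # Same shape as the failing line in the traceback: fetchone() returns
    # None when no row matches, so indexing it raises TypeError.
    cur = db.execute("SELECT secret FROM totp WHERE user_name = ?", (username,))
    return cur.fetchone()[0]

def lookup_secret(db, username):
    """Return the secret for username, or None when there is no single match."""
    # 1. Prefer an exact (case-sensitive) match.
    cur = db.execute("SELECT secret FROM totp WHERE user_name = ?", (username,))
    row = cur.fetchone()
    if row is not None:
        return row[0]
    # 2. Fall back to a case-insensitive match, but accept it only when it
    #    is unique: 'Coren' and 'coren' could be two different accounts, and
    #    picking one of them would check the token against the wrong secret.
    cur = db.execute(
        "SELECT secret FROM totp WHERE user_name = ? COLLATE NOCASE LIMIT 2",
        (username,))
    rows = cur.fetchall()
    if len(rows) == 1:
        return rows[0][0]
    # 3. No hit, or an ambiguous hit: the caller should reject the login
    #    rather than let an exception escape.
    return None

if __name__ == "__main__":
    db = make_db([("Coren", "CONSTRUCTED-SECRET-A"),
                  ("Andrew Bogott", "CONSTRUCTED-SECRET-B")])
    print(lookup_secret(db, "coren"))
    print(lookup_secret(db, "nobody"))
```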

Event Timeline

Andrew created this task. Apr 12 2016, 3:23 PM
Restricted Application added a subscriber: Aklapper. Apr 12 2016, 3:23 PM
coren added a subscriber: coren. Apr 12 2016, 3:25 PM

That's pretty odd. The name comes from LDAP-- we do the initial lookup there when we bind with the admin user initially, then use the LDAP username in the DB query.

So possibly there's a difference in case between MediaWiki and LDAP for Coren?

From ldap:

dn: uid=marc,ou=people,dc=wikimedia,dc=org
displayName: Marc A. Pelletier
uid: marc
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: ldappublickey
objectClass: novauser
objectClass: shadowaccount
objectClass: posixaccount
objectClass: top
loginShell: /bin/bash
uidNumber: 2138
gidNumber: 500
sn: coren
homeDirectory: /home/marc
mail: marc@uberbox.org
isNovaAdmin: FALSE
cn: coren

from mysql/silver:

+---------+-----------+-------------------------+
| user_id | user_name | user_real_name          |
+---------+-----------+-------------------------+
|      82 | Coren     | Marc-André Pelletier    |
+---------+-----------+-------------------------+

For comparison, I look like this:

dn: uid=andrew,ou=people,dc=wikimedia,dc=org
uid: andrew
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ldapPublicKey
objectClass: novauser
objectClass: shadowaccount
objectClass: posixaccount
objectClass: top
loginShell: /bin/bash
uidNumber: 2093
gidNumber: 500
sn: andrew
homeDirectory: /home/andrew
mail: andrewbogott@gmail.com
givenName: andrew
isNovaAdmin: FALSE
cn: Andrew Bogott

+---------+---------------+----------------+
| user_id | user_name     | user_real_name |
+---------+---------------+----------------+
|      33 | Andrew Bogott | Andrew Bogott  |
+---------+---------------+----------------+

@coren was your LDAP account imported from SVN?

@Krenair I believe it was, yes.

Did you ever commit using SVN? I couldn't find you in mediawikiwiki.code_authors

chasemp triaged this task as Normal priority. May 31 2016, 3:27 PM

It's possible that this was an incidence of https://phabricator.wikimedia.org/T131630 -- coren, care to try again?

@coren: Is this still an issue (as per last comment)?

Aklapper removed csteipp as the assignee of this task. Dec 9 2017, 1:47 PM
Aklapper added a subscriber: csteipp.

No reply by @coren - should we close this task as an incidence of resolved T131630?