Seems to be the same issue as T126890: Cant login to gerrit / phabricator

I know upstream have updated oauth code to support signing in anywhere but I doint think they test it with oauth 1, they test with oauth 2.

We should see in the next update to phabricator we do to see if any of the changes fix it, if not it could be either mediawiki or phabricator.

Okay... Paladox, I have no idea how that's relevant to LDAP

@Krenair since oauth is what we use for ldap. Well that's what I think, but I could be wrong so sorry if I am wrong.

If I understand correctly, OAuth is what we use for SUL login, not LDAP.

Oh, sorry.

Done in https://github.com/wikimedia/phabricator-libphutil/blob/1390fd2e8fdde68504cd604297d23658153677d2/src/auth/PhutilLDAPAuthAdapter.php#L386

@mmodell I'm wondering if we remove this https://github.com/wikimedia/phabricator-libphutil/blob/1390fd2e8fdde68504cd604297d23658153677d2/src/auth/PhutilLDAPAuthAdapter.php#L383 part would it cause more problems or will it work.

Yes, we know what's causing this issue, it's the multiple accounts returned for this username:

krenair@tools-bastion-03:~$ ldapsearch -x cn=smccandlish | grep dn
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
dn: uid=mech,ou=people,dc=wikimedia,dc=org

@mmodell and @Krenair I'm not sure if D283 will fix the problem if not, then this is most likely an upstream task.

@Krenair should I add the upstream tag.

In T138672#2408614, @Paladox wrote:

Setting this as high priority since this keep recurring and may put of future editors and contributors if they keep getting error's related to not being able to log in.

I don't think it's occurring for most new users.

In T138672#2408616, @Paladox wrote:

@Krenair should I add the upstream tag.

No, because as I wrote in D283: The data in LDAP is broken.

By the way I still can't log in with LDAP...

Uhm, true, sorry! @Jarry1250: "General code to fix" vs "specific use case to fix" so I reopened and renamed T138653 for the latter.

This is still affecting me, too (for a couple of years now). The workaround would probably be to delete the "mech" username associated with this ID, and just keep the SMcCandlish one.

@SMcCandlish This is not something that is under the control of phabricator so you'll need to get someone with LDAP admin rights to do it.

I'm really not sure how multiple usernames get associated in ldap in the first place.

Can you provide any pointers on how to go about that? I've been trying to resolve this for ages. It's not even multiple user IDs in the "SMcCandlish" or "mmodell" sense, but rather two e-mail addresses which can also be used (in theory) to login with – if I understand correctly. I think it took the "mech" part from one of my e-mail addresses, as I don't recall trying to establish that as an actual user ID on here.

@SMcCandlish sorry for the delay in responding, I'm trying to catch up here. Is the 'mech' account also you, or is that some other user? (I don't mind destroying an old account as long as we know whose account we're destroying :) )

Yes, mech is me as well. I don't use that ID on any WMF sites any longer.

Update: I can login to Phabricator by one but not both of the available methods. I can login to Wikitech, but I cannot login to Gerrit, despite the fact that https://wikitech.wikimedia.org/wiki/Gerrit says that our Wikitech login ID/PW automatically become those for Gerrit. These issues (for me, and I think for a few others) seem to date back to the timespan when the Toolserver was being retired in favor of Phabricator, and the SUL system was being deployed. In my case, I already has pre-existing accounts on various WMF sites, but not all that many, when I created my SUL account. Not sure if that relates. As far as I know, I used "SMcCandlish" on all of them (and definitely did at Wikitech and Gerrit), except I created also a "mech" account at Phabricator, out of habit of using that old-time monicker of mine on some other coding-related sites. I now also have and am using SMcCandlish at Phabricator.

I don't know if there's any relationship between my two-Phab-accounts problem (and I reconfirm that the "mech" one can just be deleted), and my Wikitech-login-fails-at-Gerrit problem. I do know a fair amount about LDAP and such, but I have no idea how things are setup on the WMF side.

I doubt that there's any interaction between the two accounts (mech vs. smccandlish) and there's definitely no interaction between the wikitech account and the SUL account.

So that leaves us with the mystery of why it works on wikitech and not on gerrit. My first guess (which you may have tried already) is that one is case-sensitive and the other is not. Here's what your ldap record looks like:

374 uid=smccandlish,ou=people,dc=wikimedia,dc=org
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: ldapPublicKey
objectClass: shadowaccount
objectClass: posixaccount
objectClass: top
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQ+uP5tLI71MkoDuoBggzvgUNaBWphzWnviWKgYYzeBuEI7aImq4aG1s0zkxbuZ8AxA+OYxpAAYOfNDSrl0Ps/JamTLp6+o3bfe7hJPJaoNHN5CdXgyqcpbduFmpQN6BqLsMI0PQJdkHa7Tlrl1Ot4xWChwN5vFmSWXtbSWV1NpKoj4Y82PrLMB/ZEMj9YYcIG2cGjIlNfZlZ5VFykj8vtbijAIKuwekN/UBDeXGRidbcnLjzo4xn5lVKMUfreFY65JwKUz0tHKCucp8jBr6Q1mae/90PlKYUqoTmi5Qz6KrM0rtGn173ybeC6gl9JRgZcrin9QVe3nivLZvCfvLbD mech@MacPro.local
uid: smccandlish
loginShell: /bin/bash
preferredLanguage: en
givenName: smccandlish
cn: smccandlish
sn: smccandlish
homeDirectory: /home/smccandlish
uidNumber: 2101
gidNumber: 500
displayName:; — <font face="Trebuchet MS">'''[[User:SMcCandlish|SMcCandlish]]''' &nbsp;<span style="white-space:nowrap;">[[User talk:SMcCandlish|Talk⇒]] ɖ<sup><big>⊝</big></sup>כ<sup>⊙</sup>þ </span> <small>[[Special:Contributions/SMcCandlish|Contrib.]]</small></font>
mail: smccandlish@gmail.com

In all the cases that matter, the name is registered as all-lowercase 'smccandlish'. So can you double-check that you see the same behavior with an all-lowercase username?

Tried that, and it's not working. I'm logged into wikitech as SMcCandlish and login attempts at Gerrit as smccandlish (or SMcCandlish, either way) do not work with the same password (or any other I can think of).

Gerrit says it cannot find your user when doing owner:SMcCandlish but what is strange is your account should be created if it does not exist.

Hi all. I saw this ticket and checked Gerrit error logs for "candlish" and i found this which hopefully helps us to track it down further:

error_log:[2018-06-11 03:56:48,909] [HTTP-4283] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'smccandlish' failed to sign in
error_log:com.google.gerrit.server.account.AccountException: Duplicate users: smccandlish
error_log:[2018-06-11 03:57:30,507] [HTTP-4285] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'smccandlish' failed to sign in
error_log:com.google.gerrit.server.account.AccountException: Duplicate users: smccandlish
error_log:[2018-06-11 04:01:26,692] [HTTP-4281] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'smccandlish' failed to sign in
error_log:com.google.gerrit.server.account.AccountException: Duplicate users: smccandlish

I've asked upstream here https://groups.google.com/forum/#!topic/repo-discuss/7fJ3TKpUvvA how to fix duplicated users under notedb as it is not the same steps as before.

Still looks like an LDAP issue as in T138672#4259771

If it comes down to it, I'm okay with nuking SMcCandlish, smccandlish, and mech on all three systems, so I can create a new, "clean" SMcCandlish on them (provides there's no mech on either of the other two that isn't me; I'm pretty sure the only WMF site I ever used that on, by accident, was Phab). However, I do use SUL's single account across most WMF servers, as SMcCandlish, and I don't know if that complicates things.

This might be the Gerrit duplicate user issue: T197083

When searching for that user it couldn’t find them at least in the search bar.

In T138672#2408607, @Krenair wrote:

Yes, we know what's causing this issue, it's the multiple accounts returned for this username:

krenair@tools-bastion-03:~$ ldapsearch -x cn=smccandlish | grep dn
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
dn: uid=mech,ou=people,dc=wikimedia,dc=org

Could this be why it fails in gerrit? As it's returning mutiple matches.

I can't find a smccandlish or mech user in gerrit. Is there another name I should be looking for?

I think it's still an LDAP issue just like earlier in this ticket and nothing changed. The only connection to gerrit is that i saw the errors in the log which come from "com.google.gerrit.httpd.auth.ldap.LdapLoginServlet".

Re: "I can't find a smccandlish or mech user in gerrit. Is there another name I should be looking for?"

I guess there could be mixed-case SMcCandlish, or it could have used part of my wiki-related e-mail address: smccandlish+wiki.

Removed T197083: Gerrit has created duplicate accounts for some users as parent. This task is similar, but we think it has different root cause.

The whole summary is:

Gerrit uses the LDAP cn fields for the account:

[ldap]
    # Search LDAP using cn
    accountPattern = (&(objectClass=person)(cn=${username})(!(pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org)))

    # We use the cn for the user full name which is what is displayed in the interface
    accountFullName = cn

    # The login is converted to lower case
    localUsernameToLowerCase = true

We do the conversion to lower case due to T152640. So one can login in Gerrit with either smccandlish or Smccandlish or SMcCandlish, it does not matter that is converted to lower case.

And as pointed above ( T138672#2408607 ) there are two accounts matching:

$ ldapsearch -x -LL 'cn=smccandlish' cn uid
version: 1

dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
uid: smccandlish
cn: smccandlish

dn: uid=mech,ou=people,dc=wikimedia,dc=org
uid: mech
cn: Smccandlish

Cause I guess our LDAP is case insensitive as well?

Anyway Gerrit explicitly reject duplicates:

    LdapQuery.Result findAccount(
...
      for (LdapQuery accountQuery : accountQueryList) {
        List<LdapQuery.Result> res = accountQuery.query(ctx, params);
        if (res.size() == 1) {
          return res.get(0);
        } else if (res.size() > 1) {
          throw new AccountException("Duplicate users: " + username);  // <-------------- here
        }
      }

Since Gerrit filters out users that have pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org, I guess we can disable the second account:

dn: uid=mech,ou=people,dc=wikimedia,dc=org
uid: mech
cn: Smccandlish
uidNumber: 2758

And that would make it work.

In T138672#6806956, @hashar wrote:

And as pointed above ( T138672#2408607 ) there are two accounts matching:

$ ldapsearch -x -LL 'cn=smccandlish' cn uid
version: 1

dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
uid: smccandlish
cn: smccandlish

dn: uid=mech,ou=people,dc=wikimedia,dc=org
uid: mech
cn: Smccandlish

Cause I guess our LDAP is case insensitive as well?

Yes, most LDAP lookups are case-insensitive by default. Case-sensitive lookups can be done by adding :caseExactMatch: into the selector:

$ ldap cn:caseExactMatch:=smccandlish cn
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
cn: smccandlish

$ ldap cn:caseExactMatch:=Smccandlish cn
dn: uid=mech,ou=people,dc=wikimedia,dc=org
cn: Smccandlish

Since Gerrit filters out users that have pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org, I guess we can disable the second account:

dn: uid=mech,ou=people,dc=wikimedia,dc=org
uid: mech
cn: Smccandlish
uidNumber: 2758

The "second account" (uid=mech) is the one that is actually attached to Wikitech as https://wikitech.wikimedia.org/wiki/User:Smccandlish. The uid=smccandlish account is not attached on Wikitech, and thus the one that we should get rid of somehow.

Thank you @bd808 and extra kudos for keeping the proper account.

@SMcCandlish that should work. I am not sure why it never got noticed before, but I guess better late than never!