
Having difficulty logging into Phabricator via LDAP when multiple accounts returned for username (gerrit: Duplicate users: smccandlish)
Open, Medium · Public

Event Timeline

Krenair created this task. Jun 25 2016, 4:26 PM
Restricted Application added subscribers: Zppix, TerraCodes, Aklapper. Jun 25 2016, 4:26 PM
Paladox added a subscriber: Paladox. Edited Jun 25 2016, 4:30 PM

I know upstream have updated oauth code to support signing in anywhere but I don't think they test it with oauth 1, they test with oauth 2.

We should see in the next update to phabricator we do to see if any of the changes fix it, if not it could be either mediawiki or phabricator.

Okay... Paladox, I have no idea how that's relevant to LDAP

@Krenair since oauth is what we use for ldap. Well that's what I think, but I could be wrong so sorry if I am wrong.

If I understand correctly, OAuth is what we use for SUL login, not LDAP.

Yes, we know what's causing this issue, it's the multiple accounts returned for this username:

krenair@tools-bastion-03:~$ ldapsearch -x cn=smccandlish | grep dn
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
dn: uid=mech,ou=people,dc=wikimedia,dc=org
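
The check behind the ldapsearch output above, as an added example that is not part of the original thread or of any Wikimedia tooling: it reads LDIF and reports every value of a login attribute that matches more than one entry, which is the condition that makes the username lookup ambiguous. The function name ambiguous_logins is hypothetical, and the sample entries are constructed (only the two smccandlish/mech DNs come from the output above).

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper): report values of a login attribute
# that match more than one LDAP entry. Reads LDIF on stdin.
# Live use (assumes OpenLDAP ldapsearch):
#   ldapsearch -x -LLL -o ldif-wrap=no '(cn=*)' cn | ambiguous_logins cn

ambiguous_logins() {
  awk -v attr="${1:-cn}" '
    BEGIN   { key = tolower(attr) ":"; klen = length(key) }
    /^dn: / { dn = substr($0, 5); next }   # a new entry starts
    /^$/    { dn = ""; next }              # a blank line ends the entry
    # "attr: value" only; base64 values ("attr:: ...") are skipped
    dn != "" && tolower(substr($0, 1, klen)) == key && substr($0, klen + 1, 1) == " " {
      val = tolower(substr($0, klen + 2))  # cn and uid match case-insensitively
      if (!((val, dn) in seen)) {
        seen[val, dn] = 1
        count[val]++
        dns[val] = dns[val] " " dn
      }
    }
    END { for (v in count) if (count[v] > 1) print v ":" dns[v] }
  ' | sort
}

# Constructed sample LDIF: attribute values are assumptions; the cn of the
# second entry is mixed case on purpose to exercise case-insensitive matching.
sample_ldif() {
  cat <<'EOF'
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
uid: smccandlish
cn: smccandlish

dn: uid=mech,ou=people,dc=wikimedia,dc=org
uid: mech
cn: SMcCandlish

dn: uid=exampleuser,ou=people,dc=wikimedia,dc=org
uid: exampleuser
cn: exampleuser
EOF
}

sample_ldif | ambiguous_logins cn
```

Any line it prints is a name that a cn-based login filter cannot resolve to a single account; an empty result for the attribute used in the login filter is the state to aim for.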

@mmodell and @Krenair I'm not sure if D283 will fix the problem; if not, then this is most likely an upstream task.

Paladox triaged this task as High priority. Jun 26 2016, 9:42 PM

Setting this as high priority since this keeps recurring and may put off future editors and contributors if they keep getting errors related to not being able to log in.

I don't think it's occurring for most new users.

@Krenair should I add the upstream tag?

No, because as I wrote in D283: The data in LDAP is broken.

Aklapper renamed this task from Another user is having difficulty logging into Phabricator via LDAP to Having difficulty logging into Phabricator via LDAP when multiple accounts returned for username. Jun 28 2016, 11:30 PM
Aklapper lowered the priority of this task from High to Medium.

By the way I still can't log in with LDAP...

Uhm, true, sorry! @Jarry1250: "General code to fix" vs "specific use case to fix" so I reopened and renamed T138653 for the latter.

This is still affecting me, too (for a couple of years now). The workaround would probably be to delete the "mech" username associated with this ID, and just keep the SMcCandlish one.

@SMcCandlish This is not something that is under the control of phabricator so you'll need to get someone with LDAP admin rights to do it.

I'm really not sure how multiple usernames get associated in ldap in the first place.

SMcCandlish added a comment. Edited Sep 23 2017, 5:06 PM

Can you provide any pointers on how to go about that? I've been trying to resolve this for ages. It's not even multiple user IDs in the "SMcCandlish" or "mmodell" sense, but rather two e-mail addresses which can also be used (in theory) to login with – if I understand correctly. I think it took the "mech" part from one of my e-mail addresses, as I don't recall trying to establish that as an actual user ID on here.

@SMcCandlish sorry for the delay in responding, I'm trying to catch up here. Is the 'mech' account also you, or is that some other user? (I don't mind destroying an old account as long as we know whose account we're destroying :) )

Yes, mech is me as well. I don't use that ID on any WMF sites any longer.

Update: I can login to Phabricator by one but not both of the available methods. I can login to Wikitech, but I cannot login to Gerrit, despite the fact that https://wikitech.wikimedia.org/wiki/Gerrit says that our Wikitech login ID/PW automatically become those for Gerrit. These issues (for me, and I think for a few others) seem to date back to the timespan when the Toolserver was being retired in favor of Phabricator, and the SUL system was being deployed. In my case, I already had pre-existing accounts on various WMF sites, but not all that many, when I created my SUL account. Not sure if that relates. As far as I know, I used "SMcCandlish" on all of them (and definitely did at Wikitech and Gerrit), except I created also a "mech" account at Phabricator, out of habit of using that old-time monicker of mine on some other coding-related sites. I now also have and am using SMcCandlish at Phabricator.

I don't know if there's any relationship between my two-Phab-accounts problem (and I reconfirm that the "mech" one can just be deleted), and my Wikitech-login-fails-at-Gerrit problem. I do know a fair amount about LDAP and such, but I have no idea how things are set up on the WMF side.

Quiddity assigned this task to Andrew. Jun 5 2018, 9:18 PM
Quiddity added a subscriber: Quiddity.
Andrew added a comment. Edited Jun 6 2018, 2:23 AM

I doubt that there's any interaction between the two accounts (mech vs. smccandlish) and there's definitely no interaction between the wikitech account and the SUL account.

So that leaves us with the mystery of why it works on wikitech and not on gerrit. My first guess (which you may have tried already) is that one is case-sensitive and the other is not. Here's what your ldap record looks like:

374 uid=smccandlish,ou=people,dc=wikimedia,dc=org
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: ldapPublicKey
objectClass: shadowaccount
objectClass: posixaccount
objectClass: top
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDQ+uP5tLI71MkoDuoBggzvgUNaBWphzWnviWKgYYzeBuEI7aImq4aG1s0zkxbuZ8AxA+OYxpAAYOfNDSrl0Ps/JamTLp6+o3bfe7hJPJaoNHN5CdXgyqcpbduFmpQN6BqLsMI0PQJdkHa7Tlrl1Ot4xWChwN5vFmSWXtbSWV1NpKoj4Y82PrLMB/ZEMj9YYcIG2cGjIlNfZlZ5VFykj8vtbijAIKuwekN/UBDeXGRidbcnLjzo4xn5lVKMUfreFY65JwKUz0tHKCucp8jBr6Q1mae/90PlKYUqoTmi5Qz6KrM0rtGn173ybeC6gl9JRgZcrin9QVe3nivLZvCfvLbD mech@MacPro.local
uid: smccandlish
loginShell: /bin/bash
preferredLanguage: en
givenName: smccandlish
cn: smccandlish
sn: smccandlish
homeDirectory: /home/smccandlish
uidNumber: 2101
gidNumber: 500
displayName:; — <font face="Trebuchet MS">'''[[User:SMcCandlish|SMcCandlish]]''' &nbsp;<span style="white-space:nowrap;">[[User talk:SMcCandlish|Talk⇒]] ɖ<sup><big>⊝</big></sup>כ<sup>⊙</sup>þ </span> <small>[[Special:Contributions/SMcCandlish|Contrib.]]</small></font>
mail: smccandlish@gmail.com

In all the cases that matter, the name is registered as all-lowercase 'smccandlish'. So can you double-check that you see the same behavior with an all-lowercase username?

Tried that, and it's not working. I'm logged into wikitech as SMcCandlish and login attempts at Gerrit as smccandlish (or SMcCandlish, either way) do not work with the same password (or any other I can think of).

Gerrit says it cannot find your user when doing owner:SMcCandlish but what is strange is your account should be created if it does not exist.

Dzahn added a subscriber: Dzahn. Jun 11 2018, 11:02 AM

Hi all. I saw this ticket and checked Gerrit error logs for "candlish" and I found this which hopefully helps us to track it down further:

error_log:[2018-06-11 03:56:48,909] [HTTP-4283] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'smccandlish' failed to sign in
error_log:com.google.gerrit.server.account.AccountException: Duplicate users: smccandlish
error_log:[2018-06-11 03:57:30,507] [HTTP-4285] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'smccandlish' failed to sign in
error_log:com.google.gerrit.server.account.AccountException: Duplicate users: smccandlish
error_log:[2018-06-11 04:01:26,692] [HTTP-4281] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'smccandlish' failed to sign in
error_log:com.google.gerrit.server.account.AccountException: Duplicate users: smccandlish
Dzahn renamed this task from Having difficulty logging into Phabricator via LDAP when multiple accounts returned for username to Having difficulty logging into Phabricator via LDAP when multiple accounts returned for username (gerrit: Duplicate users: smccandlish). Jun 11 2018, 11:03 AM
Dzahn added a project: Gerrit.

I've asked upstream here https://groups.google.com/forum/#!topic/repo-discuss/7fJ3TKpUvvA how to fix duplicated users under notedb as it is not the same steps as before.

Andrew removed Andrew as the assignee of this task. Jun 11 2018, 2:01 PM

This is looking like it's outside my area of influence so I'm unassigning myself.

Dzahn added a comment. Jun 11 2018, 3:39 PM

Still looks like an LDAP issue as in T138672#4259771

If it comes down to it, I'm okay with nuking SMcCandlish, smccandlish, and mech on all three systems, so I can create a new, "clean" SMcCandlish on them (provided there's no mech on either of the other two that isn't me; I'm pretty sure the only WMF site I ever used that on, by accident, was Phab). However, I do use SUL's single account across most WMF servers, as SMcCandlish, and I don't know if that complicates things.

When searching for that user it couldn’t find them at least in the search bar.

Yes, we know what's causing this issue, it's the multiple accounts returned for this username:

krenair@tools-bastion-03:~$ ldapsearch -x cn=smccandlish | grep dn
dn: uid=smccandlish,ou=people,dc=wikimedia,dc=org
dn: uid=mech,ou=people,dc=wikimedia,dc=org

Could this be why it fails in gerrit? As it's returning multiple matches.

I can't find a smccandlish or mech user in gerrit. Is there another name I should be looking for?

Dzahn added a comment. Jun 14 2018, 5:54 PM

I think it's still an LDAP issue just like earlier in this ticket and nothing changed. The only connection to gerrit is that I saw the errors in the log which come from "com.google.gerrit.httpd.auth.ldap.LdapLoginServlet".

SMcCandlish added a comment. Edited Jun 15 2018, 2:56 AM

Re: "I can't find a smccandlish or mech user in gerrit. Is there another name I should be looking for?"

I guess there could be mixed-case SMcCandlish, or it could have used part of my wiki-related e-mail address: smccandlish+wiki.

thcipriani added a subscriber: thcipriani.

Removed T197083: Gerrit has created duplicate accounts for some users as parent. This task is similar, but we think it has different root cause.