
LDAPAuthentication does not work with 1.27.1 for users that haven't logged in before
Open, Lowest, Public

Description

Hi,
We upgraded to MediaWiki 1.27.1 yesterday. We are using LDAPAuthentication. It works for users that already had an account in MediaWiki (i.e. those who had logged in before). However, new LDAP users can't log in. The logs show that LDAP authentication works, but I believe the local MediaWiki account creation does not work.

Here is our LDAP configuration:

# LDAP authentication
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
#$wgAuth = new LdapAuthenticationPlugin();
$wgAuthManagerAutoConfig['primaryauth'] += [
        LdapPrimaryAuthenticationProvider::class => [
                'class' => LdapPrimaryAuthenticationProvider::class,
                'args' => [ [
                        'authoritative' => true, // don't allow local non-LDAP accounts
                ] ],
                'sort' => 50, // must be smaller than local pw provider
        ],
];

$wgLDAPDomainNames = array( "computecanada");
$wgLDAPServerNames = array( "computecanada" => <SERVER-HOST-REMOVED>);
$wgLDAPEncryptionType = array("computecanada" => "ssl");
$wgLDAPUseLocal = true;
$wgLDAPBaseDNs = array( "computecanada" => "dc=computecanada,dc=ca" );
$wgLDAPSearchAttributes = array("computecanada" => "uid" );
$wgLDAPAuthAttribute = array("computecanada" => "objectclass=ccPerson");

# Using LDAP groups
$wgLDAPUseLDAPGroups = array( "computecanada"=>true );
$wgLDAPGroupObjectclass = array("computecanada"=>"posixGroup");
$wgLDAPGroupAttribute = array("computecanada"=>"memberUid");
$wgLDAPGroupNameAttribute = array("computecanada"=>"cn");

# Getting LDAP preferences
$wgLDAPPreferences = array( "computecanada"=>array( "email"=>"ccPrimaryEmail","realname"=>"cn","nickname"=>"cn","language"=>"preferredLanguage") );

We initially tried with

$wgLDAPUseLocal = false;

The user was getting an error "Auto-creation of a local account failed: Automatic account creation is not allowed."

With

$wgLDAPUseLocal = true;

which was our former setting, the user now got the error message "There are problems with some of your input."

We are running https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_27-b0dba33.tar.gz

Event Timeline


Been trying to debug this one. We found out that if we add

$wgGroupPermissions['*']['autocreateaccount'] = true;

then it works for somebody who has never tried before. However, for somebody who has tried, and for whom it has failed, it still fails.
The logs show:

[authentication] Auto-creating Mboisson on login
[queries] ccwiki: SELECT /* User::idFromName 132.203.106.215 */  user_id  FROM `user`   WHERE user_name = 'Mboisson'  LIMIT 1
[authentication] MediaWiki\Auth\AuthManager::autoCreateUser: blacklisted in session p5p6efugdqasbvco026vp7f4jp176v59
[session] SessionBackend "p5p6efugdqasbvco026vp7f4jp176v59" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->beginAuthentication/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "p5p6efugdqasbvco026vp7f4jp176v59" save: dataDirty=1 metaDirty=0 forcePersist=0

This corresponds to the following piece of code

// Check the session, if we tried to create this user already there's
// no point in retrying.
$session = $this->request->getSession();
if ( $session->get( 'AuthManager::AutoCreateBlacklist' ) ) {
        $this->logger->debug( __METHOD__ . ': blacklisted in session {sessionid}', [
                'username' => $username,
                'sessionid' => $session->getId(),
        ] );
        $user->setId( 0 );
        $user->loadFromId();
        $reason = $session->get( 'AuthManager::AutoCreateBlacklist' );
        if ( $reason instanceof StatusValue ) {
                return Status::wrap( $reason );
        } else {
                return Status::newFatal( $reason );
        }
}

in ./includes/auth/AuthManager.php

Now, you would think that opening a browser in private mode might work, but for some people we tried with, it did not.
How do we get MediaWiki to forget about all of these sessions?
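The behaviour described in the comment above, that a user whose first auto-creation attempt failed keeps failing even after the `autocreateaccount` right is granted, follows from the session-scoped blacklist in the quoted `AuthManager` snippet. The following is an added illustration, not MediaWiki's code and not something the reporter posted: it models the check with an array-backed stand-in for `MediaWiki\Session\Session` (the `FakeSession` class, the `checkAutoCreatePolicy` helper and the session id are all constructed for this example; only the session key `AuthManager::AutoCreateBlacklist` and the error text come from the page) and walks through three attempts to show that a cached failure is returned without re-evaluating policy until the key is removed or the session is replaced.

```php
<?php
// Added illustration (not MediaWiki's code). The session key is the one
// the quoted AuthManager check reads; everything else is a stand-in.
const BLACKLIST_KEY = 'AuthManager::AutoCreateBlacklist';

// Array-backed session standing in for MediaWiki\Session\Session.
final class FakeSession {
    private string $id;
    private array $data = [];

    public function __construct(string $id) { $this->id = $id; }
    public function getId(): string { return $this->id; }
    public function get(string $key) { return $this->data[$key] ?? null; }
    public function set(string $key, $value): void { $this->data[$key] = $value; }
    public function remove(string $key): void { unset($this->data[$key]); }
}

// Hypothetical stand-in for the permission check behind the
// 'autocreateaccount' right. Returns null on success, else a reason.
function checkAutoCreatePolicy(bool $autoCreateAllowed): ?string {
    return $autoCreateAllowed
        ? null
        : 'Automatic account creation is not allowed.';
}

// Mirrors the control flow of the quoted snippet: a failure reason stored
// in the session short-circuits every later attempt in that same session.
function autoCreateUser(FakeSession $session, string $username, bool $autoCreateAllowed): array {
    $cached = $session->get(BLACKLIST_KEY);
    if ($cached !== null) {
        // Equivalent of "blacklisted in session <id>" in the report's log.
        return ['ok' => false, 'reason' => $cached, 'source' => 'session-blacklist'];
    }

    $reason = checkAutoCreatePolicy($autoCreateAllowed);
    if ($reason !== null) {
        // The failure is remembered for the lifetime of the session, so a
        // later configuration change alone does not unblock this session.
        $session->set(BLACKLIST_KEY, $reason);
        return ['ok' => false, 'reason' => $reason, 'source' => 'policy'];
    }

    return ['ok' => true, 'reason' => null, 'source' => 'created'];
}

// Walk-through with a constructed session id.
$session = new FakeSession('constructed-session-id');

// 1. Attempt while auto-creation is disallowed: policy failure, now cached.
$first = autoCreateUser($session, 'Mboisson', false);
// 2. The right is granted, but the same session is reused: still fails,
//    served from the cached reason rather than from policy.
$second = autoCreateUser($session, 'Mboisson', true);
// 3. Only after the key is gone (removed here; a genuinely new session
//    would have the same effect) is policy evaluated again.
$session->remove(BLACKLIST_KEY);
$third = autoCreateUser($session, 'Mboisson', true);

foreach ([$first, $second, $third] as $i => $r) {
    printf("attempt %d: ok=%s source=%s reason=%s\n",
        $i + 1, var_export($r['ok'], true), $r['source'], $r['reason'] ?? '-');
}
```

In the real code path the cached value is a `StatusValue` rather than a string (hence the `instanceof StatusValue` branch in the quoted snippet), but the point is the same: the blacklist lives in session data, so the decisive question for a user in this state is which session their browser presents, not which permissions are currently configured.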