I attempted to create an account on Wikitech wiki today. It failed on each of 5 attempts, each time giving the error "The authentication plugin denied the account creation." I ensured that my shell username was valid (all lowercase). On each try I had to retype my password so if that were the issue I would have got it right on one of the tries. Moreover no accounts have been created on the wiki since 13 July.
I suppose that it's a problem from the security that was added for T168142: Cleanup phabricator.wikimedia.org uploaded files, WP zero abuse.
@Aklapper I can't find the related patch, the one that block account creation on wikitech for WP zero users. I dreamed ?
Account creation works on https://labtestwikitech.wikimedia.org/ which is running the same MediaWiki version, so this almost has to be config related.
While testing for account creation via https://toolsadmin.wikimedia.org/ I think I spotted the problem:
2017-07-16T22:58:06Z [4f11bef8c819458c96134434cc142874] striker.labsauth.utils WARNING: Id range limit exceded for uid_number. Soft limit 49999; next 53438 2017-07-16T22:58:07Z [4f11bef8c819458c96134434cc142874] striker.labsauth.utils WARNING: Id range limit exceded for uid_number. Soft limit 49999; next 53438
We have an LDAP id that is throwing things off. Actually there are two that are above the expected limits: 53436 and 53437. These are both in the range that we we use for tool accounts in Toolforge rather than the range that we use for normal shell users. I caused this problem when working on T158968: 'prometheus' service user vs. actual human account 'prometheus'. The fix needed is to put these uidNumbers back into the proper range and possibly to clear memcached counter values on wikitech.
Fixed the numeric uid values that were placed in the wrong range:
dn: uid=jberkley,ou=people,dc=wikimedia,dc=org changetype: modify replace: uidNumber uidNumber: 17517 dn: uid=stjn,ou=people,dc=wikimedia,dc=org changetype: modify replace: uidNumber uidNumber: 17518