
Cannot create account on Wikitech wiki
Closed, Resolved · Public

Description

I attempted to create an account on Wikitech wiki today. It failed on each of 5 attempts, each time giving the error "The authentication plugin denied the account creation." I ensured that my shell username was valid (all lowercase). On each try I had to retype my password so if that were the issue I would have got it right on one of the tries. Moreover no accounts have been created on the wiki since 13 July.

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jul 16 2017, 7:59 PM

I suppose that it's a problem from the security that was added for T168142: Cleanup phabricator.wikimedia.org uploaded files, WP zero abuse.
@Aklapper I can't find the related patch, the one that blocks account creation on wikitech for WP zero users. Did I dream it?

Framawiki triaged this task as High priority. · Jul 16 2017, 10:37 PM

I have the same error, "The authentication plugin denied the account creation.", if I try to create a new account. I'm not in a WP zero IP range.
So the registration on Wikitech is broken.

bd808 added a subscriber: bd808.

Nothing is logged at normal logging levels when the account creation is denied. I can create new accounts from mediawiki.org so this seems to be isolated to wikitech.

bd808 claimed this task. · Jul 16 2017, 11:06 PM
bd808 edited projects, added LDAP; removed MediaWiki-Authentication-and-authorization.

Account creation works on https://labtestwikitech.wikimedia.org/ which is running the same MediaWiki version, so this almost has to be config related.

While testing for account creation via https://toolsadmin.wikimedia.org/ I think I spotted the problem:

2017-07-16T22:58:06Z [4f11bef8c819458c96134434cc142874] striker.labsauth.utils WARNING: Id range limit exceded for uid_number. Soft limit 49999; next 53438
2017-07-16T22:58:07Z [4f11bef8c819458c96134434cc142874] striker.labsauth.utils WARNING: Id range limit exceded for uid_number. Soft limit 49999; next 53438

We have an LDAP id that is throwing things off. Actually there are two that are above the expected limits: 53436 and 53437. These are both in the range that we use for tool accounts in Toolforge rather than the range that we use for normal shell users. I caused this problem when working on T158968: 'prometheus' service user vs. actual human account 'prometheus'. The fix needed is to put these uidNumbers back into the proper range and possibly to clear memcached counter values on wikitech.

Restricted Application added a project: User-bd808. · Jul 16 2017, 11:06 PM
bd808 added a comment. · Jul 17 2017, 3:29 PM

Fixed the numeric uid values that were placed in the wrong range:

T170774-fix-uid.ldif
dn: uid=jberkley,ou=people,dc=wikimedia,dc=org
changetype: modify
replace: uidNumber
uidNumber: 17517

dn: uid=stjn,ou=people,dc=wikimedia,dc=org
changetype: modify
replace: uidNumber
uidNumber: 17518

Indeed, thank you!
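
An added example, not part of the original thread and not Striker's or Wikitech's own code: a check over an LDIF export that flags uidNumber values above the soft limit quoted in the log lines above and shows how two stray entries move the next allocated id. It assumes the allocator hands out the highest existing uidNumber plus one (inferred from "next 53438" in the warning); the sample entries, names `parse_uid_numbers` and `audit`, and the `example.org` DNs are constructed.

```python
import re

SOFT_LIMIT = 49999  # soft limit quoted in the striker warning on this page

# Constructed sample export: DNs and in-range numbers are made up; the two
# high values mirror the out-of-range ids named in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uidNumber: 17515

dn: uid=bob,ou=people,dc=example,dc=org
uidNumber: 17516

dn: uid=carol,ou=people,dc=example,dc=org
uidNumber: 53436

dn: uid=dave,ou=people,dc=example,dc=org
uidNumber: 53437
"""

def parse_uid_numbers(ldif_text):
    """Return {dn: uidNumber}; folded lines and base64 values are not handled."""
    entries = {}
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs[key.lower()] = value.strip()
        if "dn" in attrs and "uidnumber" in attrs:
            entries[attrs["dn"]] = int(attrs["uidnumber"])
    return entries

def audit(entries, soft_limit=SOFT_LIMIT):
    """Flag ids above the soft limit and show their effect on allocation."""
    outliers = {dn: n for dn, n in entries.items() if n > soft_limit}
    in_range = [n for n in entries.values() if n <= soft_limit]
    # Assumption: the allocator hands out highest-existing + 1.
    naive_next = max(entries.values()) + 1
    return {
        "outliers": outliers,
        "naive_next": naive_next,
        "exceeds_soft_limit": naive_next > soft_limit,
        "next_in_range": max(in_range) + 1 if in_range else None,
    }

if __name__ == "__main__":
    print(audit(parse_uid_numbers(SAMPLE_LDIF)))
```

Run periodically against a directory export, a non-empty `outliers` map is an early signal that an id was written into the wrong range before account creation starts failing.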