
LDAP account that is not attached on wikitech has no means for password reset
Open, Normal, Public

Description

The user @Vacio has an LDAP account that was created 2017-07-30T14:12:02Z using Striker (https://toolsadmin.wikimedia.org/). The user is now trying to login to Striker and wikitech.wikimedia.org, but has forgotten their password. Wikitech has https://wikitech.wikimedia.org/wiki/Special:PasswordReset, but that method of password recovery will only work once an LDAP account has been attached to the local MediaWiki database. Unfortunately Striker does not automatically attach accounts to wikitech, so this LDAP account is currently unattached.


  • Figure out how to attach this LDAP account to Wikitech so that @Vacio can reset their password
  • Add password reset to Striker
  • See if there is a good way to attach new LDAP accounts to Wikitech when they are created using Striker

Event Timeline

Vacio created this task. Aug 29 2017, 5:52 PM
Restricted Application added a subscriber: Aklapper. Aug 29 2017, 5:52 PM

@Vacio Could you please elaborate on what the problem is? Did you try signing up to wikitech and did you run into an error? If so what? You can create a wikitech account at https://wikitech.wikimedia.org/w/index.php?title=Special:CreateAccount

bd808 added a subscriber: bd808.

@Vacio Wikitech uses a separate user database from the normal Wikimedia wikis. You will need to create a new account for use on wikitech. You can do this in either of two ways:

Both methods will create an LDAP account for you that can be used to login to wikitech, Gerrit, toolsadmin, and other Wikimedia websites that use LDAP authentication.

Vacio closed this task as Resolved. Edited Aug 29 2017, 6:14 PM

Okay, sorry for not being clear enough.

If I try to create an account with my Wikimedia account name (Vacio) I get the message that the username is already in use. When I try to login with the same username, I am told that it doesn't exist.

How can I fix this?

Edit: If this is the wrong place to solve this issue, please excuse me and close this ticket. (Sorry, I am new here and a bit confused).

Vacio reopened this task as Open. Aug 29 2017, 6:15 PM

@Vacio You are in the right place! If you can hop on to the #wikimedia-cloud IRC channel sometime, we can help you figure this out easier real time :)

Vacio added a comment. Aug 29 2017, 6:33 PM

I will right now, thanks a lot (:

Vacio closed this task as Resolved. Aug 29 2017, 6:33 PM
bd808 reopened this task as Open. Aug 29 2017, 7:01 PM
bd808 renamed this task from "Register to Wikitech" to "LDAP account that is not attached on wikitech has no means for password reset". Aug 29 2017, 7:11 PM
bd808 triaged this task as High priority.
bd808 updated the task description.
Framawiki removed Vacio as the assignee of this task. Aug 29 2017, 7:12 PM
Framawiki added a subscriber: Framawiki.
bd808 added a comment. Aug 29 2017, 7:16 PM

Task description has been updated to reflect debugging done over irc.

We need to:

  • Figure out how to attach this LDAP account to Wikitech so that @Vacio can reset their password
  • Add password reset to Striker
  • See if there is a good way to attach new LDAP accounts to Wikitech when they are created using Striker
Restricted Application added a project: User-bd808. Aug 29 2017, 10:33 PM
bd808 added a comment. Sep 7 2017, 8:23 PM

@Vacio, your LDAP account has been attached on Wikitech, so you should now be able to go to https://wikitech.wikimedia.org/wiki/Special:PasswordReset and request a password reset.


For posterity, here's how to attach an LDAP account to Wikitech so that the database and logs look right:

$new_user = 'cn from the LDAP record';
$new_email = 'mail from the LDAP record';

$l = LdapAuthenticationPlugin::getInstance();
$l->LDAPUsername = $new_user;
$l->email = $new_email;
$l->setDomain( $l->getDomain() );
$_SESSION['wsDomain'] = $l->getDomain();
$u = User::newFromName( $l->LDAPUsername, 'creatable' );
$u->addToDatabase();
$u->saveSettings();
$l->initUser( $u, true );
$u->addWatch( $u->getUserPage(), User::IGNORE_USER_RIGHTS );
$le = new ManualLogEntry( 'newusers', 'create' );
$le->setPerformer( $u );
$le->setTarget( $u->getUserPage() );
$le->setComment( '' );
$le->setParameters( [ '4::userid' => $u->getId() ] );
$le->publish( $le->insert() );

These commands can be pasted into a mwscript eval.php --wiki=labswiki session started from silver.

bd808 removed bd808 as the assignee of this task. Sep 7 2017, 8:32 PM
bd808 lowered the priority of this task from High to Normal.
bd808 edited projects, added Striker; removed User-bd808, cloud-services-team (Kanban).
bd808 updated the task description.

Task description updated to show remaining tasks.

Tgr added a subscriber: Tgr. Sep 7 2017, 8:50 PM
Tgr added a comment. Sep 8 2017, 10:06 PM

\MediaWiki\Auth\AuthManager::getInstance()->autoCreateUser( User::newFromName( $username ), LdapPrimaryAuthenticationProvider::class, false )

is probably a less painful way to attach a user account (assuming the LDAP account exists already but the user account doesn't).

Tgr added a comment. Sep 8 2017, 10:11 PM

As discussed on IRC, one approach is to allow Special:PasswordReset to work for users who do not have a local account, then make sure clicking on the verification link autocreates the user.
One potential complication there is that password reset requires the editmyprivateinfo right so we'd have to somehow check whether the user would have this right after being autocreated. (Or maybe just make editmyprivateinfo for anons a requirement for password reset. If you squint hard enough, that makes semantic sense.)

bd808 added a comment. Sep 8 2017, 10:32 PM

> \MediaWiki\Auth\AuthManager::getInstance()->autoCreateUser( User::newFromName( $username ), LdapPrimaryAuthenticationProvider::class, false )
>
> is probably a less painful way to attach a user account (assuming the LDAP account exists already but the user account doesn't).

That will blow up when AuthManager passes the User off to LdapPrimaryAuthenticationProvider to fill in the account details. It would probably work if you added the LDAP global state setup as a preamble:

$l = LdapAuthenticationPlugin::getInstance();
$l->LDAPUsername = $user_name;
$l->email = $user_email;
$l->setDomain( $l->getDomain() );
$_SESSION['wsDomain'] = $l->getDomain();

\MediaWiki\Auth\AuthManager::getInstance()->autoCreateUser(
    User::newFromName( $user_name ), LdapPrimaryAuthenticationProvider::class, false );

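As an added example (not the task's own code and not the maintenance script merged in change 394510), here is the same attach sequence wrapped in a MediaWiki maintenance script with the checks a one-off eval.php session skips: it rejects non-creatable names, refuses to attach an account that already has a local user id, and reports the Status returned by autoCreateUser. It assumes the LdapAuthenticationPlugin and LdapPrimaryAuthenticationProvider classes exactly as used in the comments above, and obtains AuthManager through MediaWikiServices as current MediaWiki does.

```php
<?php
// Added example, not the task's own code: maintach an existing LDAP
// account as a local wiki user with the pre-checks a manual eval.php
// session does not give you.
$IP = getenv( 'MW_INSTALL_PATH' );
if ( $IP === false ) {
	$IP = __DIR__ . '/../../..';
}
require_once "$IP/maintenance/Maintenance.php";
use MediaWiki\MediaWikiServices;

class AttachLdapAccount extends Maintenance {
	public function __construct() {
		parent::__construct();
		$this->addDescription( 'Attach an existing LDAP account to the local user table' );
		$this->addOption( 'user', 'cn from the LDAP record', true, true );
		$this->addOption( 'email', 'mail from the LDAP record', true, true );
	}

	public function execute() {
		$name = $this->getOption( 'user' );
		$email = $this->getOption( 'email' );
		// Refuse malformed names before touching LDAP state or the database.
		$user = User::newFromName( $name, 'creatable' );
		if ( !$user ) {
			$this->fatalError( "'$name' is not a creatable username." );
		}
		// An already attached account must not be created twice; that would
		// leave a duplicate newusers log entry and confuse the audit trail.
		if ( $user->getId() !== 0 ) {
			$this->output( "User '$name' is already attached (id {$user->getId()}).\n" );
			return;
		}
		// Global LDAP state that LdapPrimaryAuthenticationProvider expects to
		// find when AuthManager hands it the new User (bd808's preamble above).
		$l = LdapAuthenticationPlugin::getInstance();
		$l->LDAPUsername = $name;
		$l->email = $email;
		$l->setDomain( $l->getDomain() );
		$_SESSION['wsDomain'] = $l->getDomain();
		$status = MediaWikiServices::getInstance()->getAuthManager()->autoCreateUser(
			$user, LdapPrimaryAuthenticationProvider::class, false );
		if ( !$status->isGood() ) {
			$this->fatalError( 'Attach failed: ' . $status->getWikiText() );
		}
		$this->output( "Attached '$name' as local user id {$user->getId()}.\n" );
	}
}

$maintClass = AttachLdapAccount::class;
require_once RUN_MAINTENANCE_IF_MAIN;
```
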
Change 394510 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/extensions/OpenStackManager@master] Add maintenance script for attaching existing LDAP accounts

https://gerrit.wikimedia.org/r/394510

Change 394510 merged by jenkins-bot:
[mediawiki/extensions/OpenStackManager@master] Add maintenance script for attaching existing LDAP accounts

https://gerrit.wikimedia.org/r/394510

Vacio added a comment. Mar 10 2018, 1:12 PM
This comment was removed by Vacio.
Vacio closed this task as Resolved. Mar 10 2018, 1:13 PM
Vacio claimed this task.

@bd808 thanks, that worked :)

bd808 reopened this task as Open. Mar 10 2018, 5:38 PM
bd808 removed Vacio as the assignee of this task.
bd808 removed a project: Patch-For-Review.

Re-opening to document the need to add password reset to Striker and try to find a way of attaching accounts on Wikitech when created directly in LDAP (lower priority).

A user has appeared in #wikimedia-dev asking about the account which turns out to be uid=siyam-_-,ou=people,dc=wikimedia,dc=org, cn: MD Abu Siyam. They've forgotten the password but can't reset because wikitech thinks it doesn't exist: https://wikitech.wikimedia.org/wiki/Special:Contributions/MD_Abu_Siyam
@bd808 please can you attach it?

bd808 added a comment. Nov 5 2018, 7:18 PM

> A user has appeared in #wikimedia-dev asking about the account which turns out to be uid=siyam-_-,ou=people,dc=wikimedia,dc=org, cn: MD Abu Siyam. They've forgotten the password but can't reset because wikitech thinks it doesn't exist: https://wikitech.wikimedia.org/wiki/Special:Contributions/MD_Abu_Siyam
> @bd808 please can you attach it?

{{done}} https://wikitech.wikimedia.org/wiki/Special:Log/MD_Abu_Siyam