
createAndPromote.php fails to create LDAP record for new account
Closed, Resolved (Public)


I ran into this while working on the MediaWiki-Vagrant role for Striker. On a wiki with LdapAuthentication enabled as the primary AuthManager plugin, I am able to create new user accounts via Special:CreateAccount as expected. Both a local wiki user and a backing LDAP record are created. However, when using the createAndPromote.php maintenance script, only the local wiki user is created and the following error is logged to the console:

[fe7d1fcb9451add90be5b053] [no req]   ErrorPageError from line 393 of /srv/mediawiki/php-1.33.0-wmf.9/extensions/LdapAuthentication/LdapPrimaryAuthenticationProvider.php: The authentication plugin denied the password change.
#0 /srv/mediawiki/php-1.33.0-wmf.9/includes/auth/AuthManager.php(2441): LdapPrimaryAuthenticationProvider->providerChangeAuthenticationData(MediaWiki\Auth\PasswordAuthenticationRequest)
#1 /srv/mediawiki/php-1.33.0-wmf.9/includes/auth/AuthManager.php(900): MediaWiki\Auth\AuthManager->callMethodOnProviders(integer, string, array)
#2 /srv/mediawiki/php-1.33.0-wmf.9/includes/user/User.php(2989): MediaWiki\Auth\AuthManager->changeAuthenticationData(MediaWiki\Auth\PasswordAuthenticationRequest)
#3 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/createAndPromote.php(127): User->changeAuthenticationData(array)
#4 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/doMaintenance.php(94): CreateAndPromote->execute()
#5 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/createAndPromote.php(154): include(string)
#6 /srv/mediawiki/multiversion/MWScript.php(100): include(string)
#7 {main}

I can recreate the failure on the WMF production cluster when using createAndPromote.php against wikitech. This is a regression, but I'm not sure when it was introduced yet. There has been functionally no development on the LdapAuthentication extension, so this seems likely to have a root cause in some change in core that has not been properly accounted for in LdapAuthentication.

Event Timeline

This error is shown when $ldap->allowPasswordChange() passes but $ldap->setPassword( $user, $pw ) fails. Not sure how a core change could influence that. None of the relevant code changed since 2016, either. Maybe some kind of LDAP config change?

Change 481553 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/extensions/LdapAuthentication@master] Handle autocreation via LdapAuthenticationPlugin::initUser

Change 481554 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/core@master] createAndPromote: use AuthManager::autoCreateUser

@Tgr and I talked the problem over on IRC a bit and he suggested the switch to using AuthManager::autoCreateUser from createAndPromote. Neither he nor I could find a reason that this would have worked in the past to actually create the user. I can vaguely assert that setting the account's password via createAndPromote used to at least fail silently if nothing else when LdapAuthentication was the active provider. The new autocreate behavior that I have proposed will be of questionable value for any caller other than createAndPromote unless they also follow the pattern of setting a known password value immediately after the User is created.

Change 481553 merged by jenkins-bot:
[mediawiki/extensions/LdapAuthentication@master] Handle autocreation via LdapAuthenticationPlugin::initUser

Change 481554 merged by jenkins-bot:
[mediawiki/core@master] createAndPromote: use AuthManager::autoCreateUser

Change 486425 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Make autocreation optional in createAndPromote.php