Page MenuHomePhabricator
Create Task
Maniphest T212689

createAndPromote.php fails to create LDAP record for new account
Closed, ResolvedPublic
Actions

Description

I ran into this while working on the MediaWiki-Vagrant role for Striker. On a wiki with LdapAuthentication enabled as the primary AuthManager plugin I am able to create new user accounts via Special:CreateAccount as expected. Both a local wiki user and a backing LDAP record are created. However when using the createAndPromote.php maintenance script only the local wiki user is created and the following error is logged to the console:

[fe7d1fcb9451add90be5b053] [no req]   ErrorPageError from line 393 of /srv/mediawiki/php-1.33.0-wmf.9/extensions/LdapAuthentication/LdapPrimaryAuthenticationProvider.php: The authentication plugin denied the password change.
Backtrace:
#0 /srv/mediawiki/php-1.33.0-wmf.9/includes/auth/AuthManager.php(2441): LdapPrimaryAuthenticationProvider->providerChangeAuthenticationData(MediaWiki\Auth\PasswordAuthenticationRequest)
#1 /srv/mediawiki/php-1.33.0-wmf.9/includes/auth/AuthManager.php(900): MediaWiki\Auth\AuthManager->callMethodOnProviders(integer, string, array)
#2 /srv/mediawiki/php-1.33.0-wmf.9/includes/user/User.php(2989): MediaWiki\Auth\AuthManager->changeAuthenticationData(MediaWiki\Auth\PasswordAuthenticationRequest)
#3 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/createAndPromote.php(127): User->changeAuthenticationData(array)
#4 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/doMaintenance.php(94): CreateAndPromote->execute()
#5 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/createAndPromote.php(154): include(string)
#6 /srv/mediawiki/multiversion/MWScript.php(100): include(string)
#7 {main}

I can recreate the failure on the WMF production cluster when using createAndPromote.php against wikitech. This is a regression, but I'm not sure when it was introduced yet. There has been functionally no development on the LdapAuthentication extension, so this seems likely to have a root cause in some change in core that has not been properly accounted for in LdapAuthentication.

Details

SubjectRepoBranchLines +/-
Make autocreation optional in createAndPromote.phpmediawiki/coremaster+33 -18
createAndPromote: use AuthManager::autoCreateUsermediawiki/coremaster+20 -6
Handle autocreation via LdapAuthenticationPlugin::initUsermediawiki/extensions/LdapAuthenticationmaster+10 -0
Customize query in gerrit

Event Timeline

bd808 created this task.Dec 29 2018, 6:08 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 29 2018, 6:08 PM
Tgr subscribed.Dec 29 2018, 9:54 PM

This error is shown when $ldap->allowPasswordChange() passes but $ldap->setPassword( $user, $pw ) fails. Not sure how a core change could influence that. None of the relevant code changed since 2016, either. Maybe some kind of LDAP config change?

gerritbot subscribed.Dec 30 2018, 3:14 AM

Change 481553 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/extensions/LdapAuthentication@master] Handle autocreation via LdapAuthenticationPlugin::initUser

https://gerrit.wikimedia.org/r/481553

gerritbot added a project: Patch-For-Review.Dec 30 2018, 3:14 AM

Change 481554 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/core@master] createAndPromote: use AuthManager::autoCreateUser

https://gerrit.wikimedia.org/r/481554

bd808 added a comment.Dec 30 2018, 3:27 AM

@Tgr and I talked the problem over on irc a bit and he suggested the switch to using AuthManager::autoCreateUser from createAndPromote. Neither he nor I could find a reason that this would have worked in the past to actually create the user. I can vaguely assert that setting the account's password via createAndPromote used to at least fail silently if nothing else when LdapAuthentication was the active provider. The new autocreate behavior that I have proposed will be of questionable value for any caller other than createAndPromote unless they also follow the pattern of setting a known password value immediately after the User is created.

bd808 claimed this task.Dec 30 2018, 3:36 AM
gerritbot added a comment.Jan 2 2019, 7:07 PM

Change 481553 merged by jenkins-bot:
[mediawiki/extensions/LdapAuthentication@master] Handle autocreation via LdapAuthenticationPlugin::initUser

https://gerrit.wikimedia.org/r/481553

ReleaseTaggerBot added a project: MW-1.33-notes (1.33.0-wmf.12; 2019-01-08).Jan 2 2019, 8:00 PM
gerritbot added a comment.Jan 10 2019, 3:51 PM

Change 481554 merged by jenkins-bot:
[mediawiki/core@master] createAndPromote: use AuthManager::autoCreateUser

https://gerrit.wikimedia.org/r/481554

ReleaseTaggerBot edited projects, added MW-1.33-notes (1.33.0-wmf.13; 2019-01-15); removed MW-1.33-notes (1.33.0-wmf.12; 2019-01-08).Jan 10 2019, 4:00 PM
bd808 closed this task as Resolved.Jan 10 2019, 5:09 PM
gerritbot added a comment.Jan 25 2019, 6:21 AM

Change 486425 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Make autocreation optional in createAndPromote.php

https://gerrit.wikimedia.org/r/486425

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL