I ran into this while working on the MediaWiki-Vagrant role for Striker. On a wiki with LdapAuthentication enabled as the primary AuthManager plugin I am able to create new user accounts via Special:CreateAccount as expected. Both a local wiki user and a backing LDAP record are created. However when using the createAndPromote.php maintenance script only the local wiki user is created and the following error is logged to the console:
[fe7d1fcb9451add90be5b053] [no req] ErrorPageError from line 393 of /srv/mediawiki/php-1.33.0-wmf.9/extensions/LdapAuthentication/LdapPrimaryAuthenticationProvider.php: The authentication plugin denied the password change. Backtrace: #0 /srv/mediawiki/php-1.33.0-wmf.9/includes/auth/AuthManager.php(2441): LdapPrimaryAuthenticationProvider->providerChangeAuthenticationData(MediaWiki\Auth\PasswordAuthenticationRequest) #1 /srv/mediawiki/php-1.33.0-wmf.9/includes/auth/AuthManager.php(900): MediaWiki\Auth\AuthManager->callMethodOnProviders(integer, string, array) #2 /srv/mediawiki/php-1.33.0-wmf.9/includes/user/User.php(2989): MediaWiki\Auth\AuthManager->changeAuthenticationData(MediaWiki\Auth\PasswordAuthenticationRequest) #3 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/createAndPromote.php(127): User->changeAuthenticationData(array) #4 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/doMaintenance.php(94): CreateAndPromote->execute() #5 /srv/mediawiki/php-1.33.0-wmf.9/maintenance/createAndPromote.php(154): include(string) #6 /srv/mediawiki/multiversion/MWScript.php(100): include(string) #7 {main}
I can recreate the failure on the WMF production cluster when using createAndPromote.php against wikitech. This is a regression, but I'm not sure when it was introduced yet. There has been functionally no development on the LdapAuthentication extension, so this seems likely to have a root cause in some change in core that has not been properly accounted for in LdapAuthentication.