MediaWiki does not require emails to be unique, but Gerrit apparently does. Create a Wikitech account which uses the same email address as your other secondary Wikitech account, try to log in to Gerrit with those credentials and you get a super unhelpful "Authentication failed". Recent example T270064.
Thanks for fixing the task description, clearly I was half asleep.
@bd808 is a Wikitech fix worth it separately or should it be fixed everywhere at the same time? I can provide a patch for MediaWiki, no idea how to do it with Striker though.
(I wonder if it made sense to centralize things by having Striker use action=createaccount?)
I'm not sure that preventing duplicate emails in the LDAP directory is actually valuable at all. It seems more like an implementation quirk of the external account linkage in Gerrit that it is using a non-unique lookup token than a bug in the Developer account system itself. The backing LDAP directory enforces unique values for uid (shell user name) and cn (Wikitech user name). It really feels like Gerrit linkage should be based on one or the other of these and not mail which is non-unique.
Searching the LDAP directory for duplicate emails is a bit annoying, but it is pretty easy to make a check in Wikitech's db of attached Developer accounts for duplicate emails. At the moment select count(*) as dups, user_email from user group by user_email having dups > 1 order by dups asc; returns 912 rows with duplication counts ranging from 2 to 250. The vast majority of these are duplicate count == 2.
If we block email duplication going forward, do we also need some kind of historic cleanup? What do we do for folks who want/need bot accounts that they do not intend to use with Gerrit?
Gerrit does the mapping between its internal account and the LDAP account using the LDAP cn field normalized to lower case. The email is not involved there.
However, since Gerrit 2.16, uniqueness of emails across accounts is enforced. Apparently it caused trouble with some external authentication systems which might use an email as the id key: https://gerrit-review.googlesource.com/c/gerrit/+/169970. The commit states that duplicate emails would not cause any trouble when the external id is not an email (such as LDAP with cn) but there is no feature flag to disable the uniqueness enforcement.
For the wiki bot accounts, I guess one can use an email alias by appending to their mailbox name an extra string prefixed by + (ex: email@example.com gets delivered to jane's mailbox). Not all email providers support that, but the large majority probably do (Gmail definitely does). That might be a good enough workaround.
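
Added example, not part of the task discussion or of Wikimedia's tooling: the duplicate-email check quoted above, run with Python's sqlite3 against constructed rows, plus a second pass showing that plus aliases pass an exact-match uniqueness check while still reaching one mailbox. The table and column names follow the quoted query; the sample accounts, the skipping of blank addresses and the function names are assumptions made for illustration.

```python
import sqlite3
from collections import Counter, defaultdict

# Constructed sample accounts (user_name, user_email); not real data.
SAMPLE_USERS = [
    ("Jane", "jane@example.org"),
    ("JaneBot", "jane@example.org"),        # exact duplicate of Jane's address
    ("JaneBot2", "jane+bot2@example.org"),  # plus alias: a distinct string
    ("Ali", "ali@example.org"),
    ("AliBot", "ali@example.org"),
    ("AliTest", "ali@example.org"),
    ("Sam", "sam@example.org"),
    ("NoMail", ""),
    ("NoMail2", ""),                        # blank addresses are skipped (assumption)
]

def build_db(users=SAMPLE_USERS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT UNIQUE, user_email TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", users)
    return conn

def duplicate_emails(conn):
    """(email, account count) for each non-blank address used by several accounts."""
    return conn.execute(
        "SELECT user_email, count(*) AS dups FROM user "
        "WHERE user_email <> '' "
        "GROUP BY user_email HAVING count(*) > 1 "
        "ORDER BY dups ASC, user_email ASC"
    ).fetchall()

def dup_histogram(rows):
    """Map duplication count -> number of addresses with that count."""
    return Counter(dups for _, dups in rows)

def fold_plus_alias(email):
    """Assumption: the provider delivers local+tag@domain to local@domain."""
    local, _, domain = email.rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def shared_mailboxes(conn):
    """Mailboxes reached by several accounts once plus aliases are folded."""
    groups = defaultdict(list)
    query = "SELECT user_name, user_email FROM user WHERE user_email <> '' ORDER BY user_name"
    for name, email in conn.execute(query):
        groups[fold_plus_alias(email)].append(name)
    return {box: names for box, names in groups.items() if len(names) > 1}
```

The exact-match query is what a uniqueness constraint on the stored string sees; `shared_mailboxes` is the view an audit needs if the goal is one mailbox per account rather than one string per account.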