
Extension:Auth_remoteuser leads to timeouts when using mediawiki 1.42.x
Closed, Resolved · Public · BUG REPORT

Description

We have just updated our internal wiki to 1.42.1 and noticed that it completely stopped working with various PHP processing timeouts (see error below).

After some debugging we realized that the culprit was the Extension:Auth_remoteuser since it worked when we removed the include in LocalSettings.php.

For the time being we have downgraded to 1.41.1 again since it is a private wiki and there is no point for us running it without LDAP Auth. The wiki is hosted via reverse proxy and docker, but this should not really matter to this issue 🤔

Steps to replicate the issue (include links if applicable):

  • Load/Configure Extension:Auth_remoteuser in LocalSettings.php
  • Upgrade to mediawiki 1.42.1
  • Try to load the wiki

What happens?:

We're getting timeouts and no mediawiki UI is rendered:

Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/includes/json/FormatJson.php on line 112
Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/includes/exception/MWExceptionHandler.php on line 484

What should have happened instead?:

Mediawiki works as usual

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
MediaWiki 1.42.1
PHP 8.1.29

Other information (browser name/version, screenshots, etc.):


Event Timeline

The configuration in LocalSettings.php is as follows:

# Kerberos authentication                          
wfLoadExtension('Auth_remoteuser');
$wgAuthRemoteuserDomain = "MATHPHYS.STURA.UNI-HEIDELBERG.DE";
$wgAuthRemoteuserMailDomain = "mathphys.stura.uni-heidelberg.de";

@ChristianHeusel Which version of Auth_remoteuser are you using? Did it get updated at the same time as Mediawiki itself so that the matching REL1_42 version is being used?

It's the git repo checked out on the REL1_42 (commit 87be9276aa1723c096892ea6b4eff1085375d004) branch to match the mediawiki installation.

The first time I get the following error, but I don't know if that's meaningful, as the timeouts seem to happen in all sorts of random places once this extension is loaded (see above logs):

Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/extensions/Auth_remoteuser/src/AuthRemoteuserSessionProvider.php on line 241

Thank you @ChristianHeusel! If the maximum time is happening in significantly different places each time, then it probably means that there is an unexpected infinite loop between core code and the extension code. This makes sense for it to be in the registered hook. The hook itself is probably calling core code that - in turn - calls the hook again.

Any idea on how I could get a trace out of mediawiki/php to debug this further? Or do you already know enough to debug this on your own?

I tried with the following debug setting added to LocalSettings.php, but that didn't give me a more verbose error/trace:

error_reporting( -1 );
ini_set( 'display_startup_errors', 1 );
ini_set( 'display_errors', 1 );
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowDebug = true;
$wgDevelopmentWarnings = true;
$wgShowSQLErrors = true;
$wgDebugDumpSql  = true;
$wgShowDBErrorBacktrace = true;
$wgDebugLogFile = "/var/log/mediawiki/debug.log";

Not a big fan of bumping tickets, but it would be good to get some more feedback on this so we could debug it and eventually solve it! 🤗

Copied from T369974

Regression was caused by dfc691bfc52 "Migrate callers of deprecated method BlockManager::getUserBlock()" (T345683). In includes/Permissions/PermissionManager.php, the user rights cache was modified. My guess is that the caching stopped working and now the user rights checks run multiple times when a permission check is done within a SessionProvider.

So my bad idea right now is to add the following to the top of the UserNameSessionProvider::refreshSessionInfo method:

static $loaded = false;
if ($loaded) {
    return true;
}
$loaded = true;

The web page displays, but I'm worried that things won't be initialized correctly. I need help! Is it a bug in Mediawiki core? Or am I not allowed to User->isAllowed() inside of a SessionProvider's refreshSessionInfo method?

So how would I apply this fix to my upgraded Mediawiki install? Just apply the above patch/workaround?
Glad you were able to track down the issue, thanks for investigating! ❤

Hi @ChristianHeusel,

Yes, if that code is at the top of the method, then the function will only run once. I don't know what effect that will have in general.

A much safer approach would be to replace !$user->isAllowed( 'createaccount' ) with true or false on line 509 of UserNameSessionProvider.php.
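An added illustration of the loop discussed above, which is not part of the thread and is not MediaWiki or Auth_remoteuser code: a session refresh that asks for a permission, where the permission check calls back into the refresh. `ToyProvider` and the `$isAllowed` closure are hypothetical stand-ins. Unlike the `static $loaded` guard, which returns true for every later call in the same request, the flag here is cleared in `finally`, so each top-level call is validated again and only the nested call is cut short.

```php
<?php
// Added illustration; ToyProvider and $isAllowed are hypothetical stand-ins,
// not MediaWiki or Auth_remoteuser code.

final class ToyProvider {
    private bool $refreshing = false; // re-entrancy flag, per provider instance
    public int $validated = 0;        // how many times validation really ran

    /** @param callable $isAllowed permission check that may re-enter refresh() */
    public function refresh( string $remoteUser, callable $isAllowed ): bool {
        if ( $this->refreshing ) {
            // Nested call triggered by the permission check below:
            // break the cycle and fail closed instead of reporting success.
            return false;
        }
        $this->refreshing = true;
        try {
            $this->validated++;
            $mayCreate = $isAllowed( 'createaccount' );
            return $remoteUser !== ''
                && ( $mayCreate || $this->userExists( $remoteUser ) );
        } finally {
            $this->refreshing = false; // the next top-level call validates again
        }
    }

    private function userExists( string $name ): bool {
        return in_array( $name, [ 'alice' ], true ); // constructed sample data
    }
}

$provider = new ToyProvider();
// Stand-in for a rights lookup that needs the session and so calls back in.
$isAllowed = function ( string $right ) use ( &$provider, &$isAllowed ): bool {
    $provider->refresh( 'alice', $isAllowed ); // the re-entrant call
    return false; // anonymous users may not create accounts in this sample
};

var_dump( $provider->refresh( 'alice', $isAllowed ) );   // user known to the wiki
var_dump( $provider->refresh( 'mallory', $isAllowed ) ); // unknown user
var_dump( $provider->validated );                        // top-level validations run
```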

Hi,

I have the same problem.

I have the following configuration

wfLoadExtension( 'Auth_remoteuser' );
// Only login users automatically if known to the wiki already.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = false;
$wgGroupPermissions['*']['read'] = true;

because:

  • I want external authenticated only users to access the wiki in readonly mode
  • The user will be granted editing privileges if the user exists on mediawiki.
  • I don't want mediawiki users to be automatically created.

I changed line 509 on UserNameSessionProvider.php with

if ( false ) {

and the page displays only if the user exists on mediawiki database, but it generates the same "memory exhausted" error if the user doesn't exist.
So I also tried to change the line 362 from

if ( $anon->isAllowedAny( 'autocreateaccount', 'createaccount' ) ) {

to

if ( false ) {

and now it seems to work as I want.

Do you think that the changes I've made might cause something to break?

Thank you.

Hi @Metaldaze80,

I think those changes are a perfect workaround. The purpose of the checks is to answer the question: "Does the current user (anonymous or not) have permission to create an account?" Manually setting those to true or false efficiently skips the part where the software would check the configuration settings. So if the answer to those access questions was always going to be true or false, then you're saving time.

I'm so sorry that this has been a challenge for all of you. I don't know how to fix it so that we can do permissions checks in this part of the plugin again. 😓

Hi @jrchamp ,

thank you for your reply. I will implement these changes in production as a viable workaround.

What about introducing a new parameter like $wgAuthRemoteuserAutocreateaccount instead of just checking the current user permission (anonymous or not)? This might solve the problem in some cases instead of having to manually edit the code.

Feel free to ignore my suggestion if you think it is nonsense.

I am having this issue, but none of the workarounds seem to work. I am trying with MediaWiki 1.43 and Auth_remoteuser: REL1_43

I tried changing the "if()" to fixed values. I also tried putting the "static $loaded" code at the start of refreshSessionInfo, but it just keeps looping. If I create a debug log, I get endless lines like below, until it times out:

[session] Setting up auto login session for remote user name 'xxx' (mapped to MediaWiki user 'xxx', currently active as MediaWiki user 'xxx').
[rdbms] Wikimedia\Rdbms\LoadBalancer::reuseOrOpenConnectionForNewRef: reusing connection for 0/wikidb
[rdbms] MediaWiki\User\User::load [0.251ms] localhost: SELECT actor_id,actor_user,actor_name FROM actor WHERE actor_name = 'xxx' LIMIT 1
[rdbms] Wikimedia\Rdbms\LoadBalancer::reuseOrOpenConnectionForNewRef: reusing connection for 0/wikidb
[rdbms] MediaWiki\User\User::loadFromDatabase [0.359ms] localhost: SELECT user_id,user_name,user_real_name,user_email,user_touched,user_token,user_email_authenticated,user_email_token,user_email_token_expires,user_registration,user_editcount,user_actor.actor_id FROM user JOIN actor user_actor ON ((user_actor.actor_user = user_id)) WHERE user_id = 2 LIMIT 1

One possible complication: I just upgraded from 1.27 to 1.43 (via an upgrade to 1.35). The wiki works fine without the extension, but obviously, users are not auto logged in.

Thanks for your help.

@Prensing Having upgraded from 1.41.0 to 1.43.0 and also using the Auth_remoteuser: REL1_43 (version c985d52), I managed to get it working by applying the workaround provided by @Metaldaze80 in their comment

For reference, in my UserNameSessionProvider.php it was lines 381 and 528 that needed to be changed to

if ( false ) {

So do we already have a proper fix in sight? To me it seems like the underlying issue is still not solved 🤔

@Prensing Having upgraded from 1.41.0 to 1.43.0 and also using the Auth_remoteuser: REL1_43 (version c985d52), I managed to get it working by applying the workaround provided by @Metaldaze80 in their comment

For reference, in my UserNameSessionProvider.php it was lines 381 and 528 that needed to be changed to

if ( false ) {

Similar experience here. My upgrade was from 1.39 to 1.43. I was previously using the latest tagged version of Auth_remoteuser (2.1.1) but that doesn't work on MW 1.43 at all.

@amginea Thanks, that worked for me. I thought I had tried it, but I must have added a "true" where "false" was needed, or something like that.

This seems to be a duplicate of T369974, isn't it?

Change #1181135 had a related patch set uploaded (by Robert Vogel; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_43] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1181135

Change #1181135 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_43] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1181135

Change #1187013 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_44] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187013

Change #1187015 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@master] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187015

Change #1187013 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@REL1_44] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187013

Change #1187015 merged by jenkins-bot:

[mediawiki/extensions/Auth_remoteuser@master] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187015

Change #1187054 had a related patch set uploaded (by Jrchamp; author: Robert Vogel):

[mediawiki/extensions/Auth_remoteuser@REL1_42] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187054

Change #1187054 merged by Jrchamp:

[mediawiki/extensions/Auth_remoteuser@REL1_42] Fix infinite loop when checking permissions

https://gerrit.wikimedia.org/r/1187054

jrchamp assigned this task to Osnard.

Thank you for fixing this issue! Backported to the REL1_42 branch and merged manually.