
CAS not letting new Toolsbeta-logging developer account log in
Closed, Declined (Public)

Description

I created a new Toolsbeta-logging service account for T386480: [o11y,logging,infra] Deploy Loki to store Toolforge tool log data. Unfortunately, idp is not letting me log in to Horizon with this account. In the UI, I get a generic "Authentication attempt has failed." error message.

In the CAS logs I see this:

2025-06-23 17:12:53,791 ERROR [org.apereo.cas.authentication.DefaultAuthenticationManager] - <[LdapAuthenticationHandler]: [javax.security.auth.login.AccountNotFoundException: Unable to resolve user dn for Toolsbeta-logging / Unable to resolve user dn for Toolsbeta-logging]>
2025-06-23 17:12:53,794 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes
	DefaultAuthenticationManager.java:evaluateFinalAuthentication:271
	DefaultAuthenticationManager.java:authenticateInternal:256
	DefaultAuthenticationManager.java:authenticate:72
	DirectMethodHandleAccessor.java:invoke:103
>

The account was created using Bitu and I don't see anything strange about the LDAP record:

$ ldapsearch -x "(&(cn=Toolsbeta-logging)(objectClass=inetOrgPerson))"
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(cn=Toolsbeta-logging)(objectClass=inetOrgPerson))
# requesting: ALL
#

# toolsbeta-logging, people, wikimedia.org
dn: uid=toolsbeta-logging,ou=people,dc=wikimedia,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
uid: toolsbeta-logging
sn: Toolsbeta-logging
cn: Toolsbeta-logging
uidNumber: 49513
homeDirectory: /home/toolsbeta-logging
gidNumber: 500
mail: cloudservices@wikimedia.org
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

There is a second cn=toolsbeta-logging object in ou=projects,dc=wikimedia,dc=org for the service project for the same purpose, but that should not have any impact here?

Event Timeline

There is a second cn=toolsbeta-logging object in ou=projects,dc=wikimedia,dc=org for the service project for the same purpose, but that should not have any impact here?

It does; the LDAP query CAS uses is only limited to be below "dc=wikimedia,dc=org", so it will find both and not know what to do.
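The failure mode described in this thread, modelled as an added example (not CAS, Bitu or Wikimedia code): two entries share the same cn under the CAS search base, so a "find exactly one user DN" step cannot succeed until the base or filter is narrowed. The objectClass of the ou=projects object is an assumption; the people entry mirrors the ldapsearch output above.

```python
"""Model of the user-DN resolution step behind "Unable to resolve user dn".

Constructed example for the Toolsbeta-logging case: the same cn exists once in
ou=people and once in ou=projects, so a search scoped to dc=wikimedia,dc=org
returns two entries and no single DN can be chosen.
"""

# Constructed sample directory. The ou=people entry matches the task's LDIF;
# the ou=projects entry's objectClass is an assumption (the task does not show it).
DIRECTORY = [
    {"dn": "uid=toolsbeta-logging,ou=people,dc=wikimedia,dc=org",
     "cn": "Toolsbeta-logging",
     "objectClass": ["inetOrgPerson", "posixAccount", "ldapPublicKey"]},
    {"dn": "cn=toolsbeta-logging,ou=projects,dc=wikimedia,dc=org",
     "cn": "toolsbeta-logging",
     "objectClass": ["groupOfNames"]},  # assumed class for the project object
]


def _in_base(dn, base):
    """True if dn is the base itself or lies anywhere beneath it (subtree scope)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def resolve_user_dn(directory, username, base, required_class=None):
    """Return the single DN whose cn equals username under base.

    cn is matched case-insensitively, as LDAP does. Zero or multiple matches
    raise LookupError, the condition CAS logs as "Unable to resolve user dn".
    Passing required_class (e.g. "inetOrgPerson") is one way to disambiguate
    without changing the search base.
    """
    matches = [
        entry["dn"] for entry in directory
        if _in_base(entry["dn"], base)
        and entry["cn"].lower() == username.lower()
        and (required_class is None or required_class in entry["objectClass"])
    ]
    if len(matches) != 1:
        raise LookupError(
            f"Unable to resolve user dn for {username}: "
            f"{len(matches)} matches under {base}")
    return matches[0]


def find_cn_collisions(directory, base):
    """Audit helper: map each cn that occurs more than once under base to its DNs."""
    seen = {}
    for entry in directory:
        if _in_base(entry["dn"], base):
            seen.setdefault(entry["cn"].lower(), []).append(entry["dn"])
    return {cn: dns for cn, dns in seen.items() if len(dns) > 1}
```

Running find_cn_collisions over a real export before creating a service account and a same-named project would flag this clash ahead of the failed login.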