
Gerrit login denied
Closed, Resolved, Public

Description

One of the WMDE staff members is having issues authenticating with Gerrit.

We've already checked that the login credentials are correct, using idp.wikimedia.org.

The error from Gerrit is "authentication failed" and looking in the logs we see:

[2026-06-01T07:18:36.323Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'Catherine.kelsey' failed to sign in: Incorrect username or password
[2026-06-01T07:18:50.075Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'catherine.kelsey@wikimedia.de' failed to sign in
com.google.gerrit.server.auth.NoSuchUserException: No such user: catherine.kelsey@wikimedia.de
[2026-06-01T07:19:03.832Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'catherine.kelsey' failed to sign in: Incorrect username or password
[2026-06-01T07:19:26.551Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'catherine.kelsey@wikimedia.de' failed to sign in
com.google.gerrit.server.auth.NoSuchUserException: No such user: catherine.kelsey@wikimedia.de

User account information is available here: https://ldap.toolforge.org/user/catherinekelsey

uid: catherinekelsey
sn: Catherine.kelsey
cn: Catherine.kelsey

I suspect that we either accidentally blocked the account, or that their email address for some reason already exists in Gerrit.

Event Timeline

Gerrit authenticates users from LDAP using the following LDAP pattern:

(
  &(objectClass=person)(cn=${username})
   (!(pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org))
)

I have confirmed the account is not blocked via the ppolicy:

$ ldapsearch -LL -x '(&(objectClass=person)(cn=Catherine.kelsey)(pwdPolicySubentry=cn=disabled,ou=ppolicies,dc=wikimedia,dc=org))'
version: 1

Gerrit requires the cn LDAP field to be used for authentication, which would be Catherine.kelsey. It is case insensitive and can be entered all in lower case (for example: catherine.kelsey).

I will dig in the Gerrit log and account database after lunch.

Mentioned in SAL (#wikimedia-releng) [2026-06-01T10:58:14Z] <hashar> gerrit: flushed ldap_usernames cache in case a missing account ended up being cached there # T427792

I have updated the task description with the four log entries from the Gerrit server.

Two attempts were made using the email address and got rejected with No such user. Because Gerrit looks up the input against the LDAP cn field, no entry is returned and that is interpreted as a non-existent user.

The two other attempts are using Catherine.kelsey (first letter upper cased) and catherine.kelsey (all lower case). Both should work afaik because Gerrit normalizes to lower case when doing the lookup and afaik LDAP does a case insensitive search. The query does find an entry, else they would fail similar to the other ones that use the email. Thus the user exists in LDAP and is found by Gerrit.

Once the LDAP user is retrieved, Gerrit connects to LDAP using the supplied username/password. If LDAP fails, the authentication fails and Gerrit throws an exception Incorrect username or password.

I have looked at the Gerrit account database (All-Users.git), there is no account by that name, Gerrit never created a local user since the user never successfully logged in.

Given:

  • the input username is correct (either Catherine.kelsey or all lower case catherine.kelsey should work)
  • Gerrit finds the user in LDAP
  • the authentication is rejected

Therefore I speculate the input password is incorrect. This can be due to:

  1. the password being escaped somehow
  2. the password being truncated to some arbitrary size
  3. the wrong password being used

I strongly suspect the issue is a wrong password being used, possibly due to us confusingly having TWO different accounts:

  1. the wiki accounts such as for https://www.mediawiki.org/, Wikidata, Wikipedia etc. @catherine.kelsey.wmde account in Phabricator is attached to the MediaWiki account.
  2. Wikimedia Developer account, managed by https://idm.wikimedia.org/ , stored in LDAP and used by Gerrit.

@catherine.kelsey.wmde can you take note of the password you are using to connect to https://idm.wikimedia.org/ and use that password to attempt to login to Gerrit with your username Catherine.kelsey? That is to double check everything is fine.

@SLyngshede-WMF do we have logs of auth failures in our LDAP?
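To make the reasoning in the comment above repeatable, here is an added example (not code from the task, from Gerrit or from the Wikimedia deployment) that parses LdapLoginServlet warnings of the shape quoted in the description and sorts each failure into the step of the LDAP flow it came from: a NoSuchUserException means the cn lookup returned nothing, while "Incorrect username or password" means an entry was found and the subsequent bind was rejected. The sample log text is constructed from the four entries in the description; the function names and the hint wording are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the four LdapLoginServlet entries quoted in the task.
SAMPLE_LOG = """\
[2026-06-01T07:18:36.323Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'Catherine.kelsey' failed to sign in: Incorrect username or password
[2026-06-01T07:18:50.075Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'catherine.kelsey@wikimedia.de' failed to sign in
com.google.gerrit.server.auth.NoSuchUserException: No such user: catherine.kelsey@wikimedia.de
[2026-06-01T07:19:03.832Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'catherine.kelsey' failed to sign in: Incorrect username or password
[2026-06-01T07:19:26.551Z]
WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet :
'catherine.kelsey@wikimedia.de' failed to sign in
com.google.gerrit.server.auth.NoSuchUserException: No such user: catherine.kelsey@wikimedia.de
"""

# One entry = timestamp line, logger line, message line, optional exception line.
ENTRY_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\n"
    r"WARN\s+com\.google\.gerrit\.httpd\.auth\.ldap\.LdapLoginServlet\s*:\n"
    r"'(?P<user>[^']+)' failed to sign in(?:: (?P<reason>[^\n]*))?\n"
    r"(?P<exc>com\.google\.gerrit\.server\.auth\.\w+Exception: [^\n]*\n)?"
)


def classify(reason, exc):
    """Map one entry to the step of Gerrit's LDAP flow that failed."""
    if exc and "NoSuchUserException" in exc:
        return "no_such_user"    # step 1: the cn search returned no entry
    if reason and "Incorrect username or password" in reason:
        return "bind_rejected"   # step 2: entry found, simple bind with the password failed
    return "other"


def parse_failures(text):
    """Return one dict per LdapLoginServlet failure found in the text."""
    return [
        {"ts": m.group("ts"), "user": m.group("user"),
         "kind": classify(m.group("reason"), m.group("exc"))}
        for m in ENTRY_RE.finditer(text)
    ]


def summarize(entries):
    """Count failures per (lower-cased login name, failure kind)."""
    return Counter((e["user"].lower(), e["kind"]) for e in entries)


def triage(entries):
    """Per login name, a one-line hint following the analysis in this task."""
    hints = {}
    for (user, kind), _count in summarize(entries).items():
        if kind == "bind_rejected":
            hints[user] = "entry found in LDAP; the simple bind rejected the supplied password"
        elif kind == "no_such_user" and "@" in user:
            hints[user] = "looks like an e-mail address; Gerrit matches the LDAP cn, not mail"
        elif kind == "no_such_user":
            hints[user] = "no entry matched the cn filter (typo, or excluded by the ppolicy clause)"
        else:
            hints[user] = "unrecognised failure message; inspect the entry by hand"
    return hints


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for key, n in summarize(found).items():
        print(n, key)
    for user, hint in triage(found).items():
        print(user, "->", hint)
```

Run against the four sample entries, the summary shows two bind rejections for catherine.kelsey and two "no such user" results for the e-mail form, which is exactly the split the comment above draws between "user not found" and "user found, password rejected".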

We don't really log a ton in LDAP and most application (not sure how Gerrit does it) queries for the user and then validates the password internally.

Our Gerrit has auth.type = LDAP (documentation) which is:

Gerrit prompts the user to enter a username and a password, which it then verifies by performing a simple bind against the configured ldap.server.
...
The actual username used in the LDAP simple bind request is the account’s full DN, which is discovered by first querying the directory using [..] an anonymous request

If the user was found, Gerrit then reconnects using the supplied username/password. Thus on the LDAP backend there would be a binding rejected due to an incorrect user/pass. But yeah maybe that is not logged at all.
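The two-step flow described in this thread (anonymous search with the cn pattern, then a simple bind with the discovered DN) is easy to reproduce against an in-memory stand-in, which is what the added example below does. It is not Gerrit's code and not the Wikimedia directory: the DN, the mail attribute, the "Blocked.user" entry and the passwords are constructed for the example, and the password check is a hash comparison standing in for what a real simple bind would do. The example also escapes the value substituted for ${username} per RFC 4515 before building the filter string; that is shown as the defensive practice for any filter template, not as a description of how Gerrit itself substitutes the value.

```python
import hashlib
import hmac

DISABLED_POLICY = "cn=disabled,ou=ppolicies,dc=wikimedia,dc=org"


def _pw(secret):
    # Stand-in for the directory's own password verification (example only).
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed in-memory directory. cn/uid follow the task; DN, mail,
# the blocked entry and the passwords are assumptions for this example.
DIRECTORY = [
    {"dn": "uid=catherinekelsey,ou=people,dc=wikimedia,dc=org",
     "objectClass": ["person"], "cn": "Catherine.kelsey", "uid": "catherinekelsey",
     "mail": "catherine.kelsey@wikimedia.de", "_pw": _pw("correct horse battery")},
    {"dn": "uid=blockeduser,ou=people,dc=wikimedia,dc=org",
     "objectClass": ["person"], "cn": "Blocked.user", "uid": "blockeduser",
     "pwdPolicySubentry": DISABLED_POLICY, "_pw": _pw("whatever")},
]


class NoSuchUserException(Exception):
    pass


class AuthenticationFailed(Exception):
    pass


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter,
    so that '*', '(', ')' or '\\' in the input cannot change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(username):
    """The pattern quoted earlier in this task with ${username} substituted."""
    return ("(&(objectClass=person)(cn=%s)(!(pwdPolicySubentry=%s)))"
            % (escape_filter_value(username), DISABLED_POLICY))


def matches(entry, username):
    """Evaluate the three clauses of the pattern against one entry.
    The cn comparison is case-insensitive, matching LDAP's default rule for cn."""
    return ("person" in entry["objectClass"]
            and entry["cn"].lower() == username.lower()
            and entry.get("pwdPolicySubentry") != DISABLED_POLICY)


def anonymous_search(username):
    """Step 1: find the account by cn. A mail address therefore matches nothing,
    and an entry carrying the disabled ppolicy is filtered out the same way."""
    hits = [e for e in DIRECTORY if matches(e, username)]
    if not hits:
        raise NoSuchUserException("No such user: %s" % username)
    return hits[0]


def simple_bind(entry, password):
    """Step 2: bind with the discovered DN and the supplied password."""
    if not hmac.compare_digest(entry["_pw"], _pw(password)):
        raise AuthenticationFailed("Incorrect username or password")
    return entry["dn"]


def login(username, password):
    """Return the bound DN on success, or the message the log would carry on failure."""
    try:
        return simple_bind(anonymous_search(username), password)
    except (NoSuchUserException, AuthenticationFailed) as exc:
        return "failed: %s" % exc


if __name__ == "__main__":
    for user, secret in [("Catherine.kelsey", "correct horse battery"),
                         ("catherine.kelsey", "correct horse battery"),
                         ("catherine.kelsey@wikimedia.de", "correct horse battery"),
                         ("catherine.kelsey", "not the idm password"),
                         ("Blocked.user", "whatever")]:
        print("%-32s %s" % (user, login(user, secret)))
    print(build_filter("a*b"))
```

The five sample logins reproduce the outcomes discussed above: both spellings of the cn succeed with the right password, the e-mail form and the ppolicy-disabled entry both end in "No such user" because step 1 finds nothing, and a correct cn with the wrong password fails only at step 2 with "Incorrect username or password". Note that the disabled case is indistinguishable from a typo in the log, which is why the ldapsearch against the ppolicy clause earlier in the thread is the right check.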

Hi @hashar - thank you for taking a look at this, I've just logged in with "catherine.kelsey" and then my idp password, and I'm in :)

hashar claimed this task.

Awesome! I can confirm Gerrit has created a local account for you. Danke schön for having confirmed you have successfully logged in 🎉