
Can't reset password on wikitech (Unicode passwords not accepted), due to LDAP/opendj?
Closed, Resolved (Public)

Description

Steps I followed (three times now):

  1. [[wikitech:Special:PasswordReset]]
  2. Enter username and confirm
  3. Wait for email, copy the temporary password
  4. [[wikitech:Special:UserLogin]], enter username and paste password, ignore "token" field, check (or not) "Keep me logged in", submit

I. Observed: I'm logged in and I proceed to the page to set a new password

  5. Paste temporary password, enter new password two times, confirm

II. Observed: I'm logged out and sent back to [[wikitech:Special:UserLogin]], with login error "Incorrect password entered. Please try again." I can use neither the temporary password, because it expired, nor the new password, because it wasn't set, so I have to start again from (1).
III. Expected: the password is set and I proceed.


Version: unspecified
Severity: critical
URL: https://wikitech.wikimedia.org/

Details

Reference
bz56114

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 2:32 AM
bzimport set Reference to bz56114.
bzimport added a subscriber: Unknown Object (MLST).

(In reply to comment #0)

> I. Observed: I'm logged in and I proceed to the page to set a new password

Well, not logged in, but the password is accepted and I'm asked to enter my new one to "finish login".

Sigh, I created a new account (at the cost of a couple hours spent fighting against the wiki's silliness, see bug 56535) and was now locked out of that too. It turns out that wikitech doesn't accept passwords with Unicode characters which work fine on the WMF cluster; I now used a three-letter password and it worked. Let us know when we can use secure passwords on this wiki.

(In reply to comment #0)

> 5. Paste temporary password, enter new password two times, confirm

Amended: "enter new password with some non-ASCII character" (no idea which ones); clarified summary.

Wikitech is the only wiki (iirc) backed by LDAP authentication. I'm going to guess either the extension or the LDAP server doesn't handle the non-ASCII characters correctly.

Does anyone in ops know what LDAP server is used?

(In reply to Chris Steipp from comment #3)

> Does anyone in ops know what LDAP server is used?

See e.g. bug 63717, which indicates OpenDJ.

Aklapper renamed this task from Can't reset password on wikitech (Unicode passwords not accepted) to Can't reset password on wikitech (Unicode passwords not accepted), due to LDAP/opendj?. Apr 25 2015, 9:03 PM
Aklapper set Security to None.
chasemp subscribed.

@Nemo_bis: please let me know if anything needs to be fixed/changed on the OpenLDAP side of the new labs LDAP servers.

@Nemo_bis: Were you able to reproduce this with the new LDAP server?

Can't test now since I'm not getting any of the password reset emails...

I could create a dummy account and attempt it @Nemo_bis @scfc if you want.

@Zppix: That would be very nice. Could you please test a) creating a new account with a Unicode password and b) (afterwards) resetting the password and picking a new Unicode password so that we have tested both ways? Thanks!

After changing to another email address, I was able to get a password reset and the password "81L_['-nD:¬³ΩŁ¢®Ŧ¥ª§&JĦŊÐÄä±ºД№⌘⑆┙☠ﬔ︢ĔȑՂ" seemed to work (I included a character from each MES3B dropdown in abcTajpu).

However, I can't test the original steps because in the meantime I enabled 2FA.

I think that is close enough to a verification. 2FA should not interfere with the passwords themselves. Thanks for testing.
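
The guess earlier in this thread, that either the extension or the LDAP server mishandles non-ASCII characters, describes a failure where the path that sets a password and the path that checks it hand the directory different bytes. The following Python is an added example, not code from wikitech, its LDAP extension or OpenDJ; the pipeline names and transforms are assumptions, and the thread never identifies the actual cause. It shows which encoding and normalization disagreements make the same typed password fail, and how a lossy path can make different passwords equivalent.

```python
import unicodedata
from itertools import combinations

# Hypothetical transforms a password may pass through between the web form and
# the directory server. Assumed for illustration; the thread confirms none.
PIPELINES = {
    "utf8": lambda s: s.encode("utf-8"),
    "utf8-nfc": lambda s: unicodedata.normalize("NFC", s).encode("utf-8"),
    "utf8-nfkc": lambda s: unicodedata.normalize("NFKC", s).encode("utf-8"),
    # Legacy single-byte path: unencodable characters silently become "?".
    "latin1-lossy": lambda s: s.encode("latin-1", errors="replace"),
    # UTF-8 bytes misread as Latin-1 and encoded again (mojibake).
    "double-utf8": lambda s: s.encode("utf-8").decode("latin-1").encode("utf-8"),
}

def wire_bytes(password, pipeline):
    """Bytes the credential store would actually receive via this pipeline."""
    return PIPELINES[pipeline](password)

def roundtrip_ok(password, set_path, check_path):
    """True if a password set via one path still verifies via the other."""
    return wire_bytes(password, set_path) == wire_bytes(password, check_path)

def mismatches(password):
    """Pairs of paths that hand the store different bytes for this password."""
    return [(a, b) for a, b in combinations(sorted(PIPELINES), 2)
            if not roundtrip_ok(password, a, b)]

def collapses(pw1, pw2, pipeline):
    """True if two distinct passwords become the same stored secret."""
    return pw1 != pw2 and wire_bytes(pw1, pipeline) == wire_bytes(pw2, pipeline)

if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for sample in ["abc123", "p\u00e4ss", "pa\u0308ss", "\u0414\u2116\ufb14"]:
        print(repr(sample), mismatches(sample))
```

An ASCII-only password yields no mismatches under any of these paths, which is consistent with the three-letter password working while the Unicode one did not.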