Change Details

I'm running MediaWiki 1.30.0 with the latest version of LDAP Authentication extension (master branch, commit aa165265357f0420ae8f17e5b8bd7e80f8febe79) I need to support LDAP accounts and local accounts (MySQL), so I configured ``` $wgLDAPUseLocal = true; ``` which basically works, but I'm unable to create new local accounts at `Special:CreateAccount`... As soon as I enter a user name (and leave the input field) a red box appears saying > Username entered already in use. Please choose a different name. In the web developer toolbar, I can see a get request to `WIKIBASE/api.php?action=query&format=json&list=users&ususers=blah23&usprop=cancreate&formatversion=2&errorformat=html&errorsuselocal=true&uselang=en` -> I cannot see the selected domain here!? //(Not sure if that is already a bug? How is the API endpoint supposed to know under which domain I want to create the account? But maybe only `local` is supported and the domain-drop-down on that page is irrelevant?)// I ignore the message and nevertheless submit the form, the browser sends a POST request containing all the data (incl. domain): ``` wpName blah23 wpPassword test wpDomain local retype test email realname reason wpCreateaccount Create+account wpEditToken xxxx title Special:CreateAccount authAction create force wpCreateaccountToken xxxx ``` But it still says `Username entered already in use. Please choose a different name. `... So it seems as I cannot create a new local account...!? If I disable the LDAP Authentication extension, the same POST request (just pressing `F5` then) is working fine and a new account is being created.. ## Debugging I already went a bit through the code, and if I understand correctly the check for existing users basically starts at [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L1038 | AuthManager.php -> beginAccountCreation( User $creator, array $reqs, $returnToUrl ) ]], where I can see it gets the domain in `$reqs`. On [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L1068 | line 1068]] it then calls [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L928 | AuthManager.php -> canCreateAccount( $username, $options) ]], which only retrieves the username: ``` $status = $this->canCreateAccount( $username, [ 'flags' => User::READ_LOCKING, 'creating' => true ] ); ``` From `canCreateAccount` ([[ https://github.com/wikimedia/mediawiki/blob/master/includes/auth/AuthManager.php#L943 | line 943]]) the function [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L2157 | AuthManager.php -> userExists ($username, $flags) ]] is called, which then iterates `getPrimaryAuthenticationProviders ()` to `testUserExists`.. Arriving at [[ https://github.com/wikimedia/mediawiki/blob/master/includes/auth/AuthPluginPrimaryAuthenticationProvider.php#L281 | AuthPluginPrimaryAuthenticationProvider.php -> testUserExists( $username, $flags = User::READ_NORMAL )]], it simply iterates every domain (as the domain information has been lost above) and checks the `AuthPlugin::userExists()`: ``` foreach ( $domains as $domain ) { $this->auth->setDomain( $domain ); if ( $this->auth->userExists( $username ) ) { $this->auth->setDomain( $curDomain ); return true; } } ``` The LDAP Authentication extension in my case then always returns `true` (=user exists), as it cannot add LDAP users ([[ https://github.com/wikimedia/mediawiki-extensions-LdapAuthentication/blob/master/LdapAuthenticationPlugin.php#L497 | `AddLDAPUsers` is `false`]]). So even if I would introduce an (in my opinion) missing check for `'local' == $this->getDomain()` at the LdapAuthentication extension, it will still fail, as `AuthPluginPrimaryAuthenticationProvider.php -> testUserExists` still checks for all domains (including LDAP domains..). ## Workaround As explained above, one option would be to temporarily disable LDAP Authentication. Another option is to create a new local account with a command line call for eg. ``` php maintenance/createAndPromote.php USER PASS ``` which apparently doesn't check all these things.. However, I don't want to grant command line access to the users/maintainers of the wiki. ## Solution Does anyone have an idea how to fix that issue? I'm not sure, but I guess the [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L928 | AuthManager.php -> canCreateAccount( $username, $options) ]] should also know about the domain, in which the user should be created? And then also provide this information to [[ https://github.com/wikimedia/mediawiki/blob/master/includes/auth/AuthPluginPrimaryAuthenticationProvider.php#L281 | AuthPluginPrimaryAuthenticationProvider.php -> testUserExists( $username, $flags = User::READ_NORMAL )]], which doesn't check the LDAP extension for local accounts (or provides the domain to the LDAP extension, which then knows where/what/if to check..)?

26570726f6475636520796f757220627567207573696e67206120726563656e742076657273696f6e206f662074686520736f6674776172652c20746f2068652077696b6920636f6e74656e74206c616e67756167652e0a0a5468616e6b20796f752e0a546167730a436865636b557365720ad70a436f6e6e65637465642d4f70656e2d48657269746167652d42617463682d75706c6f61647320285241c42d4b4d425f315f323031372d3032290ad70a54616d696c2d53697465730ad70a47616d6570726573730ad70a48617368746167730ad70a4a4144450ad70a4b6172746f456469746f720ad70a4c616e67756167652d323031382d4170722d4a756e650ad70a4e65772d456469746f722d457870657269656e6365730ad70a4d61696c0ad70a5443422d5465616d0ad70a53756273637269626572730a4465736372697074696f6e20507265766965770a436f6e74656e77a6f6e652073657474696e6720696e20796f75722070726f66696c652c20636c69636b20746f207265636f6e63696c652eI'm running MediaWiki 1.30.0 with the latest version of LDAP Authentication extension (master branch, commit aa165265357f0420ae8f17e5b8bd7e80f8febe79) I need to support LDAP accounts and local accounts (MySQL), so I configured ``` $wgLDAPUseLocal = true; ``` which basically works, but I'm unable to create new local accounts at `Special:CreateAccount`... As soon as I enter a user name (and leave the input field) a red box appears saying > Username entered already in use. Please choose a different name. In the web developer toolbar, I can see a get request to `WIKIBASE/api.php?action=query&format=json&list=users&ususers=blah23&usprop=cancreate&formatversion=2&errorformat=html&errorsuselocal=true&uselang=en` -> I cannot see the selected domain here!? //(Not sure if that is already a bug? How is the API endpoint supposed to know under which domain I want to create the account? But maybe only `local` is supported and the domain-drop-down on that page is irrelevant?)// I ignore the message and nevertheless submit the form, the browser sends a POST request containing all the data (incl. domain): ``` wpName blah23 wpPassword test wpDomain local retype test email realname reason wpCreateaccount Create+account wpEditToken xxxx title Special:CreateAccount authAction create force wpCreateaccountToken xxxx ``` But it still says `Username entered already in use. Please choose a different name. `... So it seems as I cannot create a new local account...!? If I disable the LDAP Authentication extension, the same POST request (just pressing `F5` then) is working fine and a new account is being created.. ## Debugging I already went a bit through the code, and if I understand correctly the check for existing users basically starts at [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L1038 | AuthManager.php -> beginAccountCreation( User $creator, array $reqs, $returnToUrl ) ]], where I can see it gets the domain in `$reqs`. On [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L1068 | line 1068]] it then calls [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L928 | AuthManager.php -> canCreateAccount( $username, $options) ]], which only retrieves the username: ``` $status = $this->canCreateAccount( $username, [ 'flags' => User::READ_LOCKING, 'creating' => true ] ); ``` From `canCreateAccount` ([[ https://github.com/wikimedia/mediawiki/blob/master/includes/auth/AuthManager.php#L943 | line 943]]) the function [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L2157 | AuthManager.php -> userExists ($username, $flags) ]] is called, which then iterates `getPrimaryAuthenticationProviders ()` to `testUserExists`.. Arriving at [[ https://github.com/wikimedia/mediawiki/blob/master/includes/auth/AuthPluginPrimaryAuthenticationProvider.php#L281 | AuthPluginPrimaryAuthenticationProvider.php -> testUserExists( $username, $flags = User::READ_NORMAL )]], it simply iterates every domain (as the domain information has been lost above) and checks the `AuthPlugin::userExists()`: ``` foreach ( $domains as $domain ) { $this->auth->setDomain( $domain ); if ( $this->auth->userExists( $username ) ) { $this->auth->setDomain( $curDomain ); return true; } } ``` The LDAP Authentication extension in my case then always returns `true` (=user exists), as it cannot add LDAP users ([[ https://github.com/wikimedia/mediawiki-extensions-LdapAuthentication/blob/master/LdapAuthenticationPlugin.php#L497 | `AddLDAPUsers` is `false`]]). So even if I would introduce an (in my opinion) missing check for `'local' == $this->getDomain()` at the LdapAuthentication extension, it will still fail, as `AuthPluginPrimaryAuthenticationProvider.php -> testUserExists` still checks for all domains (including LDAP domains..). ## Workaround As explained above, one option would be to temporarily disable LDAP Authentication. Another option is to create a new local account with a command line call for eg. ``` php maintenance/createAndPromote.php USER PASS ``` which apparently doesn't check all these things.. However, I don't want to grant command line access to the users/maintainers of the wiki. ## Solution Does anyone have an idea how to fix that issue? I'm not sure, but I guess the [[ https://github.com/wikimedia/mediawiki/blob/d5b271a464c97a54a7f4f9ec6d76e54249acef24/includes/auth/AuthManager.php#L928 | AuthManager.php -> canCreateAccount( $username, $options) ]] should also know about the domain, in which the user should be created? And then also provide this information to [[ https://github.com/wikimedia/mediawiki/blob/master/includes/auth/AuthPluginPrimaryAuthenticationProvider.php#L281 | AuthPluginPrimaryAuthenticationProvider.php -> testUserExists( $username, $flags = User::READ_NORMAL )]], which doesn't check the LDAP extension for local accounts (or provides the domain to the LDAP extension, which then knows where/what/if to check..)?