LDAP account that is not attached on wikitech has no means for password reset
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Vacio
	Aug 29 2017, 5:52 PM

Description

The user @Vacio has an LDAP account that was created 2017-07-30T14:12:02Z using Striker (https://toolsadmin.wikimedia.org/). The user is now trying to login to Striker and wikitech.wikimedia.org, but has forgotten their password. Wikitech has https://wikitech.wikimedia.org/wiki/Special:PasswordReset, but that method of password recovery will only work once an LDAP account has been attached to the local MediaWiki database. Unfortunately Striker does not automatically attach accounts to wikitech, so this LDAP account is currently unattached.

Figure out how to attach this LDAP account to Wikitech so that @Vacio can reset their password
- mwscript extensions/OpenStackManager/maintenance/attachLdapUser.php --wiki=labswiki --user=$LDAP_CN --email=$LDAP_MAIL
Add password reset to Striker
See if there is a good way to attach new LDAP accounts to Wikitech when they are created using Striker

Details

	Subject	Repo	Branch	Lines +/-
	Link to idm.wm.o for password resets	labs/striker	master	+11 -1
	Add maintenance script for attaching existing LDAP accounts	mediawiki/extensions/OpenStackManager	master	+64 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	taavi	T174469 LDAP account that is not attached on wikitech has no means for password reset
Resolved	bd808	T197612 Attach Developer Account to Wikitech, to enable Reset password
Resolved	bd808	T240478 Specific user cannot log into Wikimedia developer account for Toolforge: "Wikimedia account is already in use"
Resolved	• nskaggs	T284726 Create Wikitech account for user cn=Mfchris84

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 29 2017, 5:52 PM

@Vacio Could you please elaborate on what the problem is? Did you try signing up to wikitech and did you run into an error? If so what? You can create a wikitech account at https://wikitech.wikimedia.org/w/index.php?title=Special:CreateAccount

@Vacio Wikitech uses a separate user database from the normal Wikimedia wikis. You will need to create a new account for use on wikitech. You can do this in either of two ways:

Go to https://wikitech.wikimedia.org/wiki/Special:CreateAccount and use the on-wiki account creation process
Go to https://toolsadmin.wikimedia.org/register/ and use the registration wizard

Both methods will create an LDAP account for you that can be used to login to wikitech, Gerrit, toolsadmin, and other Wikimedia websites that use LDAP authentication.

Okay sorry, for not being clear enough.

If I try to create an account with my Wikimedia accout name (Vacio) I get the message that the username is already in use. When I try to login with the same username, I am told that it doesn't exist.

How can I fix this?

Edit: If this is the wrong place to solve this issue, please excuse me and close this ticket. (Sorry, I am new here and a bit confused).

Vacio reopened this task as Open.Aug 29 2017, 6:15 PM

@Vacio You are in the right place! If you can hop on to the #wikimedia-cloud IRC channel sometime, we can help you figure this out easier real time :)

I will right now, thanks a lot (:

Vacio closed this task as Resolved.Aug 29 2017, 6:33 PM

bd808 reopened this task as Open.Aug 29 2017, 7:01 PM

bd808 renamed this task from Register to Wikitech to LDAP account that is not attached on wikitech has no means for password reset.Aug 29 2017, 7:11 PM

bd808 triaged this task as High priority.

bd808 updated the task description. (Show Details)

Framawiki removed Vacio as the assignee of this task.Aug 29 2017, 7:12 PM

Framawiki subscribed.

Task description has been updated to reflect debugging done over irc.

We need to:

Figure out how to attach this LDAP account to Wikitech so that @Vacio can reset their password
Add password reset to Striker
See if there is a good way to attach new LDAP accounts to Wikitech when they are created using Striker

bd808 claimed this task.Aug 29 2017, 10:33 PM

bd808 added a project: cloud-services-team (Kanban).

Restricted Application added a project: User-bd808. · View Herald TranscriptAug 29 2017, 10:33 PM

bd808 moved this task from Inbox to Soon! on the cloud-services-team (Kanban) board.Aug 29 2017, 10:33 PM

@Vacio, your LDAP account has been attached on Wikitech, so you should now be able to go to https://wikitech.wikimedia.org/wiki/Special:PasswordReset and request a password reset.

For posterity, here's how to attach an LDAP account to Wikitech so that the database and logs look right:

$new_user = 'cn from the LDAP record';
$new_email = 'mail from the LDAP record';

$l = LdapAuthenticationPlugin::getInstance();
$l->LDAPUsername = $new_user;
$l->email = $new_email;
$l->setDomain( $l->getDomain() );
$_SESSION['wsDomain'] = $l->getDomain();
$u = User::newFromName( $l->LDAPUsername, 'creatable' );
$u->addToDatabase();
$u->saveSettings();
$l->initUser( $u, true );
$u->addWatch( $u->getUserPage(), User::IGNORE_USER_RIGHTS );
$le = new ManualLogEntry( 'newusers', 'create' );
$le->setPerformer( $u );
$le->setTarget( $u->getUserPage() );
$le->setComment( '' );
$le->setParameters( [ '4::userid' => $u->getId() ] );
$le->publish( $le->insert() );

These commands can be pasted into a mwscript eval.php --wiki=labswiki session started from silver.

Task description updated to show remaining tasks.

Tgr subscribed.Sep 7 2017, 8:50 PM

\MediaWiki\Auth\AuthManager::getInstance()->autoCreateUser( User::newFromName( $username ), LdapPrimaryAuthenticationProvider::class, false )

is probably a less painful way to attach a user account (assuming the LDAP account exists already but the user account doesn't).

As discussed on IRC, one approach is to allow Special:PasswordReset to work for users who do not have a local account, then make sure clicking on the verification link autocreates the user.
One potential complication there is that password reset requires the editmyprivateinfo right so we'd have to somehow check whether the user would have this right after being autocreated. (Or maybe just make editmyprivateinfo for anons a requirement for password reset. If you squint hard enough, that makes semantic sense.)

In T174469#3593114, @Tgr wrote:
\MediaWiki\Auth\AuthManager::getInstance()->autoCreateUser( User::newFromName( $username ), LdapPrimaryAuthenticationProvider::class, false )
is probably a less painful way to attach a user account (assuming the LDAP account exists already but the user account doesn't).

That will blow up when AuthManager passes the User off to LdapPrimaryAuthenticationProvider to fill in the account details. It would probably work if you added the LDAP global state setup as a preamble:

$l = LdapAuthenticationPlugin::getInstance();
$l->LDAPUsername = $user_name;
$l->email = $user_email;
$l->setDomain( $l->getDomain() );
$_SESSION['wsDomain'] = $l->getDomain();

\MediaWiki\Auth\AuthManager::getInstance()->autoCreateUser(
    User::newFromName( $user_name ), LdapPrimaryAuthenticationProvider::class, false );

bd808 mentioned this in T179463: Create a single application to provision and manage developer (LDAP) accounts.Nov 1 2017, 4:26 AM

Change 394510 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/extensions/OpenStackManager@master] Add maintenance script for attaching existing LDAP accounts

https://gerrit.wikimedia.org/r/394510

gerritbot added a project: Patch-For-Review.Dec 1 2017, 1:55 AM

Change 394510 merged by jenkins-bot:
[mediawiki/extensions/OpenStackManager@master] Add maintenance script for attaching existing LDAP accounts

https://gerrit.wikimedia.org/r/394510

Vacio added a comment.Mar 10 2018, 1:12 PM

This comment was removed by Vacio.

@bd808 thanks, that worked :)

Re-opening to document the need to add password reset to Striker and try to find a way of attaching accounts on Wikitech when created directly in LDAP (lower priority).

bd808 mentioned this in T190414: Delete legacy svn accounts from LDAP directory.Mar 22 2018, 3:54 PM

bd808 mentioned this in T194599: Unable to log in to Toolforge admin - LDAP account doesn't exist/needs password reset?.May 14 2018, 1:45 AM

bd808 mentioned this in T194670: Copy maintenance/attachLdapUser.php to another extension.May 14 2018, 4:43 PM

Olem mentioned this in T197612: Attach Developer Account to Wikitech, to enable Reset password.Jun 18 2018, 5:31 PM

bd808 added a subtask: T197612: Attach Developer Account to Wikitech, to enable Reset password.Jun 18 2018, 5:47 PM

• Vvjjkkii reopened subtask T197612: Attach Developer Account to Wikitech, to enable Reset password as Open.Jul 1 2018, 1:03 AM

Olem closed subtask T197612: Attach Developer Account to Wikitech, to enable Reset password as Resolved.Jul 1 2018, 8:53 AM

bd808 mentioned this in T206396: Password reset needed following Wikimedia developer account creation problem.Oct 7 2018, 11:26 PM

A user has appeared in #wikimedia-dev asking about the account which turns out to be uid=siyam-_-,ou=people,dc=wikimedia,dc=org, cn: MD Abu Siyam. They've forgotten the password but can't reset because wikitech thinks it doesn't exist: https://wikitech.wikimedia.org/wiki/Special:Contributions/MD_Abu_Siyam
@bd808 please can you attach it?

In T174469#4718368, @Krenair wrote:

A user has appeared in #wikimedia-dev asking about the account which turns out to be uid=siyam-_-,ou=people,dc=wikimedia,dc=org, cn: MD Abu Siyam. They've forgotten the password but can't reset because wikitech thinks it doesn't exist: https://wikitech.wikimedia.org/wiki/Special:Contributions/MD_Abu_Siyam
@bd808 please can you attach it?

{{done}} https://wikitech.wikimedia.org/wiki/Special:Log/MD_Abu_Siyam

bd808 mentioned this in T209770: Unable to login to Striker.Nov 19 2018, 5:05 PM

• GTirloni added a project: cloud-services-team (Kanban).Mar 24 2019, 12:09 PM

bd808 removed a project: cloud-services-team (Kanban).Jul 9 2019, 9:32 PM

bd808 merged a task: T237257: Add "forgot your password" link on https://toolsadmin.wikimedia.org/auth/login/.Nov 4 2019, 4:55 PM

bd808 added subscribers: • Phamhi, Masumrezarock100, Chicocvenancio.

Chicocvenancio mentioned this in T237257: Add "forgot your password" link on https://toolsadmin.wikimedia.org/auth/login/.Nov 4 2019, 5:06 PM

bd808 added a subtask: T240478: Specific user cannot log into Wikimedia developer account for Toolforge: "Wikimedia account is already in use".Dec 11 2019, 6:00 PM

Erutuon closed subtask T240478: Specific user cannot log into Wikimedia developer account for Toolforge: "Wikimedia account is already in use" as Resolved.Dec 11 2019, 7:19 PM

bd808 mentioned this in T250189: LDAP access to the wmf group for Sam Walton.Apr 28 2020, 8:35 PM

bd808 says:

the fix is `mwscript extensions/OpenStackManager/maintenance/attachLdapUser.php --wiki=labswiki --user=$LDAP_CN --email=$LDAP_MAIL` on a labweb host

bd808 mentioned this in T261653: Toolsadmin (Striker) login and account recovery feature requests.Sep 2 2020, 10:26 PM

bd808 merged a task: T261653: Toolsadmin (Striker) login and account recovery feature requests.

bd808 added a subscriber: Nikolay_Komarov.

taavi mentioned this in T284726: Create Wikitech account for user cn=Mfchris84.Jun 10 2021, 10:02 AM

taavi added a subtask: T284726: Create Wikitech account for user cn=Mfchris84.

• nskaggs closed subtask T284726: Create Wikitech account for user cn=Mfchris84 as Resolved.Jun 14 2021, 2:46 PM

Urbanecm mentioned this in T286630: Account recovery help needed for Developer account.Jul 14 2021, 8:51 AM

Yining_Chen subscribed.Jul 17 2021, 12:41 PM

bd808 updated the task description. (Show Details)Feb 4 2022, 11:05 PM

bd808 mentioned this in T311431: Account recovery help needed for Developer account [Nivas10798] .Jun 27 2022, 4:31 PM

Can I request a password reset? I made an account with a randomly generated password but my password manager failed to save it. I have not logged into it once and so I cannot use https://wikitech.wikimedia.org/ to reset it.

RPI2026F1 mentioned this in T323494: Attach Developer account RPI2026F1 to wikitech to allow password reset.Nov 21 2022, 1:27 PM

Framawiki unsubscribed.Jan 2 2023, 6:26 PM

Is this still an issue as Bitu is now used for password resets?

Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptMar 6 2024, 11:43 AM

In T174469#9605736, @taavi wrote:

Is this still an issue as Bitu is now used for password resets?

If the reset process is actually working in Bitu now then the main remaining issue would be discovery of that fact. We shouldn't assume that folks using Striker are familiar enough with the larger Wikimedia technical contributor ecosystem to know that they could switch to another *.wikimedia.org site manually to resolve their problem. I actually can't figure out the URL that would be needed myself off the top of my head. I think this means we still need a link from the login screen to somewhere labeled "Forgot password?".