Opened 14 years ago

Closed 4 months ago

Last modified 4 months ago

#165 closed task (fixed)

Wiki LDAP integration

Reported by: crschmidt
Owned by: robe
Priority: major
Milestone: Sysadmin Contract 2021-I
Component: Wiki
Keywords: ldap, wiki
Cc: martin, Jeff McKenna, strk, Cwillmes, sac@…, jive, hexmode

Description

MediaWiki has an extension to support LDAP integration. It is described on the MediaWiki LDAP auth page: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication

The requirements to install are as follows:

  • MediaWiki 1.6+ for current version of the plugin (I will no longer be backporting to the 1.5 series)
  • PHP must be compiled with LDAP support for any functionality at all
  • PHP must be compiled with SSL support if you wish to authenticate over SSL (HIGHLY Recommended!!)
    • Your server must trust the LDAP server's Certificate's Root CA for SSL to work (mostly affects you if you are using self signed certificates)
    • The DNS name for your LDAP server must match the name in the LDAP server's certificate for SSL to work
  • Smartcard/CAC authentication requires a PEM encoded list of CAs, proxy or anonymous (if allowed) LDAP credentials, and an SSL enabled webserver

There are more details at the page on how to proceed with this.

Change History (97)

comment:1 Changed 14 years ago by crschmidt

Component: General → SAC
Owner: changed from tmitchell to sac@…

comment:2 Changed 14 years ago by martin

All PHP-related packages that were shipped with the distribution on 'osgeo2' have been removed. This script was used to configure PHP:

./configure --prefix=/usr/local --with-apxs2=/usr/sbin/apxs \
--disable-cgi --with-openssl --with-gettext --with-ldap \
--with-readline --with-pdo-pgsql --with-pgsql \
--with-mysql --with-pdo-mysql --with-mysql-sock=/var/lib/mysql/mysql.sock \
--without-pdo-sqlite --without-sqlite --with-xmlreader --with-xsl \
--with-gd --with-jpeg-dir --with-png-dir --with-zlib-dir --with-bz2 \
--with-ttf --with-freetype-dir \
--enable-sysvshm=yes --enable-sysvsem=yes --enable-memory-limit

Wiki database access parameters can be read from the "LocalSettings.php" file. We're running MySQL here, so the GRANT for database access looks a bit funny:

mysql> GRANT all on osgeo_wiki to 'wiki'@'localhost';

comment:3 Changed 14 years ago by martin

While we are at it, I'd like to make our Wiki a bit nicer by eliminating the "index.php" string in the URLs. These are the rules that I prefer to apply:

http://www.mediawiki.org/wiki/Manual:Short_URL/wiki/Page_title_--_Apache_rewrite--root_access

Martin.

comment:4 Changed 14 years ago by warmerdam

Martin,

I'm supportive of this idea, as long as the old urls continue to work too, since they are published all over the place.

comment:5 Changed 14 years ago by tmitchell

Sounds good to me too.

comment:6 in reply to:  4 Changed 14 years ago by wolf

Replying to warmerdam:

Martin,

I'm supportive of this idea, as long as the old urls continue to work too, since they are published all over the place.


That could be done with a

RedirectMatch permanent /index.php(.*)$ http://wiki.osgeo.org\1

This will result in all old links resulting in a HTTP response code of 301 (which the browser automatically redirects). Hopefully search engines will take note of this too.

comment:7 in reply to:  3 Changed 13 years ago by martin

Replying to martin:

While we are at it, I'd like to make our Wiki a bit nicer by eliminating the "index.php" string in the URLs.

Changes in /var/www/wiki/LocalSettings.php

Replace:

$wgArticlePath      = "$wgScript/$1";

with:

$wgArticlePath      = "/wiki/$1";

Changes in /etc/httpd/conf.d/hosts/wiki.conf

Add to each <VirtualHost [...]>

  RewriteEngine On
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule /wiki/(.*)$ /index.php?title=$1 [PT,L,QSA]
  RedirectMatch permanent ^/index.php/(.*)$ /wiki/$1

Martin.

comment:8 Changed 13 years ago by tmitchell

  RewriteRule /wiki/(.*)$ /index.php?title=$1 [PT,L,QSA]

Just curious why you rewrote to the "/wiki/" prefix - was there a particular quirk you were avoiding? I'd love to wiki.osgeo.org/Main_Page, avoiding "/wiki/" altogether. But I don't understand the technical implications.

comment:9 Changed 13 years ago by wolf

Owner: changed from sac@… to wolf

comment:10 Changed 13 years ago by wolf

Status: new → assigned

Work starts June 18th

comment:11 Changed 13 years ago by warmerdam

Cc: warmerdam hobu added

comment:12 Changed 13 years ago by warmerdam

Cc: martin tmitchell added

comment:13 Changed 5 years ago by strk

Keywords: ldap wiki added

comment:14 Changed 5 years ago by strk

Component: Systems Admin → Wiki

comment:15 Changed 5 years ago by strk

The updated link to LDAP authentication extension for MediaWiki: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

comment:16 Changed 4 years ago by Jeff McKenna

Cc: Jeff McKenna strk Cwillmes added; warmerdam hobu tmitchell removed

comment:17 Changed 4 years ago by astrodog

Owner: changed from wolf to astrodog
Status: assigned → new

Taking, the solution we want for the new site should also solve this, so we might as well get both...

comment:18 Changed 4 years ago by astrodog

Status: new → assigned

comment:19 Changed 4 years ago by strk

This functionality may help to merge local and LDAP accounts: https://wiki.osgeo.org/wiki/Special:UserMerge

Astrodog: any news about your plan to fix this ?

comment:20 Changed 4 years ago by neteler

Cc: sac@… added

IMHO this should become a paid job. This report is open for 10 years...

comment:21 Changed 4 years ago by strk

+1 on paying for this.

How about sending an official motion to the list to make a call for offers to deal with it ?

comment:22 Changed 3 years ago by strk

Cc: jive added

For reference: Board just realized this problem (#2139). Sounds about time to gather offers to do the work... I suggest we contact the authors of Wikimedia LDAP plugin(s) and ask for a quote to do whatever is missing to complete the migration, if nobody else from SAC wants to place a bid.

comment:23 Changed 3 years ago by martin

My own plan for merging Wiki- and LDAP-logins (a couple of years ago) envisioned a custom extension to the Wiki login page as the first step, asking Wiki users to enter their LDAP username after a successful Wiki login.
The second step included a page to ask LDAP users to enter their Wiki username after successful LDAP login.
Or something along these lines, which would allow to match Wiki and LDAP logins against each other without manual intervention.

This never happened because nobody was available and skilled at the same time to modify the Wiki login page accordingly. Thus, even though this would have allowed almost fool-proof matching, I have to admit it has failed.
The UserMerge Wiki extension in contrast, while allowing to merge user logins, requires not only manual action in the process of merging user logins but also manual verification of the respective identities.

Adding LDAP and UserMerge to the Wiki is pretty simple from a *technical* point of view. Therefore the question boils down to: Which method is preferred from an *organizational* point of view ?

comment:24 Changed 3 years ago by jive

Following on to board f2f meeting "volunteer-confusion-over-user-ids" topic which reopened this issue:

The board discussion indicated it would be acceptable to just go to LDAP, with full understanding that a portion of the wiki users would not have access after the transition (until they established an OSGeo userid).

Is there an advantage to mapping LDAP username to Wiki username that I am not seeing?

comment:25 Changed 3 years ago by strk

Advantage of mapping would be, I guess, not leaving thousands of unaccessible accounts, orphaned content and identity split.

comment:26 Changed 3 years ago by martin

As far as I can see, there are two issues in "just go to LDAP" - please, whoever knows better, correct me, if I'm wrong:

1.) The vast majority of Wiki edits will refer to an author not available in the LDAP user database after the switch, simply because most of them don't match.

2.) There are more than 5k users in the Wiki user database, more than 20k users in OSGeo LDAP and more than 1k overlapping user names between both, which will lead to conflicting user names in the Wiki after the switch.

While 1.) will just disturb Wiki editors, because they don't "own" their edits any more, 2.) will likely ask for a solution because it'll add confusion in itself.

comment:27 Changed 3 years ago by strk

Would UserMerge (URL?) allow fixing both points in the long run, beside the envisioned manual effort ? Does it necessarily need to be manual, btw ? Can we help it programmatically with some email based matching ?

comment:28 Changed 3 years ago by martin

As far as I can tell, UserMerge works by - manually - entering two existing user names, one being just a source and another being the common destination.
Maybe we can add automated matching and scripting to the process but apparently we're short of expertise on automating MediaWiki, therefore I don't know who's capable of adding the missing bits.

I also have little confidence in the quality of EMail addresses in the Wiki database, because a long-term policy had been "we don't want any obstacles in the process of registering with OSGeo". Therefore I would expect a lot of garbage and false EMail addresses on the Wiki as well as in LDAP.
That's why I proposed to ask authenticated LDAP users to provide their Wiki account name and vice versa in order to ensure, the matches are valid (at least most of them).

Moreover, I have no idea what's going to happen when we use UserMerge for merging Wiki user "joe" into LDAP user "karl" while "joe" is a valid user name in LDAP as well. This probably means we need to resolve conflicting user names beforehand (see above).

Disclaimer: Especially now, after realizing I was unable to carry out my own plan, I do *not* intend to hold OSGeo back from switching the Wiki over to LDAP authentication. I just want to add my thoughts to this discussion, hoping they'll help in making an educated decision.
Maybe someone will even prove me to be totally wrong.

comment:29 Changed 3 years ago by martin

Please also read the mailing list thread starting about here:

http://lists.osgeo.org/pipermail/sac/2017-September/008440.html

comment:30 Changed 3 years ago by TemptorSent

Regarding handling merge of existing wiki users and osgeo account users:

  • Existing users with accounts on the wiki should be the only ones inconvenienced in the migration.
  • No loss of authorship information should occur.
  • No namespace conflicts should occur between old wiki accounts and new LDAP accounts.
  • All future logins should go through the OSGeo LDAP authentication service.
  • Users should provide their wiki account credentials to migrate their existing wiki account after authenticating to their OSGeo LDAP account.
  • Non-migrated usernames in database may be modified to prevent collision with newly migrated users if necessary.

comment:31 Changed 3 years ago by TemptorSent

Proposed migration plans following #OSGeo-sac meeting 2018-03-29

Martin noted that the current MediaWiki instance is somewhat out of date, therefore I propose the following migration to both a newer mediawiki version and ldap authenticated accounts:

  1. Setup clean new MediaWiki instance, including all necessary extensions.
  2. Export database from current instance and import to new instance.
  3. Rename all existing user accounts with prefix, such as "_wikiuser_".
  4. Disable login to any account having the prefix.
  5. Force all logins through OSGeo LDAP authentication.
  6. On first login of a LDAP user to the wiki, prompt user to provide credentials for any existing wiki accounts they wish to merge; prepend prefix to authenticate and merge if valid.

We will want to do this on a testing basis first to work out any issues, then freeze the existing instance before importing clean with a fresh dump and swapping in the new instance.

comment:32 Changed 7 months ago by strk

Work in progress: https://git.osgeo.org/gitea/hexmode/WikiToLDAP

Santa Claus has been busy for these 13 years but he may be finally getting to us

comment:33 Changed 7 months ago by strk

The work is ready for test. Please go to https://dev.wiki.osgeo.org/w/ and try logging in. Both LDAP and WIKI credentials should be accepted, unless you have the same username on WIKI and LDAP, in which case only WIKI credentials will be accepted for first login (you'll be able to then login via LDAP after the merge operation). How's your experience ? Smooth enough ? Anything you'd change ?

comment:34 Changed 7 months ago by neteler

I just tried and

https://dev.wiki.osgeo.org/wiki/Special:PluggableAuthLogin

504 Gateway Time-out
nginx/1.14.0 (Ubuntu)

(maybe the version should be suppressed to reduce the attack surface for script kiddies)

comment:35 Changed 7 months ago by strk

Please try again now. It was a problem with the LDAP connection. File another ticket for omitting the nginx version information (this is probably common for all of our proxies, but it has to be confirmed).

comment:36 Changed 7 months ago by martin

I'm sorry to report, the credentials I used to update this ticket don't work for me on the Dev Wiki:

Incorrect username or password entered. Please try again.

...., btw, I'm pretty much excited about this move in general!


comment:37 Changed 7 months ago by strk

When LDAP credentials don't work it is because your WIKI username is the same as the LDAP username. This is a known issue described here: https://git.osgeo.org/gitea/hexmode/WikiToLDAP/issues/3

I'm afraid the ball was dropped on this, and the only improvement we're left with would be changing the error message to suggest logging-in via the WIKI credentials. I don't like this either, but the external consultant (Mark aka hexmode) says it's too much work to allow direct LDAP access in this case.

The good news is that you should still be able to access via the WIKI credentials and you should be guided into the migration process, after which you should be able to login via LDAP (and no more via WIKI).

comment:38 Changed 7 months ago by martin

Hi Sandro, my Wiki username is different from the LDAP username (Mspott/martin).

Edit: Ok, after reading https://git.osgeo.org/gitea/hexmode/WikiToLDAP/issues/3, if I get it right, I understand there will be no resolution for any LDAP user names already being occupied on the Wiki. Correct?


comment:39 Changed 7 months ago by strk

Cc: hexmode added

Martin: I'm not sure "no solution" is correct. We should ask Mark (hexmode, now in Cc). I think you can still login with your WIKI credentials and associate your wiki user with the LDAP account, can you please try that ?

Do you know who Martin is, btw ? https://dev.wiki.osgeo.org/wiki/Special:Contributions/Martin Last contribution in 2007

comment:40 Changed 7 months ago by martin

Looks like Wiki user "Martin" was an OSGeo Journal editor .... I myself joined by end of 2006, so there must have been an overlap, but this definitely wasn't myself.
Maybe Martin Wegmann, now known as Wiki user "Wegmann"? Their edit histories match pretty well.

Nevertheless, I suspect that I'm not the only user being affected by such a naming collision. There are thousands of nicknames in LDAP and Wiki and while a solution for myself would be nice (of course :-) , others might complain as well.

Ah, and, for some - unknown - reason I lost my Wiki password. While I was able to trigger a PasswordReset on the production Wiki, this is disabled on the Dev.

comment:41 Changed 7 months ago by strk

Do you think renaming all wiki accounts to have a prefix would fix these cases ? Sounds like a good plan to me (assuming we can verify no LDAP user has such prefix AND we can prevent using it in the future)

comment:42 in reply to:  41 ; Changed 7 months ago by hexmode

Replying to martin:

Looks like Wiki user "Martin" was an OSGeo Journal editor .... I myself joined by end of 2006, so there must have been an overlap, but this definitely wasn't myself.
Maybe Martin Wegmann, now known as Wiki user "Wegmann"? Their edit histories match pretty well.

Someone should reach out to "Wegmann" and find out if it is the same user and offer to use Special:UserMerge to merge their users.

Replying to strk:

Do you think renaming all wiki accounts to have a prefix would fix these cases ? Sounds like a good plan to me (assuming we can verify no LDAP user has such prefix AND we can prevent using it in the future)

Changing all wiki usernames could be done with a slightly altered form of the UserRename extension's "renameUser.php" script: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Renameuser/+/refs/heads/master/maintenance/renameUser.php

I'm willing to do that this weekend if you want.

comment:43 Changed 7 months ago by strk

+1 for wiki users rename (_wikiuser_ prefix as per TemptorSent plan). What do others think ?

comment:44 in reply to:  42 Changed 7 months ago by neteler

Replying to hexmode:

Replying to martin:

Looks like Wiki user "Martin" was an OSGeo Journal editor .... I myself joined by end of 2006, so there must have been an overlap, but this definitely wasn't myself.
Maybe Martin Wegmann, now known as Wiki user "Wegmann"? Their edit histories match pretty well.

Someone should reach out to "Wegmann" and find out if it is the same user and offer to use Special:UserMerge to merge their users.

I have just contacted Martin Wegmann asking him to support us here.

comment:45 Changed 7 months ago by robe

+1 for wiki users rename (_wikiuser_ prefix)

comment:46 Changed 6 months ago by hexmode

I think we've finally gotten this to where we're ready to push it to prod. Please log into https://dev.wiki.osgeo.org/ with either or both of your Wiki and LDAP credentials and see if you understand how to merge one account with the other.

comment:47 Changed 6 months ago by wildintellect

Initial login with Wiki, and converting to LDAP works. Minor, we should add a link to sign up for LDAP if needed, in the statement. Now the confusing part is what happened after, upon trying to login again the username was filled in 'Wiki-', which didn't work. Changing it to my LDAP username works but then I get a prompt to 'Merge old wiki accounts with LDAP accounts' which isn't well explained and doesn't work.

comment:48 Changed 6 months ago by hexmode

Minor, we should add a link to sign up for LDAP if needed, in the statement.

Which statement? I assume you mean this one: https://dev.wiki.osgeo.org/wiki/MediaWiki:Wikitoldap-introduction

Those messages should be edited on-wiki to adjust them to point to id.osgeo.org.

Now the confusing part is what happened after, upon trying to login again the username was filled in 'Wiki-', which didn't work. Changing it to my LDAP username works but then I get a prompt to 'Merge old wiki accounts with LDAP accounts' which isn't well explained and doesn't work.

Could you clarify "didn't work"? strk and others have tested this multiple times before we got to the point of posting about it here, so I know that, in some sense, it works.

What did you do? What did not work?

comment:49 Changed 6 months ago by strk

I think he refers to this:

the username was filled in 'Wiki-', which didn't work.

He means the browser input field is pre-filled with 'Wiki-$Username' on next login. I've had the same experience, and it is indeed annoying.

The "didn't work" refers to using the 'Wiki-' prefixed username with which the form is pre-filled. I've no idea where that pre-fill comes from (a cookie?) or if the extension can do anything about it.

Regarding the second prompt I also think I saw it once, but then disappeared on next login, so not sure when the merge prompt should or should stop popping up (still a cookie?).

comment:50 in reply to:  49 Changed 6 months ago by hexmode

Replying to strk:

He means the browser input field is pre-filled with 'Wiki-$Username' on next login. I've had the same experience, and it is indeed annoying.

Agreed. And that login won't work after the merge because, after the merge, that account doesn't exist.

I'm not sure what to do about it -- maybe we could destroy that cookie after a merge? Or, better, replace it with the name of the account that it is merged to.

Regarding the second prompt I also think I saw it once, but then disappeared on next login, so not sure when the merge prompt should or should stop popping up (still a cookie?).

I don't think I've seen that, but maybe I wasn't paying attention.

It would be good if wildintellect could confirm or clarify some more here.


comment:51 Changed 6 months ago by wildintellect

Yes that's what happened, expiring the cookie might make sense. On re-login I discovered if I choose the "skip this step" button, then it doesn't ask again. But I'm not sure why it asked in the first place, and I think it's potentially confusing for users. Does the skip set a flag to not ask again in the db somewhere?

comment:52 Changed 6 months ago by hexmode

I've updated the extension so that you won't see the "wiki-" prefix when you try to login now.

Skipping does make sure that you aren't in the group that sees the transition any more.

comment:53 Changed 6 months ago by strk

I think the WIKI users should *always* see the merge request. It's just LDAP users that we want able to say "don't ask me anymore" because maybe they NEVER had a WIKI account.

Those with a WIKI account we want to DROP as soon as possible, so we should keep bothering them with the message.

comment:54 Changed 6 months ago by strk

Moreover: the message bugging WIKI users for merging them with a LDAP account should be configurable because at one point we want to give them a timeframe within which they need to merge before the account is REMOVED.

comment:55 Changed 5 months ago by martin

Hi all, I looked into this again and now I successfully merged my old Wiki name "Mspott" into the LDAP account "martin" on the "dev.wiki". The edit history in the pages I worked on was migrated properly.

Anyhow I noticed that the "Special:Contributions/Martin" page was empty after the merge.

Moreover I'd suggest to add a notice to remind users to move their former User page .... and not to make the same mistake I made by moving it into the "(Main)" section of the Wiki but instead directly into the "User" section ;-)

Great progress!!!


comment:56 Changed 5 months ago by strk

Martin: we paid the consultant (I think) so from now on is all on our shoulders. Can you see if there's a way to have the notice you mention written in some template already ? We also now need to plan for deploying this new plugin to production (and I didn't touch wiki on the ansible side, so if you did you're welcome to suggest or even send a pull request for our playbooks)

comment:57 in reply to:  55 ; Changed 5 months ago by hexmode

Replying to martin:

Anyhow I noticed that the "Special:Contributions/Martin" page was empty after the merge.

Interesting, I thought that was handled.

Moreover I'd suggest to add a notice to remind users to move their former User page .... and not to make the same mistake I made by moving it into the "(Main)" section of the Wiki but instead directly into the "User" section ;-)

The pages should have been moved automatically.

comment:58 in reply to:  57 Changed 5 months ago by hexmode

Replying to hexmode:

The pages should have been moved automatically.

I just realized why the page move, at least wasn't done. The old user accounts have been renamed, but I don't think I attempt to move from the renamed user accounts. I have to check that.

comment:59 in reply to:  55 Changed 5 months ago by hexmode

Replying to martin:

Moreover I'd suggest to add a notice to remind users to move their former User page

You can see the messages displayed and find the proper MediaWiki: page to modify by seeing the messages here: https://git.osgeo.org/gitea/hexmode/WikiToLDAP/src/branch/master/i18n/en.json

comment:60 in reply to:  56 ; Changed 5 months ago by hexmode

Replying to strk:

Can you see if there's a way to have the notice you mention written in some template already ?

I think the changes I just committed will fix this. Can we test the updated code?

martin: If I reset the db would you have time to test again?

comment:61 Changed 4 months ago by robe

Milestone: Sysadmin Contract 2021-I

comment:62 Changed 4 months ago by robe

Priority: normal → major

comment:63 Changed 4 months ago by robe

Owner: changed from astrodog to robe
Status: assigned → new

comment:64 in reply to:  60 Changed 4 months ago by martin

Replying to strk:

I think the changes I just committed will fix this. Can we test the updated code?

martin: If I reset the db would you have time to test again?

I'm sorry, apparently that message slipped through ....

Anyhow, I checked again and now the migration completed successfully, moving the user page and updating the contributions included. Wonderful!

comment:65 Changed 4 months ago by robe

I've incorporated hexmode's install scripts into an ansible playbook. In addition to the wiki ldap, he provided us with a bunch of other goodies incorporated in this playbook -- e.g. restructuring to fit wiki modern convention, using memcached etc.

I have it in this repo https://git.osgeo.org/gitea/sac/ansible-deployment/src/branch/master/deployment/roles/wiki

I tested it on a backup of wiki of a week ago. I'm going to do a couple more final tests on new snapshot of wiki before go live.

I'm planning for go-live to be this coming Friday to give people a week to test on. I'll send an official announcement after I've done some final ansible test runs.

Testing env is:

https://staging.wiki.osgeo.org

(NOTE: I'm doing a couple more trial runs of my ansible script - so that staging link above may be up and down depending on my testing phase)

comment:66 Changed 4 months ago by robe

Resolution: fixed
Status: new → closed

Migration of wiki.osgeo.org is complete. You should now be able to login with your LDAP account and if your content has not been migrated, you should be prompted to do so.

comment:67 Changed 4 months ago by wildintellect

Just ran through the update:

  1. Can we add some info to the login page (or a link), so people know they have to use LDAP (and if they don't have LDAP make one) - I suspect many people won't have seen the email on Discuss and will be confused.
  2. After completing the merge, the continue button takes me back to starting the merge. It did finish and navigating away seems fine, but that was odd, maybe continue should send people to homepage.

comment:68 Changed 4 months ago by robe

  1. Happened to me a number of times, but I couldn't replicate the issue consistently.

Regarding the #1, the Request login page takes you to the LDAP create page. I also changed the main site where it talks to wiki to say you need an LDAP account and changed the LDAP create page to note wiki is one of the things you need an LDAP account for.

I thought #1 was pretty clear for old users, as it does find your old account and tells you to merge. Not sure what more we can add to that page to make it clear without being more confusing. Perhaps we can have link to the detailed instructions like what hexmode had provided.

comment:69 Changed 4 months ago by neteler

Hi, I am stuck in 2) -> endless loop, in which the continue button takes me back to starting the merge, rejecting the merge.

User name "neteler"

Another report is at https://github.com/OSGeo/osgeo/issues/233

comment:70 Changed 4 months ago by kalxas

Same issue for me, I am stuck in the same loop. user name "kalxas"

comment:71 Changed 4 months ago by martin

I performed the migration to LDAP user "martin" on the prod instance but, unfortunately, in contrast to the preceding test on staging, my user page was not migrated and my edits are still owned by the old Wiki user "Mspott".

This time I started the migration on prod by logging in as the old Wiki user first .... wait let me cross-check. Oh, re-running the migration on the current staging leads to the same result when logging in as LDAP user first. Obviously the procedure has changed since my last - successful - test.

Meanwhile I moved the user page manually on prod, but, of course, this still doesn't fix the ownership of my edits.

comment:72 Changed 4 months ago by hexmode

If you have access to https://wiki.osgeo.org/wiki/Special:UserMerge you can merge your old user with your new one. The old user will now be "Wiki-OLDUSERNAME".

Once your old user is merged with your new one, the ownership of the edits should be fixed.

comment:73 in reply to:  69 Changed 4 months ago by hexmode

Replying to neteler:

Hi, I am stuck in 2) -> endless loop, in which the continue button takes me back to starting the merge, rejecting the merge.

User name "neteler"

Can you log in with your ldap user? What happens if you do?

Another report is at https://github.com/OSGeo/osgeo/issues/233

I replied to that one.

comment:74 in reply to:  72 Changed 4 months ago by neteler

Replying to hexmode:

If you have access to https://wiki.osgeo.org/wiki/Special:UserMerge you can merge your old user with your new one. The old user will now be "Wiki-OLDUSERNAME".

I am part of SAC and (think) to also be part of the group "Bureaucrats", but I get

Permission error
Jump to navigation
Jump to search

You do not have permission to merge users, for the following reason:

The action you have requested is limited to users in the group: Bureaucrats.

Maybe robe or strk could check that please?

comment:75 Changed 4 months ago by robe

I seem to not have access to bureaucrats anymore either, gives me the same permission error as @neteler gets.

comment:76 Changed 4 months ago by robe

It's very odd though, cause when I look here

https://wiki.osgeo.org/w/index.php?title=Special:ListUsers&group=bureaucrat

I am listed as a bureaucrat and so is neteler. Could it be the error is wrong and it's for a different reason, like we are in LDAP mode and that doesn't fully apply?

But it could be just our accounts for some reason did not fully merge as ours shows "In process of merging".

I see wildintellect's account doesn't show that strange message, so perhaps he can do it.

comment:77 Changed 4 months ago by robe

I think it does have to do with my issue when originally merging my account, that error that sadly happened to me in production but not in staging.

I noticed in staging.wiki.osgeo.org, I do have merge permissions.

comment:78 Changed 4 months ago by robe

I've logged the issue in https://git.osgeo.org/gitea/hexmode/WikiToLDAP/issues/8

@neteler I edited the mysql database to put back your group permissions and did so with mine as well. I was going to leave the others as is until we determine the culprit of the issue. The problem does not consistently happen so hard to troubleshoot. Some people's groups seem to come thru fine and some do not and as mentioned it's not even consistent by user as my groups came thru fine when testing in staging but did not come thru fine in prod. Wildintellect's seems to have come thru fine in prod.

comment:79 Changed 4 months ago by neteler

Thanks for your efforts. I can login again but something is still wrong

I suspect that the migration of my user account didn't work well so far.

comment:80 Changed 4 months ago by robe

I deleted the in progress part and deleted all the groups the neteler account belongs to. Can you try logging again and see if things are better?

comment:81 Changed 4 months ago by robe

Neteler can you see if you have access to your pages again? Hopefully I didn't cause more damage than good.

I couldn't merge the accounts neteler / Neteler because the routine sees them as the same name.

However I was able to use the Rename User feature to rename your ghost account from neteler to Wiki-Neteler and then merge Wiki-Neteler into Neteler (and deleted the Wiki one). Hopefully that did the trick. If so I can do that with others that have ghost accounts.

comment:82 Changed 4 months ago by Jeff McKenna

My user account 'Jmckenna' is in the exact same situation as 'Neteler': no past edits, not part of bureaucrats even though was before. Could it be that any bureaucrat is facing this issue, since the merge?

comment:83 in reply to:  81 ; Changed 4 months ago by neteler

Replying to robe:

Neteler can you see if you have access to your pages again? Hopefully I didn't cause more damage than good.

Thanks - the login now works, and history is there: https://wiki.osgeo.org/wiki/Special:Contributions/Neteler

However, yet no edit rights...

comment:84 in reply to:  83 ; Changed 4 months ago by robe

Replying to Jeff McKenna:

Could it be that any bureaucrat is facing this issue, since the merge?

The issue is a case sensitivity one. It turns out our MySQL wiki database is case sensitive. Came as a shock to me, and the wiki expects the first letter to be upper case. Cutting to the chase, this resulted in ghost accounts being created. So there is a Jmckenna and a jmckenna account. It seems for many people the history / group was assigned to the all lower case account, which you can't log into because login forces uppercase for the first letter.

We put in a patch last night which hopefully should fix the issue moving forward.

I've just merged your identity Jeff -- can you try again.

Replying to neteler:

Replying to robe:

Neteler can you see if you have access to your pages again? Hopefully I didn't cause more damage than good.

Thanks - the login now works, and history is there: https://wiki.osgeo.org/wiki/Special:Contributions/Neteler

However, yet no edit rights...

This is odd. I thought I took you out of the in-progress/needs-migration group and yet you seem to have gotten back in. I've deleted those again, but this time via the Wiki interface instead of directly from the database. If they show up again when you log in I'll investigate further.

+---------+----------------------------+-----------+
| ug_user | ug_group                   | ug_expiry |
+---------+----------------------------+-----------+
|   25083 | bureaucrat                 | NULL      |
|   25083 | sysop                      | NULL      |
|   25083 | wikitoldap-in-progress     | NULL      |
|   25083 | wikitoldap-merged          | NULL      |
|   25083 | wikitoldap-needs-migration | NULL      |
+---------+----------------------------+-----------+
Last edited 4 months ago by robe (previous) (diff)
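
Added example (not part of the ticket or of the WikiToLDAP code): an audit over exported MediaWiki `user` and `user_groups` rows that flags the two faults described above, ghost accounts whose names collide once the first letter is upper-cased, and merged accounts that still hold the in-progress or needs-migration groups. The function names, sample users and all user ids other than the 25083 rows quoted above are constructed for illustration.

```python
from collections import defaultdict

# Group names as they appear in the user_groups output quoted in the ticket.
STALE = {"wikitoldap-in-progress", "wikitoldap-needs-migration"}
MERGED = "wikitoldap-merged"

# Constructed sample rows (user_id, user_name); the ids are made up.
USERS = [(101, "Jmckenna"), (102, "jmckenna"), (103, "Neteler"),
         (104, "neteler"), (105, "Wildintellect")]
# (ug_user, ug_group): the 25083 rows are copied from the ticket, the rest are constructed.
USER_GROUPS = [(25083, "bureaucrat"), (25083, "sysop"),
               (25083, "wikitoldap-in-progress"), (25083, "wikitoldap-merged"),
               (25083, "wikitoldap-needs-migration"),
               (102, "bureaucrat"), (105, "bureaucrat"), (105, "wikitoldap-merged")]

def ucfirst(name):
    """Upper-case only the first letter, as the wiki login does."""
    return name[:1].upper() + name[1:]

def groups_by_user(group_rows):
    groups = defaultdict(set)
    for uid, group in group_rows:
        groups[uid].add(group)
    return groups

def find_ghosts(users, group_rows):
    """Map each login name shared by several stored names to the ghost
    accounts (stored name != login name) and the groups stranded on them."""
    groups = groups_by_user(group_rows)
    buckets = defaultdict(list)
    for uid, name in users:
        buckets[ucfirst(name)].append((uid, name))
    report = {}
    for login, accounts in buckets.items():
        if len(accounts) > 1:
            report[login] = {name: sorted(groups[uid])
                             for uid, name in accounts if name != login}
    return report

def find_stale_merges(group_rows):
    """Users already marked merged that still carry a migration-state group."""
    return {uid: sorted(g & STALE)
            for uid, g in groups_by_user(group_rows).items()
            if MERGED in g and g & STALE}

if __name__ == "__main__":
    print("ghost accounts:", find_ghosts(USERS, USER_GROUPS))
    print("stale merge state:", find_stale_merges(USER_GROUPS))
```

A ghost entry with a non-empty group list means rights are sitting on an account nobody can log into, which matches the lost bureaucrat rights reported in this thread.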

comment:85 Changed 4 months ago by robe

At a glance no new accounts since I put in the ucFirst patch have ghosts (ticket / patch here - https://git.osgeo.org/gitea/hexmode/WikiToLDAP/issues/8)

I have merged the following accounts which had ghosts. Can these people check and see if they have history and can edit their content.

Aghisla
Jbryant
Kalxas
Martin
Mlennert
Rjuju

comment:86 Changed 4 months ago by robe

Also merge these with their ghost accounts

Alfonx
Aanderson
Gfleming
Jsanz
Krashish8

comment:87 Changed 4 months ago by neteler

Excellent - I can now login and edit!

The others hopefully as well after the fix.

comment:88 Changed 4 months ago by martin

Hi all, I hardly remember observing such automated process succeed on a test copy of a system and afterwards fail on the production instance .... well, learning never stops :-)

As far as I can tell, most of the migration steps of my Wiki user account have now completed successfully on the prod instance, the Contributions list filled up and looks plausible. I found one single, minor issue:

References to the specific User page, like the one in https://wiki.osgeo.org/wiki/SAC:Primary_Administrators still refer to the old Wiki user name. I'll apply a manual fix to mine, anyhow other contributors might not be aware of this fact.

comment:89 in reply to:  85 Changed 4 months ago by Mlennert

Replying to robe:

At a glance no new accounts since I put in the ucFirst patch have ghosts (ticket / patch here - https://git.osgeo.org/gitea/hexmode/WikiToLDAP/issues/8)

I have merged the following accounts which had ghosts. Can these people check and see if they have history and can edit their content.

Aghisla
Jbryant
Kalxas
Martin
Mlennert
Rjuju

Everything seems to work fine for me (Mlennert).

comment:90 in reply to:  84 Changed 4 months ago by Jeff McKenna

I've just merged your identity Jeff -- can you try again.

Great work Regina, fixed, thanks again!! (nice find on the upper case issue)

comment:91 Changed 4 months ago by lucadelu

I did the merge with LDAP account, I can login and I can see my contributions but my personal page is lost (I don't understand if it is related or not but it doesn't seem, however I can recover from history) and I cannot edit any pages (I tried with three random pages and my user page)

comment:92 Changed 4 months ago by Steven Feldman

I still can't edit anything. My LDAP user is Stevenfeldman, my old wiki user was Stevenfeldman. Is that the cause of the problem? Steven

comment:93 in reply to:  92 ; Changed 4 months ago by robe

Replying to Steven Feldman:

I still can't edit anything. My LDAP user is Stevenfeldman, my old wiki user was Stevenfeldman. Is that the cause of the problem? Steven

Doesn't look like you had a dupe account but you still had the merge in progress bit. Can you give it another try. I took that off.

comment:94 in reply to:  91 ; Changed 4 months ago by robe

Replying to lucadelu:

I did the merge with LDAP account, I can login and I can see my contributions but my personal page is lost (I don't understand if it is related or not but it doesn't seem, however I can recover from history) and I cannot edit any pages (I tried with three random pages and my user page)

Can you see if you can edit now - I removed you from merge in progress group

comment:95 in reply to:  94 Changed 4 months ago by lucadelu

Replying to robe:

Can you see if you can edit now - I removed you from merge in progress group

Yes, I can edit the pages. Thanks a lot

comment:96 in reply to:  92 Changed 4 months ago by Steven Feldman

Replying to Steven Feldman:

I still can't edit anything. My LDAP user is Stevenfeldman, my old wiki user was Stevenfeldman. Is that the cause of the problem? Steven

@robe That has fixed it, I am able to edit again. Thanks Steven

comment:97 in reply to:  93 Changed 4 months ago by Steven Feldman

Replying to robe:

Replying to Steven Feldman:

I still can't edit anything. My LDAP user is Stevenfeldman, my old wiki user was Stevenfeldman. Is that the cause of the problem? Steven

Doesn't look like you had a dupe account but you still had the merge in progress bit. Can you give it another try. I took that off.

That's fixed it! Thanks
