Unable to log in after a failed LDAP attempt

Hi,

I tried and failed to log in to discourse (I believe it was my first time since the ‘new login experience’ was enabled).

I first tried to log in using e-mail (the one I’m sending this message from), without reading instructions. I was asked for my LDAP password - I tried the one from many years ago, when I was more actively involved as a volunteer.

Seems like the password was accepted, but I got an error message involving 2FA and a suggestion to “contact my system administrator” or something (didn’t think to make a screenshot). I think the wording of that message could be improved to be more friendly to an “outside” person.

I then tried to log in using Google (on which I have the 2FA), but got the “may not login using Google. We require login to be performed using the most secure method available for your account, which is LDAP” message. I think that it would be more friendly (even though possibly slightly less secure) to not claim that the LDAP method is “available” for my account when it obviously isn’t. Or

Now I’m stuck as the system automatically selects the Google method, only to let me know I can’t use it. From https://discourse.mozilla.org/t/what-on-earth-why-is-it-so-impossible-to-register-for-this-forum/28779/2 I thought I should “be able to go to sso.mozilla.com to disable autologin”, but it doesn’t appear to be the case.

At this point I tried to find some documentation, found the FAQ, honestly tried to find the relevant entries (I applaud the effort put into compiling the document, but it’s a bit daunting for someone just trying to log in!) – and the most relevant entry seems to be this, though I have no idea how to tell if I still “own a volunteer LDAP account” or if/why I need to “upgrade my mozillians account from email (passwordless) login”. Anyways, attempting to log onto mozillians just starts the same autologin-using-Google-then-tell-me-to-use-LDAP-instead dance, so that didn’t work out.

I’m writing this, because this post implied there were few known problems with the login system, and I hope that whatever little information I provided will help to further improve it. There’s no rush in getting my individual account fixed, though I would like to be able to log in eventually.

Nickolay

Hi,

Your last successful login with LDAP appears to be 16h ago, and yes, you still own a volunteer LDAP account which used to be scm level 3 (the highest level of privilege for Firefox code). These accounts are also required to set up 2FA on https://login.mozilla.com which you can do to regain access.

That said, if you no longer contribute to Firefox code in that way I suspect the best course of action is to get your LDAP account disabled. Would you like to do that?

Thanks for the prompt response and for clarifying the situation!

Yes, I agree that disabling my LDAP account is the best course of action, assuming it won’t lock me out of my other accounts (bugzilla, MDN).

Bugzilla and MDN currently use other forms of authentication (i.e. not LDAP).
See https://bugzilla.mozilla.org/show_bug.cgi?id=1463812 for the disable request. In the meantime I’ve removed the record of your LDAP account in our system so that you can already log back in with your Google account.

Be careful though: if you log in with LDAP to Discourse for example, you will run into the same issue until the account is really disabled.

Let me know if you still run into any issue, or if that solved your issue.

That solved the issue, thank you again!
