1466866 - LDAP Auth vs Passwordless Email Login - Auth Failure

Status: RESOLVED FIXED

(Participation Infrastructure :: Phonebook, defect)

Description

[Matthew Finkel [:sysrqb]]

User Agent: Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20100101

Steps to reproduce:

1) Go to mozillians.org
2) Click "Log In/Sign Up" button
3) Enter email address in "Login with email" field


Actual results:

1) Enter Email address
2) Receive email with one-time verification link
3) Open link in Firefox and received error message: "Sorry, you may not login using passwordless email. We require login to be performed using the most secure method available for your account, which is LDAP."


Expected results:

Expecting a "Login with LDAP" option, login using LDAP authentication

Bug 1348393, Bug 1447899, 
Bug 1466635 seem related.

LDAP account: matthew.finkel@gmail.com

Comment 1

[George Roter]

hmitsch any thoughts on this?

This is a contributor to our All Hands who is trying to create or access a Mozillians.org account.

Comment 2

[Henrik Mitsch [:hmitsch]]

Hi sysrqb,

please apologize the delayed response.
Thanks for linking all these other tickets. I was able to move forward all of them. Now let's make things work for you.

Indeed, something is strange with your account. Is it possible that you are a long-time Mozilla LDAP user with the login "matthew.finkel@gmail.com"? Have you not logged in to any Mozilla services in the last 3+ months?

Did you configure MFA (multi-factor auth) for your Mozilla LDAP account? If no, please go to https://login.mozilla.com and configure MFA for your account.

Please let me know if this works. If it doesn't we need to see what else is wrong with your account.


## Debugging info ###
* A regular LDAP account returns "connection type: ad" in the Person API call, e.g. https://person-api.sso.mozilla.com/v1/connection/hmitsch@mozilla.com
* https://person-api.sso.mozilla.com/v1/connection/matthew.finkel@gmail.com returns "{}"

-Henrik

Comment 3

[Henrik Mitsch [:hmitsch]]

Hi kang and andrew,

I just chatted to sysrbq on IRC and then I found out why they have issues:

* User opens sso.mozilla.com
* NLX opens
* User enters their Volunteer LDAP email address: matthew.finkel@gmail.com
* Person API returns "{}" (https://person-api.sso.mozilla.com/v1/connection/matthew.finkel@gmail.com)
* NLX can't route into the LDAP login flow, because it expects "connection type: ad".

Can we fix this deep in the IAM Stack or do we need to change NLX?

Best regards,
   Henrik

Comment 4

[Guillaume Destuynder [:kang] [this account is no longer active]]

Hi,

this is because the LDAP account matthew.finkel@gmail.com is no longer active.
I've removed the account from our side so that you can login with matthew.finkel@gmail.com to passwordless and other methods

Please reopen if you still have an issue logging in

thanks!

Comment 5

[Matthew Finkel [:sysrqb]]

(In reply to Guillaume Destuynder [:kang] (NEEDINFO to ensure replies) from comment #4)
> Hi,

Thanks for looking into this!

> 
> this is because the LDAP account matthew.finkel@gmail.com is no longer
> active.

That's weird. I logged in two days ago, and I use it for pushing Try builds on a semi-regular basis.

> I've removed the account from our side so that you can login with
> matthew.finkel@gmail.com to passwordless and other methods

Hrm. Well, I successfully logged in using email auth - so this solved the immediate problem.

> 
> Please reopen if you still have an issue logging in

So I am a little confused, I can still authenticate via ssh:

"""
$ ssh hg.mozilla.org
A SSH connection has been successfully established.

Your account (Matthew.Finkel@gmail.com) has privileges to access Mercurial over
SSH.

You are a member of the following LDAP groups that govern source control
access:

   scm_level_1

"""

I'll open a new bug if I have any new problems. Thanks!