This might be coincidence, but the private email (non-Labs) I received about the upcoming Zürich Hackathon Registration came from "80686 <username@wikimedia.ch>" which was surprising enough that I remembered (replace username above by 'manuel dot schneider').

That would align with "manuel@mirabilis" in the ssh key. Manuel, perhaps you can shed some light on this: Have you actively registered on wikitech or Gerrit? Or was 80686 perhaps an SVN username that was migrated?

Yes, User:80686 is me.

This was my SVN account that must have been migrated.

In mediawiki/core:

So: Yes :-).

Chad, does Gerrit need all authors to have an LDAP account?

If not and Manuel hasn't accessed wikitech/Gerrit with that account, I think we could just delete the entry in LDAP and set up the forwarding for 80686@users.mediawiki.org in exim (if those addresses actually work).

From Cloud-Services:

The error occurs only on tools-login, and the interval correlates to toolwatcher's "sleep 120"; so I "sudo tail -f /var/log/syslog | fgrep 80686 &"'d and can trigger the warning with "getent passwd > /dev/null".

(toolwatcher has moved to tools-submit, so the warning now appears there.)

So the conclusion is to remove the user:

scfc@tools-bastion-01:~$ ldaplist -l passwd 80686

dn: uid=80686,ou=people,dc=wikimedia,dc=org
        uid: 80686
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetorgperson
        objectClass: ldapPublicKey
        objectClass: shadowaccount
        objectClass: posixaccount
        objectClass: top
        loginShell: /bin/bash
        sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1Gpgy5PcnNP6I3P4QkqB4yZMAsinFZOpPg5iAss8aXAdTSfJhFlGXEhq9TnohnbXIeeFAvRgh9fo2VC/iUxfvssBUdZ3WNNtDWLEV/7yoVptHhfPb1Y9nyCVrcZtQMxatY/Pn3L2pmyzYWoi9QpFs/pk0fF+ePfbiNM47+W0JKOrIZYMiTLfyXzz1fMqHOvUsSC/bruoupqAUsKfxrtYUnvsu6xUM0+ScykEFg3fgMyoVcQFQlxco+MzzA1E3BfpYThbvoqizH4OgDMJ02siYfR/F3d+WdRQ+B/p7ZwtAfZ81+F2cYPpEUgiMW1APJpXwfsRAoEbzhlnjROcDGFWIw== manuel@mirabilis
        uidNumber: 1044
        gidNumber: 500
        sn: 80686
        homeDirectory: /home/80686
        cn: 80686
scfc@tools-bastion-01:~$

from LDAP. @demon confirmed above that the entry is not needed by Gerrit, the user cannot log in (AFAIK) and the pseudo mail address in the Git history is unroutable no matter what:

[…]
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  80686@users.mediawiki.org
    Unrouteable address
[…]

I would be happy if, instead of discussing this for months and locking me out of tools and Git, someone could take a few minutes and fix this, so I have a valid login again.

If you rename it - fine! Just let me know.

In T63967#1542310, @80686 wrote:

I would be happy if, instead of discussing this for months and locking me out of tools and Git, someone could take a few minutes and fix this, so I have a valid login again.

I'm confused -- if I understand this Task correctly, you haven't had access using the '80686' username at all since the migration to git? In that case, the easiest solution is to register a new account at wikitech, choosing a shell name that's not just digits (for the user name, 80686 is probably fine, but using something that starts with a letter might not be a bad idea)

Then follow the instructions on https://www.mediawiki.org/wiki/Gerrit/Tutorial#Add_ssh_key_to_your_Gerrit_account and you should be able to contribute with your new account.

I also had a toolserver account with that name and would rather want to keep my history in SVN / Git etc. Deleting it or renaming it shouldn't matter.

Accounts from the Toolserver have not been migrated to Tool Labs, so that account doesn't exist anymore. The source control history is not linked to your actual user account, so that shouldn't be a problem either, I think?

@80686: part of the context here is that renaming users is a tremendous pain in the neck :) I've tried it several times, never with complete success.

I don't understand why LDAP doesn't like the username. Can validnames be fixed?

validnames is a configuration setting of nslcd and configured via a regex in puppet. There's a comment that the regex must be kept in sync with OSM.

In T63967#2600758, @MoritzMuehlenhoff wrote:

validnames is a configuration setting of nslcd and configured via a regex in puppet. There's a comment that the regex must be kept in sync with OSM.

Fair enough, but I still don't see why we can't fix the regex in both places to allow for an all-numeric username. They're perfectly valid...

I suppose this caused problems in OSM at some point and then validnames was tweaked to not allow that in LDAP? If it's no longer a problem in OSM, we can simply loosen the validnames check, LDAP has no problem with a full digit username.

As far as I can tell, that error message is not about the username, but about the shell name. Numeric logins are technically permitted on Debian, but any time I google this I find this same boilerplate:

"It is usually recommended to only use usernames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes."

That is, indeed, what our regexp enforces, in both places. It /looks/ like that rule is enforced on account creation as well, so I don't know how we got to this state in the first place... still, I'm reluctant to change the rules now.

I don't think it would be crazy to leave the restriction for account creation but let nslcd be more permissive on the hosts. I'll try contacting Manuel first and see what he things.

I contacted Manuel on his userpage here: https://en.wikipedia.org/wiki/User_talk:80686

For my part: I can't think of any reason why it would hurt to have the nslcd regex be more permissive than the user-creation regex. If Manuel is actually using his Labs account and Moritz has no objections, I'm fine with changing that regex to remove the 'must start with a letter' rule.

In T63967#2799842, @Andrew wrote:

For my part: I can't think of any reason why it would hurt to have the nslcd regex be more permissive than the user-creation regex. If Manuel is actually using his Labs account and Moritz has no objections, I'm fine with changing that regex to remove the 'must start with a letter' rule.

Ack, if he still uses this accounts, let's do that.

I'd love to use it again, currently it doesn't work. I had SVN commit access but since the move I cannot log into Git. I have complained a few times about it but as this ticket is still open for several years now I had to wait until this here is solved, so I have eventually given up on it, even though there are extensions I am supposed to maintain.

@80686, If git doesn't work for you either then we have more serious problems :( Is there another ticket associated with this?

I think the reason for those debian guidelines is that a lot of tools are
going to assume an all numeric username is actually a user id, rather than
a username, causing confusion.

In T63967#1542321, @valhallasw wrote:

In T63967#1542310, @80686 wrote:

I would be happy if, instead of discussing this for months and locking me out of tools and Git, someone could take a few minutes and fix this, so I have a valid login again.

I'm confused -- if I understand this Task correctly, you haven't had access using the '80686' username at all since the migration to git? In that case, the easiest solution is to register a new account at wikitech, choosing a shell name that's not just digits (for the user name, 80686 is probably fine, but using something that starts with a letter might not be a bad idea)

Then follow the instructions on https://www.mediawiki.org/wiki/Gerrit/Tutorial#Add_ssh_key_to_your_Gerrit_account and you should be able to contribute with your new account.

In T63967#2801858, @80686 wrote:

I'd love to use it again, currently it doesn't work. I had SVN commit access but since the move I cannot log into Git. I have complained a few times about it but as this ticket is still open for several years now I had to wait until this here is solved, so I have eventually given up on it, even though there are extensions I am supposed to maintain.

The easy and obvious answer since the start has been just to create a new Wikitech account with a username that meets the guidelines. There is no history that will be lost by contributing under a new shell account name. The shell account name isn't even a part of the git history. Gerrit uses sn (or is it cn?) for account naming and associates commits based on email address.

The regex [a-z_][a-z0-9_-]*[$]? is documented in the useradd(8) man page. As @chad points out there is no technical reason for the naming rules to be this strict on a modern linux system, but it has been a historical practice due in part to the fact that a lot of UN*X rules date back to the early 1970's and the system constraints that were present then.

If the account has never actually been used since being added to LDAP by an SVN account import then it should be possible to fix by editing the uid to be something like _80686. The horrors of renaming as far as I know are just about fixing all of the cross references in various systems. If the account is not known by Gerrit or any of the existing Labs VMs those cross references really should not exist.

This task has been stalled for three years. Tasks should not be stalled forever.
It seems the options on the table are: 1) Changing regexes. 2) Renaming the user account. 3) Declining this task.
Could someone make a decision?