From d6fe62579ecd47f5fb679ea0536c5157030ac4df Mon Sep 17 00:00:00 2001 From: "jake%bugzilla.org" <> Date: Tue, 8 Jul 2003 09:03:00 +0000 Subject: Recompile the docs --- docs/html/extraconfig.html | 339 +++++++++++++++++++++++++++++---------------- 1 file changed, 223 insertions(+), 116 deletions(-) (limited to 'docs/html/extraconfig.html') diff --git a/docs/html/extraconfig.html b/docs/html/extraconfig.html index 4200fa427..b8e3306e2 100644 --- a/docs/html/extraconfig.html +++ b/docs/html/extraconfig.html @@ -296,13 +296,12 @@ CLASS="section" NAME="bzldap" >4.2.4. LDAP Authentication

This information on using the LDAP - authentication options with Bugzilla is old, and the authors do - not know of anyone who has tested it. Approach with caution. +>LDAP authentication has been rewritten for the 2.18 release of + Bugzilla. It no longer requires the Mozilla::LDAP module and now uses + Net::LDAP instead. This rewrite was part of a larger landing that + allowed for additional authentication schemes to be easily added + (bug + 180642). +

This patch originally landed in 21-Mar-2003 and was included + in the 2.17.4 development release.

-

The existing authentication scheme for Bugzilla uses email addresses as the primary user ID, and a @@ -346,92 +354,189 @@ VALIGN="TOP" email address, not LDAP username. You still assign bugs by email address, query on users by email address, etc.

Using LDAP for Bugzilla authentication requires the - Mozilla::LDAP (aka PerLDAP) Perl module. The - Mozilla::LDAP module in turn requires Netscape's Directory SDK for C. - After you have installed the SDK, then install the PerLDAP module. - Mozilla::LDAP and the Directory SDK for C are both -

Because the Bugzilla account is not created until the first time + a user logs in, a user who has not yet logged is unknown to Bugzilla. + This means they cannot be used as an assignee or QA contact (default or + otherwise), added to any cc list, or any other such operation. One + possible workaround is the bugzilla_ldapsync.rb + script in the + contrib directory. Another possible solution is fixing + available for - download from mozilla.org. -

bug + 201069. +

Set the Param 'useLDAP' to "On" **only** if you will be using an LDAP - directory for - authentication. Be very careful when setting up this parameter; if you - set LDAP authentication, but do not have a valid LDAP directory set up, - you will not be able to log back in to Bugzilla once you log out. (If - this happens, you can get back in by manually editing the data/params - file, and setting useLDAP back to 0.) -

Parameters required to use LDAP Authentication:

If using LDAP, you must set the - three additional parameters: Set LDAPserver to the name (and optionally - port) of your LDAP server. If no port is specified, it defaults to the - default port of 389. (e.g "ldap.mycompany.com" or - "ldap.mycompany.com:1234") Set LDAPBaseDN to the base DN for searching - for users in your LDAP directory. (e.g. "ou=People,o=MyCompany") uids - must be unique under the DN specified here. Set LDAPmailattribute to - the name of the attribute in your LDAP directory which contains the - primary email address. On most directory servers available, this is - "mail", but you may need to change this. -

loginmethod

You can also try using OpenLDAP with Bugzilla, using any of a number of administration - tools. You should apply the patch attached to - bug 158630This parameter should be set to "LDAP" - , then set the following object classes for your users: - -

only if you will be using an LDAP directory + for authentication. If you set this param to "LDAP" but + fail to set up the other parameters listed below you will not be + able to log back in to Bugzilla one you log out. If this happens + to you, you will need to manually edit + data/params and set loginmethod to + "DB". +

LDAPserver

This parameter should be set to the name (and optionally the + port) of your LDAP server. If no port is specified, it assumes + the default LDAP port of 389. +

Ex. "ldap.company.com" + or "ldap.company.com:3268" +

LDAPbinddn [Optional]

Some LDAP servers will not allow an anonymous bind to search + the directory. If this is the case with your configuration you + should set the LDAPbinddn parameter to the user account Bugzilla + should use instead of the anonymous bind. +

Ex. "cn=default,cn=user:password"

LDAPBaseDN

objectClass: person

  • The LDAPBaseDN parameter should be set to the location in + your LDAP tree that you would like to search for e-mail addresses. + Your uids should be unique under the DN specified here. +

    objectClass: organizationalPerson

  • Ex. "ou=People,o=Company"

  • LDAPuidattribute

    objectClass: inetOrgPerson

  • The LDAPuidattribute parameter should be set to the attribute + which contains the unique UID of your users. The value retrieved + from this attribute will be used when attempting to bind as the + user to confirm their password. +

    objectClass: top

  • Ex. "uid"

  • LDAPmailattribute

    objectClass: posixAccount

  • The LDAPmailattribute parameter should be the name of the + attribute which contains the e-mail address your users will enter + into the Bugzilla login boxes. +

    objectClass: shadowAccount

  • - - Please note that this patch has not yet been - accepted by the Bugzilla team, and so you may need to do some - manual tweaking. That said, it looks like Net::LDAP is probably - the way to go in the future. -

    Ex. "mail"

    http://www.cet.org/tech_tips/malicious_code_mitigation.html/#3. - Executing the following code snippet from a UNIX command shell will - rectify the problem if your Bugzilla installation is intended for an - English-speaking audience. As always, be sure your Bugzilla - installation has a good backup before making changes, and I recommend - you understand what the script is doing before executing it.

    Telling Bugzilla to output a charset as part of the HTTP header is + much easier in version 2.18 and higher (including any cvs + pull after 4-May-2003 and development release after 2.17.5) than it was + in previous versions. Simply locate the following line in + Bugzilla/CGI.pm: +
    
bash# perl -pi -e "s/Content-Type\: text\/html/Content-Type\: text\/html\; charset=ISO-8859-1/i" *.cgi *.pl
    -        
    # Make sure that we don't send any charset headers + $self->charset(''); +
    -

    All this one-liner command does is search for all instances of - "Content-type: text/html" - - and replaces it with - "Content-Type: text/html; charset=ISO-8859-1"

    
    # Send all data using the ISO-8859-1 charset
    +    $self->charset('ISO-8859-1');
    +      
    - - . This specification prevents possible Javascript attacks on the - browser, and is suggested for all English-speaking sites. For - non-English-speaking Bugzilla sites, I suggest changing - "ISO-8859-1", above, to - "UTF-8".
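Review bot: In the LDAPbinddn entry, the example "cn=default,cn=user:password" puts the bind password inside the parameter value, but the text never says where that value is stored or who can read it. The loginmethod entry already sends admins to data/params for recovery, so state here whether the bind credentials are saved in that file, that it should be readable only by the web server user, and that the bind account should be a dedicated one limited to searching the directory. The LDAPserver entry defaults to port 389 and the LDAPuidattribute entry says Bugzilla binds as the user to confirm their password, yet nothing tells the reader whether the connection to the directory can be protected with TLS; please say so either way. Wording in the same region: "one you log out" should be "once you log out", "a user who has not yet logged is unknown" is missing "in", and "landed in 21-Mar-2003" should read "landed on".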
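Review bot: In the charset section, the removed paragraph gave the reason for the setting (it "prevents possible Javascript attacks on the browser") and suggested "UTF-8" for non-English sites, and no replacement for either appears in the lines shown here. If that rationale is not kept elsewhere in the section, restore it beside the new snippet so readers understand that changing $self->charset('') to $self->charset('ISO-8859-1') is a security setting and not a cosmetic one. The new text also asks admins to hand-edit Bugzilla/CGI.pm, so add a sentence that this is a local change to a shipped source file and has to be carried across later cvs pulls and upgrades.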