From d8caf6045d10344c431918128e3803ca497565f3 Mon Sep 17 00:00:00 2001 From: "gerv%gerv.net" <> Date: Sun, 28 Jul 2002 05:00:17 +0000 Subject: Merging new docs from 2.16 branch. --- docs/html/extraconfig.html | 726 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 726 insertions(+) create mode 100644 docs/html/extraconfig.html (limited to 'docs/html/extraconfig.html') diff --git a/docs/html/extraconfig.html b/docs/html/extraconfig.html new file mode 100644 index 000000000..fb8ceb445 --- /dev/null +++ b/docs/html/extraconfig.html @@ -0,0 +1,726 @@ +Optional Additional Configuration
The Bugzilla Guide
PrevChapter 4. InstallationNext

4.2. Optional Additional Configuration

4.2.1. Dependency Charts

As well as the text-based dependency graphs, Bugzilla also + supports dependency graphing, using a package called 'dot'. + Exactly how this works is controlled by the 'webdotbase' parameter, + which can have one of three values: +

  1. A complete file path to the command 'dot' (part of + GraphViz) + will generate the graphs locally +

  2. A URL prefix pointing to an installation of the webdot package will + generate the graphs remotely +

  3. A blank value will disable dependency graphing. +

+

So, to get this working, install + GraphViz. If you + do that, you need to + enable + server-side image maps in Apache. + Alternatively, you could set up a webdot server, or use the AT&T + public webdot server (the + default for the webdotbase param). Note that AT&T's server won't work + if Bugzilla is only accessible using HTTPS. +

4.2.2. Bug Graphs

As long as you installed the GD and Graph::Base Perl modules you + might as well turn on the nifty Bugzilla bug reporting graphs.

Add a cron entry like this to run + collectstats.pl + daily at 5 after midnight: +

bash# + + crontab -e + +
5 0 * * * cd <your-bugzilla-directory> ; + ./collectstats.pl +

+

After two days have passed you'll be able to view bug graphs from + the Bug Reports page.

4.2.3. The Whining Cron

By now you have a fully functional Bugzilla, but what good are + bugs if they're not annoying? To help make those bugs more annoying you + can set up Bugzilla's automatic whining system to complain at engineers + which leave their bugs in the NEW state without triaging them. +

This can be done by + adding the following command as a daily crontab entry (for help on that + see that crontab man page): +

cd <your-bugzilla-directory> ; + ./whineatnews.pl + +

+

Depending on your system, crontab may have several manpages. + The following command should lead you to the most useful page for + this purpose: +
man 5 crontab
+

4.2.4. LDAP Authentication

This information on using the LDAP + authentication options with Bugzilla is old, and the authors do + not know of anyone who has tested it. Approach with caution. +

+

The existing authentication + scheme for Bugzilla uses email addresses as the primary user ID, and a + password to authenticate that user. All places within Bugzilla where + you need to deal with user ID (e.g assigning a bug) use the email + address. The LDAP authentication builds on top of this scheme, rather + than replacing it. The initial log in is done with a username and + password for the LDAP directory. This then fetches the email address + from LDAP and authenticates seamlessly in the standard Bugzilla + authentication scheme using this email address. If an account for this + address already exists in your Bugzilla system, it will log in to that + account. If no account for that email address exists, one is created at + the time of login. (In this case, Bugzilla will attempt to use the + "displayName" or "cn" attribute to determine the user's full name.) + After authentication, all other user-related tasks are still handled by + email address, not LDAP username. You still assign bugs by email + address, query on users by email address, etc. +

Using LDAP for Bugzilla authentication requires the + Mozilla::LDAP (aka PerLDAP) Perl module. The + Mozilla::LDAP module in turn requires Netscape's Directory SDK for C. + After you have installed the SDK, then install the PerLDAP module. + Mozilla::LDAP and the Directory SDK for C are both + available for + download from mozilla.org. +

Set the Param 'useLDAP' to "On" **only** if you will be using an LDAP + directory for + authentication. Be very careful when setting up this parameter; if you + set LDAP authentication, but do not have a valid LDAP directory set up, + you will not be able to log back in to Bugzilla once you log out. (If + this happens, you can get back in by manually editing the data/params + file, and setting useLDAP back to 0.) +

If using LDAP, you must set the + three additional parameters: Set LDAPserver to the name (and optionally + port) of your LDAP server. If no port is specified, it defaults to the + default port of 389. (e.g "ldap.mycompany.com" or + "ldap.mycompany.com:1234") Set LDAPBaseDN to the base DN for searching + for users in your LDAP directory. (e.g. "ou=People,o=MyCompany") uids + must be unique under the DN specified here. Set LDAPmailattribute to + the name of the attribute in your LDAP directory which contains the + primary email address. On most directory servers available, this is + "mail", but you may need to change this. +

4.2.5. Preventing untrusted Bugzilla content from executing malicious + Javascript code

It is possible for a Bugzilla to execute malicious Javascript + code. Due to internationalization concerns, we are unable to + incorporate the code changes necessary to fulfill the CERT advisory + requirements mentioned in + http://www.cet.org/tech_tips/malicious_code_mitigation.html/#3. + Executing the following code snippet from a UNIX command shell will + rectify the problem if your Bugzilla installation is intended for an + English-speaking audience. As always, be sure your Bugzilla + installation has a good backup before making changes, and I recommend + you understand what the script is doing before executing it.

bash# perl -pi -e "s/Content-Type\: text\/html/Content-Type\: text\/html\; charset=ISO-8859-1/i" *.cgi *.pl
+        
+

All this one-liner command does is search for all instances of + "Content-type: text/html" + + and replaces it with + "Content-Type: text/html; charset=ISO-8859-1" + + . This specification prevents possible Javascript attacks on the + browser, and is suggested for all English-speaking sites. For + non-English-speaking Bugzilla sites, I suggest changing + "ISO-8859-1", above, to + "UTF-8".

Note: using <meta> tags to set the charset is not + recommended, as there's a bug in Netscape 4.x which causes pages + marked up in this way to load twice.

4.2.6. .htaccess + files and security

To enhance the security of your Bugzilla installation, Bugzilla's + checksetup.pl script will generate + .htaccess + + + files which the Apache webserver can use to restrict access to the + bugzilla data files. + These .htaccess files will not work with Apache 1.2.x - but this + has security holes, so you shouldn't be using it anyway. +

If you are using an alternate provider of + webdot + + services for graphing (as described when viewing + editparams.cgi + + in your web browser), you will need to change the ip address in + data/webdot/.htaccess + + to the ip address of the webdot server that you are using.

+

The default .htaccess file may not provide adequate access + restrictions, depending on your web server configuration. Be sure to + check the <Directory> entries for your Bugzilla directory so that + the + .htaccess + + file is allowed to override web server defaults. For instance, let's + assume your installation of Bugzilla is installed to + /usr/local/bugzilla + + . You should have this <Directory> entry in your + httpd.conf + + file:

+

  <Directory /usr/local/bugzilla/>
+  Options +FollowSymLinks +Indexes +Includes +ExecCGI
+  AllowOverride All
+</Directory>
+
+ +

The important part above is + "AllowOverride All" + + . Without that, the + .htaccess + + file created by + checksetup.pl + + will not have sufficient permissions to protect your Bugzilla + installation.

If you are using Internet Information Server (IIS) or another + web server which does not observe + .htaccess + conventions, you can disable their creation by editing + localconfig + and setting the + $create_htaccess + variable to + 0. +

4.2.7. mod_throttle + + and Security

It is possible for a user, by mistake or on purpose, to access + the database many times in a row which can result in very slow access + speeds for other users. If your Bugzilla installation is experiencing + this problem , you may install the Apache module + mod_throttle + + which can limit connections by ip-address. You may download this module + at + http://www.snert.com/Software/Throttle/. + Follow the instructions to install into your Apache install. + This module only functions with the Apache web + server! + You may use the + ThrottleClientIP + + command provided by this module to accomplish this goal. See the + Module + Instructions + for more information.


PrevHomeNext
Step-by-step InstallUpWin32 Installation Notes
\ No newline at end of file -- cgit v1.2.3-24-g4f1b
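
Review bot: The perl one-liner in section 4.2.5 is not safe to run twice and keeps no copy of what it changes. 'perl -pi -e' with a bare -i overwrites every *.cgi and *.pl in place, and because the pattern matches only the 'Content-Type: text/html' prefix, a second run matches the already patched header and produces 'charset=ISO-8859-1; charset=ISO-8859-1'. Suggest '-pi.bak' and a pattern that skips headers already carrying a charset parameter. In the same section the link host reads www.cet.org although the sentence refers to the CERT advisory, and the path ends in '.html/#3'; please check the URL. The sentence saying the charset 'prevents possible Javascript attacks' should be narrowed to say that it stops the browser from guessing the encoding, since it does not replace escaping of user-supplied content. In section 4.2.6 the sample <Directory> block turns on +Indexes and +Includes alongside 'AllowOverride All', but the text explains only the AllowOverride line; in a section about restricting access to data files, either drop the directory listing and server-side include options or say why Bugzilla needs them. In section 4.2.1, the text notes that the AT&T public webdot server is the default for webdotbase; it should also say that with this default the dependency graph data is sent to a third-party server, so that administrators of private installations know to change or blank the parameter.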