summaryrefslogtreecommitdiffstats
path: root/template/en/default/admin/params/auth.html.tmpl
blob: 72fcc7e552af15c973e351ddb7c03e35e4ee8196 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
[%# The contents of this file are subject to the Mozilla Public
  # License Version 1.1 (the "License"); you may not use this file
  # except in compliance with the License. You may obtain a copy of
  # the License at http://www.mozilla.org/MPL/
  #
  # Software distributed under the License is distributed on an "AS
  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
  # implied. See the License for the specific language governing
  # rights and limitations under the License.
  #
  # The Original Code is the Bugzilla Bug Tracking System.
  #
  # The Initial Developer of the Original Code is Netscape Communications
  # Corporation. Portions created by Netscape are
  # Copyright (C) 1998 Netscape Communications Corporation. All
  # Rights Reserved.
  #
  # Contributor(s): Dave Miller <justdave@bugzilla.org>
  #                 Frédéric Buclin <LpSolit@gmail.com>
  #                 Marc Schumann <wurblzap@gmail.com>
  #%]
[%
   title = "User Authentication"
   desc = "Set up your authentication policies"
%]

[%  desc_passwdqc_min = BLOCK %]
  [Int0, Int1, Int2, Int3, Int4]
  <p>
  The minimum allowed password lengths for different kinds of passwords
  and passphrases. "undef" can be used to disallow passwords of a given
  kind regardless of their length. Each subsequent number is required to
  be no larger than the preceding one.

  <p>
  Int0 is used for passwords consisting of characters from one character
  class only. The character classes are: digits, lower-case letters,
  upper-case letters, and other characters. There is also a special
  class for non-ASCII characters, which could not be classified, but are
  assumed to be non-digits.
  <p>
  Int1 is used for passwords consisting of characters from two character
  classes that do not meet the requirements for a passphrase.
  <p>
  Int2 is used for passphrases. Note that besides meeting this length
  requirement, a passphrase must also consist of a sufficient number of
  words (see the "passphrase_words" option below).
  <p>
  Int3 and Int4 are used for passwords consisting of characters from
  three and four character classes, respectively.

  <p>
  When calculating the number of character classes, upper-case letters
  used as the first character and digits used as the last character of a
  password are not counted.

  <p>
  In addition to being sufficiently long, passwords are required to
  contain enough different characters for the character classes and the
  minimum length they have been checked against.
[% END %]

[%  desc_passwdqc_max = BLOCK %]
  The maximum allowed password length. This can be used to prevent users
  from setting passwords that may be too long for some system services.
  It must be larger than 8.
[% END %]

[%  desc_passwdqc_passphrase_words = BLOCK %]
  The number of words required for a passphrase, or 0 to disable the
  support for user-chosen passphrases.
[% END %]

[%  desc_passwdqc_match_length = BLOCK %]
  The length of common substring required to conclude that a password is
  at least partially based on information found in a character string,
  or 0 to disable the substring search. Note that the password will not
  be rejected once a weak substring is found; it will instead be
  subjected to the usual strength requirements with the weak substring
  partially discounted.
  <p>
  The substring search is case-insensitive and is able to detect and
  remove a common substring spelled backwards.
[% END %]

[%  desc_random_bits = BLOCK %]
  The size of randomly-generated passphrases in bits (24 to 85).
[% END %]

[% desc_passwdqc_desc = BLOCK %]
  This should be a short paragraph describing the password requirements in plain English.
  Limited HTML allowed.
[% END %]

[% param_descs = {
  auth_env_id => "Environment variable used by external authentication system " _
                 "to store a unique identifier for each user. Leave it blank " _
                 "if there isn't one or if this method of authentication " _
                 "is not being used.",

  auth_env_email => "Environment variable used by external authentication system " _
                    "to store each user's email address. This is a required " _
                    "field for environmental authentication. Leave it blank " _
                    "if you are not going to use this feature.",

  auth_env_realname => "Environment variable used by external authentication system " _
                       "to store the user's real name. Leave it blank if there " _
                       "isn't one or if this method of authentication is not being " _
                       "used.",

  user_info_class => "Mechanism(s) to be used for gathering a user's login information.
                      More than one may be selected. If the first one returns nothing,
                      the second is tried, and so on.<br>
                      The types are:
                      <dl>
                        <dt>CGI</dt>
                        <dd>
                          Asks for username and password via CGI form interface.
                        </dd>
                        <dt>Env</dt>
                        <dd>
                          Info for a pre-authenticated user is passed in system
                          environment variables.
                        </dd>
                      </dl>",

  user_verify_class => "Mechanism(s) to be used for verifying (authenticating) information
                        gathered by user_info_class.
                        More than one may be selected. If the first one cannot find the
                        user, the second is tried, and so on.<br>
                        The types are:
                        <dl>
                          <dt>DB</dt>
                          <dd>
                            ${terms.Bugzilla}'s built-in authentication. This is the most common
                            choice.
                          </dd>
                          <dt>RADIUS</dt>
                          <dd>
                            RADIUS authentication using a RADIUS server.
                            Please see the $terms.Bugzilla documentation for
                            more information.
                            Using this method requires
                            <a href=\"?section=radius\">additional
                            parameters</a> to be set.
                          </dd>
                          <dt>LDAP</dt>
                          <dd>
                            LDAP authentication using an LDAP server.
                            Please see the $terms.Bugzilla documentation
                            for more information. Using this method requires
                            <a href=\"?section=ldap\">additional
                            parameters</a> to be set.
                          </dd>
                        </dl>",

  rememberlogin => "Controls management of session cookies
                    <ul>
                      <li>
                        on - Session cookies never expire (the user has to login only
                        once per browser).
                      </li>
                      <li>
                        off - Session cookies last until the users session ends (the user
                        will have to login in each new browser session).
                      </li>
                      <li>
                        defaulton/defaultoff - Default behavior as described
                        above, but user can choose whether $terms.Bugzilla will remember his
                        login or not.
                      </li>
                    </ul>",

  requirelogin => "If this option is set, all access to the system beyond the " _
                  "front page will require a login. No anonymous users will " _
                  "be permitted.",

  webservice_email_filter => "Filter email addresses returned by the WebService API depending on " _
                             "if the user is logged in or not. This works similarly to how the " _
                             "web UI currently filters email addresses. If <tt>requirelogin</tt> " _
                             "is enabled,  then this parameter has no effect as users must be logged " _
                             "in to use Bugzilla.",

  emailregexp => "This defines the regexp to use for legal email addresses. The " _
                 "default tries to match fully qualified email addresses. Another " _
                 "popular value to put here is <tt>^[^@]+$</tt>, which means " _
                 "'local usernames, no @ allowed.'",

  emailregexpdesc => "This describes in English words what kinds of legal addresses " _
                     "are allowed by the <tt>emailregexp</tt> param.",

  emailsuffix => "This is a string to append to any email addresses when actually " _
                 "sending mail to that address. It is useful if you have changed " _
                 "the <tt>emailregexp</tt> param to only allow local usernames, " _
                 "but you want the mail to be delivered to username@my.local.hostname.",

  createemailregexp => "This defines the (case-insensitive) regexp to use for email addresses that are " _
                       "permitted to self-register using a 'New Account' feature. The " _
                       "default (.*) permits any account matching the emailregexp " _
                       "to be created. If this parameter is left blank, no users " _
                       "will be permitted to create their own accounts and all accounts " _
                       "will have to be created by an administrator.",

  passwdqc_min              => desc_passwdqc_min,
  passwdqc_max              => desc_passwdqc_max
  passwdqc_passphrase_words => desc_passwdqc_passphrase_words,
  passwdqc_match_length     => desc_passwdqc_match_length,
  passwdqc_random_bits      => desc_random_bits,
  passwdqc_desc             => desc_passwdqc_desc,

  password_complexity =>
    "Set the complexity required for passwords. In all cases must the passwords " _
    "be at least ${constants.USER_PASSWORD_MIN_LENGTH} characters long." _
    "<ul><li>no_constraints - No complexity required.</li>" _
    "<li>bmo - Passwords must meet at least three of the following conditions: " _
    "<ul>" _
    "<li>uppercase letters</li>" _
    "<li>lowercase letters</li>" _
    "<li>numbers</li>" _
    "<li>symbols</li>" _
    "<li>longer than 12 characters</li>" _
    "</ul></li>" _
    "</ul>",

  password_check_on_login =>
    "If set, $terms.Bugzilla will check that the password meets the current " _
    "complexity rules and minimum length requirements  when the user logs " _
    "into the $terms.Bugzilla web interface. If it doesn't, the user would " _
    "not be able to log in, and recieve a message to reset their password.",

  auth_delegation =>
    "If set, $terms.Bugzilla will allow third party applications " _
    "to request API keys for users.",

  duo_host =>
    "The 'API hostname' for Duo 2FA. This value is provided by your " _
    "Duo Security administrator. Set this to a blank value to disable" _
    "Duo 2FA.",

  duo_akey =>
    "The 'integration secret key' for Duo 2FA. This is automatically " _
    "generated by checksetup.pl.",

  duo_ikey =>
    "The 'integration key' for Duo 2FA. This value is provided by your " _
    "Duo Security administrator.",

  duo_skey =>
    "The 'secret key' for Duo 2FA. This value is provided by your " _
    "Duo Security administrator.",

  mfa_group =>
    "Members of this group must enable MFA. If the grace period is set, " _
    "users will receive a warning on every page until end of the grace period. " _
    "Users without MFA after the grace period (or when it is set to 0) will only " _
    "be able to access the mfa tab of the user preferences page."

  mfa_group_grace_period =>
    "Number of days to warn user to turn on 2FA."
  },
%]