Tony Malandain
2003-12-14 06:21:47 UTC
This document aims at helping people using Active Directory to authenticate Bugzilla users.
Please read first the section about configuring LDAP in the official Documentation: 4.2.4. LDAP Authentication
Pre-Requisite:
An Active Directory enabled Windows enviroment.
An instance of Bugzilla compiled with LDAP support
Actions:
Go to the parameter configuration page ( http://<yourserver>/<pathToBugzilla>/editparam.cgi)
Under LDAPserver:
Type the fully qualified name of the domain controler you wish to use for authentication.
Under LDAPbinddn:
By default Active Directory prevents anonymous queries through LDAP, so you will have to fill in this field to give Bugzilla access to Active Directory.
A common Distinguished Name (dn) for an Active Directory user will probably look like:
CN=<MY User Name>;CN=Users;DC=<My Domain>;DC=<My Domain Extension>
(Assuming you haven't changed the default Active Directory configuration).
Don't forget to add ":<The User Password>" at the end. Bugzilla expects it there.
Tip:
*The CN (or Common Name) is not the username (e.g. the one used to log in to a computer). The common name is the one displayed in the "Active Directory Users and Computers" snap-in under the "Name" column.
*When going into production, remember to lock down the user account used for querying AD (limit the computers to which it has access, privileges...)
Under LDAPBaseDN:
Again, assuming you are using an "out of the book" Active Directory configuration, the Base Distinguished Name (e.g. the Distinguished Name of the "folder" containing the users you want to include) will probably look like:
CN=Users,DC=<My Domain>,DC=<My Domain Extension>
Under LDAPuidattribute:
You probably want to reuse here the username (e.g. login) you use to authenticate in the Windows world. In that case, enter "sAMAccountName" here.
Under LDAPmailattribute:
Enter "mail"
Under LDAPfilter:
If you don't specify anything here, any Active Directory user (in the container you specified in LDAPBaseDN) will get access to Bugzilla. If you want to restrain the access to only a set of people, here is a solution:
Create a group in Active Directory under the Users "folder".
Add to that group the users that should have access to Bugzilla.
Enter "(memberOf=CN=<My Restricted Access Group>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>)" in that field.
Now only people in that group will be granted access to Bugzilla.
Under loginmethod:
Select LDAP.
Click "Submit" and Bugzilla will use Active Directory to authenticate its users.
Important:
Any user account stored in the database will be invalid as soon as you click on submit. If your administrator account is stored in the database, you should grant a LDAP account administrative privileges before you log off or you will look ourself out.
Nota:
I strongly advise to run some tests using the openldap tools to verify the parameters before moving Bugzilla to the LDAP authentication mode.
Once you can access the information you need using ldapsearch, you are pretty sure your conversion to LDAP authentication will succeed.
Typical options used to query Active Directory using ldapsearch are:
-h: Domain Controler NetBios Name/Fully Qualified Domain Name
-D: The Distinguished Name of the user account used to query Active Directory.
-x: Simple authentication mechanism
-b: The Base Distinguished Name of the starting point for the search
-W: Prompt for simple authentication
Example:
ldapsearch -h myDCServer -D "CN=<My User Name>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>" -x -W -b "CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>" "(memberOf=CN=<My Restricted Access Group>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>)"
That should normaly return the list of users to whom you want to give access to Bugzilla.
References:
* The Bugzilla Documentation: http://www.bugzilla.org/docs/html/
* ldapsearch in Active Directory: http://www.openldap.org/lists/openldap-software/200204/msg00188.html
* The openldap man pages.
* The Bugzilla IRC Channel #mozwebtools on irc.mozilla.org
Please read first the section about configuring LDAP in the official Documentation: 4.2.4. LDAP Authentication
Pre-Requisite:
An Active Directory enabled Windows enviroment.
An instance of Bugzilla compiled with LDAP support
Actions:
Go to the parameter configuration page ( http://<yourserver>/<pathToBugzilla>/editparam.cgi)
Under LDAPserver:
Type the fully qualified name of the domain controler you wish to use for authentication.
Under LDAPbinddn:
By default Active Directory prevents anonymous queries through LDAP, so you will have to fill in this field to give Bugzilla access to Active Directory.
A common Distinguished Name (dn) for an Active Directory user will probably look like:
CN=<MY User Name>;CN=Users;DC=<My Domain>;DC=<My Domain Extension>
(Assuming you haven't changed the default Active Directory configuration).
Don't forget to add ":<The User Password>" at the end. Bugzilla expects it there.
Tip:
*The CN (or Common Name) is not the username (e.g. the one used to log in to a computer). The common name is the one displayed in the "Active Directory Users and Computers" snap-in under the "Name" column.
*When going into production, remember to lock down the user account used for querying AD (limit the computers to which it has access, privileges...)
Under LDAPBaseDN:
Again, assuming you are using an "out of the book" Active Directory configuration, the Base Distinguished Name (e.g. the Distinguished Name of the "folder" containing the users you want to include) will probably look like:
CN=Users,DC=<My Domain>,DC=<My Domain Extension>
Under LDAPuidattribute:
You probably want to reuse here the username (e.g. login) you use to authenticate in the Windows world. In that case, enter "sAMAccountName" here.
Under LDAPmailattribute:
Enter "mail"
Under LDAPfilter:
If you don't specify anything here, any Active Directory user (in the container you specified in LDAPBaseDN) will get access to Bugzilla. If you want to restrain the access to only a set of people, here is a solution:
Create a group in Active Directory under the Users "folder".
Add to that group the users that should have access to Bugzilla.
Enter "(memberOf=CN=<My Restricted Access Group>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>)" in that field.
Now only people in that group will be granted access to Bugzilla.
Under loginmethod:
Select LDAP.
Click "Submit" and Bugzilla will use Active Directory to authenticate its users.
Important:
Any user account stored in the database will be invalid as soon as you click on submit. If your administrator account is stored in the database, you should grant a LDAP account administrative privileges before you log off or you will look ourself out.
Nota:
I strongly advise to run some tests using the openldap tools to verify the parameters before moving Bugzilla to the LDAP authentication mode.
Once you can access the information you need using ldapsearch, you are pretty sure your conversion to LDAP authentication will succeed.
Typical options used to query Active Directory using ldapsearch are:
-h: Domain Controler NetBios Name/Fully Qualified Domain Name
-D: The Distinguished Name of the user account used to query Active Directory.
-x: Simple authentication mechanism
-b: The Base Distinguished Name of the starting point for the search
-W: Prompt for simple authentication
Example:
ldapsearch -h myDCServer -D "CN=<My User Name>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>" -x -W -b "CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>" "(memberOf=CN=<My Restricted Access Group>,CN=Users,DC=<My Domain Name>,DC=<My Domain Extension>)"
That should normaly return the list of users to whom you want to give access to Bugzilla.
References:
* The Bugzilla Documentation: http://www.bugzilla.org/docs/html/
* ldapsearch in Active Directory: http://www.openldap.org/lists/openldap-software/200204/msg00188.html
* The openldap man pages.
* The Bugzilla IRC Channel #mozwebtools on irc.mozilla.org