PHP Cross Reference of MantisBT |
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "Admin_Guide.ent">
%BOOK_ENTITIES;
]>
<chapter id="admin.auth">
	<title>Authentication</title>

	<para>MantisBT supports several authentication techniques out of the box. In addition, there is work in progress on supporting authentication plug-ins. Once authentication plug-ins are implemented, authentication against any protocol or repository of user names and passwords can be done without having to touch MantisBT core code.</para>

	<para>Although MantisBT supports multiple authentication techniques, it is important to note that MantisBT doesn't yet support hybrid authentication scenarios. For example, internal staff authenticating against LDAP while customers authenticate against the MantisBT database.</para>

	<section id="admin.auth.standard">
		<title>Standard Authentication</title>

		<para>Standard, or native, authentication is where MantisBT users are authenticated against user records in the MantisBT database. The passwords are stored in the database in one of several formats:
			<itemizedlist>
				<listitem><para>CRYPT - deprecated.</para></listitem>
				<listitem><para>CRYPT_FULL_SALT - deprecated.</para></listitem>
				<listitem><para>PLAIN - deprecated.</para></listitem>
				<listitem><para>MD5 - This is the default and recommended approach.
					See <ulink url="http://en.wikipedia.org/wiki/MD5">MD5 topic on Wikipedia</ulink> for more details.</para></listitem>
			</itemizedlist>
		</para>

		<para>See $g_login_method for more details about how to configure MantisBT to use one of the above authentication techniques.</para>
	</section>

	<section id="admin.auth.http">
		<title>HTTP_AUTH</title>

		<para>When MantisBT is configured to use basic auth, it automatically detects the logged-in user and checks whether they are already registered in MantisBT. If not, a new account is automatically created for the username.</para>
	</section>

	<section id="admin.auth.basic">
		<title>BASIC_AUTH</title>

		<para>TODO</para>
	</section>

	<section id="admin.auth.ldap">
		<title>LDAP</title>

		<para>Functionality is provided by the php-ldap module
			(/usr/lib/php4/ldap.so). An extra login method is defined within
			core/user_API.php, inside the function is_password_match( $f_username,
			$p_test_password, $p_password ). It performs a simple, not yet
			encrypted, test of the LDAP directory for that user by asking for an
			entry with uid=username and password=test_password; if this exists,
			it is presumed that the user should be granted access.</para>
		<formalpara>
			<title>Configuration basics</title>
			<para>The LDIF format that was tested is as follows:
<programlisting>dn: uid=tests, dc=test, dc=com, dc=au
department: testdep
organizationname: Testing Organization
cn: Test Smith
assignedgroup: users
givename: Test
sn: Smith
mail: tests@example.com.au
uid: testsuser
Password: password
objectclass: testPerson
</programlisting>

				The password may be in clear, taken
				from the /etc/passwd or /etc/shadow file, or simply encrypted and
				added using current LDAP tools. There is some specialized software
				for replicating passwd to LDAP and vice versa (e.g.
				<ulink url="http://freshmeat.net/projects/cpu/">http://freshmeat.net/projects/cpu/</ulink>).
			</para>
		</formalpara>

		<para>Also set up the LDAP parameters explained in
			<xref linkend="admin.config.auth" />.
			Don't forget to change your $g_login_method to LDAP.
		</para>

		<formalpara>
			<title>Creating new accounts</title><para>There is still a bit of a problem when you
			want to create a new MantisBT user using LDAP: you must create the
			LDIF entry in LDAP and also sign up for a new account. If both of
			these line up correctly, authentication will proceed. Email
			is queried from the LDAP database if the
			authentication is set to use LDAP, instead of from the user record in the
			database entry.</para>
		</formalpara>

	</section>

	<section id="admin.auth.msad">
		<title>Microsoft Active Directory</title>

		<para>TODO</para>
	</section>
</chapter>
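The LDAP section above notes that the directory password "may be in clear", as it is in the tested LDIF. As an added example (not part of the MantisBT documentation or code base), this Python script parses an LDIF export, handling folded lines and base64 `::` values, and reports every entry whose password value carries no `{SCHEME}` prefix. The audited attribute names and the second sample entry are assumptions constructed for illustration.

```python
import base64
import re

# Constructed sample: the first entry follows the LDIF on this page (cleartext
# "Password"); the second is constructed, with a folded dn and a base64 value.
SAMPLE_LDIF = """\
dn: uid=tests, dc=test, dc=com, dc=au
uid: testsuser
Password: password
objectclass: testPerson

dn: uid=hashed,
 dc=test, dc=com, dc=au
uid: hasheduser
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtZGlnZXN0
objectclass: testPerson
"""

PASSWORD_ATTRS = {"password", "userpassword"}   # assumption: attribute names to audit
SCHEME = re.compile(r"^\{[A-Za-z0-9.\-]+\}.")   # RFC 2307 style "{SCHEME}value"

def parse_ldif(text):
    """Yield one {attr_lower: [values]} dict per entry, unfolding and decoding."""
    unfolded = re.sub(r"\n ", "", text)          # RFC 2849 line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        yield entry

def cleartext_password_entries(text):
    """Return the dn of every entry holding a password value with no {SCHEME} prefix."""
    flagged = []
    for entry in parse_ldif(text):
        values = [v for a in PASSWORD_ATTRS for v in entry.get(a, [])]
        if any(not SCHEME.match(v) for v in values):
            flagged.append(entry.get("dn", ["<no dn>"])[0])
    return flagged

if __name__ == "__main__":
    print(cleartext_password_entries(SAMPLE_LDIF))
```

A `{SCHEME}` prefix only shows that the value is not stored verbatim; whether the scheme itself is acceptable is a separate policy check.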
| Generated: Thu Jul 28 15:48:31 2011 | Cross-referenced by PHPXref 0.7 |