View Issue Details

ID: 0036831
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2026-01-21 11:55
Reporter: spiditt
Assigned To:
Priority: high
Severity: block
Reproducibility: have not tried
Status: feedback
Resolution: open
Product Version: 2.28.0
Summary: 0036831: Administrative lockout risk: Lack of local database fallback when LDAP authentication is enabled
Description

Problem: In the current version of MantisBT, the authentication method is globally defined via $g_login_method. When set to LDAP, the system strictly enforces LDAP authentication. This creates major issues. If the LDAP server is down or misconfigured, local administrator accounts (stored in the Mantis DB) cannot be used to fix the settings without manually editing config_inc.php on the filesystem to disable LDAP.

Proposed change: I propose modernizing the authentication flow by introducing a "Fallback to Local" mechanism. If a user is not found in the LDAP directory, MantisBT should attempt to authenticate the user as a local user. This approach would allow for a coexistence of LDAP-managed users and local emergency accounts, providing a seamless and secure experience just like in Zabbix, etc. Alternatively, MantisBT should allow defining a "Primary" (LDAP) and "Secondary" (Internal - MD5, BASIC_AUTH or HTTP_AUTH) authentication backend.

Proposed technical implementation: It appears that this could be resolved by a relatively minor modification of the auth_attempt_login() function within: core/authentication_api.php. Currently, the function checks the global $g_login_method and proceeds with only one method. The function should be updated to handle a fallback scenario. If LDAP authentication fails (e.g., user not found in directory or server connection error), the function should not return false immediately. Instead, it should proceed to verify the credentials against the local database as a secondary check.

Tags: No tags attached.
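The report proposes a primary (LDAP) / secondary (local DB) flow but leaves open the question every implementer has to answer first: under which LDAP outcomes is it acceptable to consult the local table at all? The following is an added example, not MantisBT code and not the SampleAuth plugin; the LDAP server is a constructed stand-in (FakeLdap), the password hashing is PBKDF2 chosen for illustration, and all function and account names are assumptions. It models the flow the description sketches (auth_attempt_login() trying LDAP first, then the local database) and adds the two guards a practitioner would want: the local check runs only for an explicit allow-list of emergency accounts, and only when the directory gave no verdict (user not found, or server unreachable). A bind that the directory explicitly rejected never falls back, because that account belongs to the directory and a fallback there would let an attacker sidestep its lockout and password policy by guessing against a stale local hash.

```python
"""Model of a primary-LDAP / secondary-local login flow with guarded fallback.
Added example: not MantisBT's authentication_api.php; every name, the LDAP
stand-in and the sample accounts below are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum, auto

PBKDF2_ITERATIONS = 100_000  # assumption: any slow, salted KDF would do here


class LdapResult(Enum):
    OK = auto()
    USER_NOT_FOUND = auto()  # directory reachable, no such account
    BAD_PASSWORD = auto()    # directory reachable, bind refused
    UNAVAILABLE = auto()     # server down or misconfigured


class FakeLdap:
    """Constructed stand-in for an LDAP simple bind; `users` maps name -> password."""

    def __init__(self, users, available=True):
        self.users = users
        self.available = available

    def bind(self, username, password):
        if not self.available:
            return LdapResult.UNAVAILABLE
        if username not in self.users:
            return LdapResult.USER_NOT_FOUND
        if not hmac.compare_digest(self.users[username].encode(), password.encode()):
            return LdapResult.BAD_PASSWORD
        return LdapResult.OK


def hash_password(password, salt=None):
    """PBKDF2-SHA256 for the local user table; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass(frozen=True)
class LoginOutcome:
    ok: bool
    backend: str  # "ldap", "local" or "none"
    reason: str   # machine-readable string, suitable for an audit log


def attempt_login(username, password, ldap, local_db, fallback_accounts):
    """Primary: LDAP bind. Secondary: local hash, but only for accounts listed in
    `fallback_accounts`, and only when the directory could not answer for this
    user (unreachable, or account unknown). An explicit BAD_PASSWORD from the
    directory is final: the directory owns that account, so no local check."""
    result = ldap.bind(username, password)
    if result is LdapResult.OK:
        return LoginOutcome(True, "ldap", "ldap_ok")
    if result is LdapResult.BAD_PASSWORD:
        return LoginOutcome(False, "none", "ldap_bad_password")

    # USER_NOT_FOUND or UNAVAILABLE: the directory gave no verdict for this user
    reason = result.name.lower()
    if username not in fallback_accounts or username not in local_db:
        return LoginOutcome(False, "none", f"ldap_{reason}_no_fallback")
    salt, digest = local_db[username]
    if verify_password(password, salt, digest):
        return LoginOutcome(True, "local", f"ldap_{reason}_local_ok")
    return LoginOutcome(False, "none", f"ldap_{reason}_local_bad_password")


def build_demo():
    """Constructed sample data: one directory user who also has a stale local
    hash, and one local emergency admin that the directory does not know about."""
    local_db = {
        "emergency-admin": hash_password("local-pw"),
        "alice": hash_password("stale-pw"),
    }
    fallback_accounts = {"emergency-admin"}
    directory = {"alice": "ldap-pw"}
    return local_db, fallback_accounts, FakeLdap(directory), FakeLdap(directory, available=False)


if __name__ == "__main__":
    local_db, fallback, ldap_up, ldap_down = build_demo()
    for name, pw, ldap in [("alice", "ldap-pw", ldap_up), ("alice", "stale-pw", ldap_up),
                           ("emergency-admin", "local-pw", ldap_up),
                           ("emergency-admin", "local-pw", ldap_down),
                           ("alice", "ldap-pw", ldap_down)]:
        state = "ldap up" if ldap.available else "ldap down"
        print(f"{name:16} {state:9} {attempt_login(name, pw, ldap, local_db, fallback)}")
```

Note the asymmetry this encodes: with the directory up, "alice" cannot log in with her stale local password even though the local hash would match, while "emergency-admin" (absent from the directory) can; with the directory down, only the allow-listed emergency account gets through. The `reason` field is deliberately distinct for each path so that an audit log can tell a routine LDAP login from a fallback login, which is the event an operator should be alerting on.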

Activities

dregad (developer) 2026-01-21 11:55 ~0070723

I agree this could be convenient, however please consider

> If the LDAP server is down

This is a somewhat theoretical and unlikely scenario, in my opinion... In every company I've worked for, the LDAP / Active Directory is a critical infrastructure and therefore measures are taken to avoid any downtime (high-availability).

> or misconfigured

In that case you'd have to update your config file to restore access to Mantis, so if you really need to login, you can simply change the login method temporarily.

> this could be resolved by a relatively minor modification of the auth_attempt_login() function

I did not look at the code, but you need to make sure that this plays nice with authentication plugins.

Speaking of which, I'm pretty sure it would be possible to achieve such a fallback feature easily with an Auth plugin, without touching the core.
Please have a look at https://github.com/mantisbt-plugins/SampleAuth.