I have been having problems configuring the authentication for MantisBT. Currently, I am trying to run 1.1.8 on a RHEL5/php-5.1.x system.
Ideally, I'd like to use http or basic authentication (I think). I'm a little uncertain because I've had trouble finding enough details in the documentation to be sure. I've also experimented with LDAP authentication against my Active Directory, though this is not my preferred solution. So far, I've been unable to get any of these to work properly.
For BASIC_AUTH, I've simply set
$g_login_method = BASIC_AUTH;
In this mode, I also configure apache to auth the user (against LDAP) using mod_authnz_ldap. This works fine. After entering my username/password, I am presented with the MantisBT login page?
* Any attempt to authenticate again is unsuccessful.
* If I go through the request new account thing, and follow the link back to the system, I am logged in fine and can do stuff.
* Subsequent logout/login always fails after the initial login after account creation. I can auth via apache as expected, but I am still presented with the MantisBT login page, and no combination of username/password is successful. Errors returned indicate the username/password is bad.
For LDAP, I configure the system to auth directly to my ldap server like:
--- LDAP Authentication Configuration ---
$g_login_method = LDAP;
$g_ldap_server = "ldaps://<my servers FQDN>";
$g_ldap_port = 636;
$g_ldap_root_dn = "CN=Users, DC=<MyDomain>, DC=<MyTLD>";
$g_ldap_bind_dn = "CN=ldapread, OU=Users, OU=<OU1>, OU=<OU2>, DC=<MyDomain>, DC=<MyTLD>";
$g_ldap_bind_passwd = "<MySvcPasswd>";
#$g_use_ldap_email = YES;
$g_ldap_follow_referrals = OFF;
$g_ldap_protocol_version = 3;
With this configuration, I also disable the apache authentication. Then, I am immediately presented with the MantisBT login. No username/password allows me to login. Again, if I go through the request new account process, after following the link back, I am logged in. However, if I log out and try to come back, it continues to fail to authenticate.
To check my LDAP connection, I tried changing the ldap service account name to an incorrect one. In this case, accessing the login page gives me an error to the effect that the LDAP connection failed. I've tried the same experiments with ldap and port 389 (instead of ldaps and 636).
I've also tried disabling the fancier auth methods and logged in with the admin account. I then created an account entry for an account where the username matches one in Active Directory, then attempting to login (using LDAP and BASIC_AUTH), with similar results -- I am always presented with the MantisBT login page, through which I can never authenticate.
I started out with MantisBT-1.2.1. After the same fiddling described above, I noticed the dependence on PHP-5.2.x. At that point, I abandoned that installation and went back to 1.1.8 since it was purportedly supported by the PHP I am running. The results have been identical for both versions.
I can't help but think I am missing something obvious. But so far, it has eluded me. I have a couple of days into this at this point, and had hoped configuring the authentication would be a simple matter. I've done it for numerous other web applications and systems, but this one has me stumped.
Does anyone see what I'm missing here? The product looks great and I'm anxious to deliver it to a group of interested users, but I've got to get this part working first (obviously).
Thanks for any assistance,
Marty Wise
Jefferson Lab
Newport News, Virginia, US
Re: Authentication Configuration
OK. So, I'm an idiot. After lots of re-reading and comparing my config to others, it finally dawned on me that in the 1.1.8 config I prepared, I didn't specify the $g_ldap_uid_field. Once I set this to sAMAccountName (typical for AD-style LDAP auth), things began working. At least for the account that I had previously created (using BASIC_AUTH, and following the request new account procedure).
When I tried to login with another AD account, this failed with the disabled/blocked/wrong password message. I used the other (admin) account to "Create New Account" for the second user. This still produced the disabled/blocked/wrong message as before.
I thought I would go through the signup new account process as before. Doing so, requesting an account with a username that matches an active directory account, sends me the usual enrollment email, etc. When I click on the included link, it takes me to mantis and gives me the edit account page to allow me to enter my real name, etc. All looks good. Logging out and trying to log back in (within a single Firefox session) initially gave me problems, producing the disabled/blocked/wrong page. I cleared my browser history (cookies, etc.) and tried again and it worked like a charm. In light of this, I'm going to go back and repeat some of my earlier tests, being more careful about clearing old (wrong) session data, etc. and see if I see any improvement.
Marty
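Added example (not part of the original posts and not MantisBT code): an offline simulation of the user lookup, showing why the login is rejected against Active Directory until `$g_ldap_uid_field` is `sAMAccountName`. It assumes the lookup filter has the form `(<uid field>=<username>)` and that an unset uid field falls back to `uid`; the directory entries and all function names are constructed for illustration.

```python
import re

# Constructed sample entries shaped like Active Directory user objects:
# the login name lives in sAMAccountName and there is no uid attribute.
DIRECTORY = [
    {"dn": "CN=Jane Doe,CN=Users,DC=example,DC=org",
     "cn": "Jane Doe", "sAMAccountName": "jdoe"},
    {"dn": "CN=ldapread,CN=Users,DC=example,DC=org",
     "cn": "ldapread", "sAMAccountName": "ldapread"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a login name per RFC 4515 before placing it in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(uid_field, username):
    """Assumed filter shape: (<uid_field>=<username>)."""
    return "(%s=%s)" % (uid_field, escape_filter_value(username))

def search(ldap_filter):
    """Evaluate a single equality filter against DIRECTORY; return matching DNs."""
    m = re.fullmatch(r"\(([A-Za-z0-9-]+)=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr = m.group(1).lower()  # LDAP attribute names are case-insensitive
    value = re.sub(r"\\([0-9a-fA-F]{2})",
                   lambda h: chr(int(h.group(1), 16)), m.group(2))
    hits = []
    for entry in DIRECTORY:
        attrs = {k.lower(): v for k, v in entry.items()}
        if attrs.get(attr, "").lower() == value.lower():
            hits.append(entry["dn"])
    return hits

def resolve_user(uid_field, username):
    """Return the user's DN, or None when the lookup finds no single entry.
    Without a DN there is nothing to bind as, so the login is rejected."""
    hits = search(build_filter(uid_field, username))
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for field in ("uid", "sAMAccountName"):
        print(field, "->", resolve_user(field, "jdoe"))
```

The same comparison can be made against a real directory by running the two filters with the read-only service account and checking which one returns the user's entry.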