diff --git a/config_defaults_inc.php b/config_defaults_inc.php index cc770a38bd..cbf21ca653 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -1739,8 +1739,10 @@ /** * Login authentication method. Must be one of - * MD5, LDAP, BASIC_AUTH or HTTP_AUTH. You can simply change this at - * will. MantisBT will try to figure out how the passwords were encrypted. + * MD5, LDAP, BASIC_AUTH or HTTP_AUTH. + * Note: you may not be able to easily switch encryption methods, so this + * should be carefully chosen at install time. However, MantisBT will attempt + * to "fall back" to older methods if possible. * @global int $g_login_method */ $g_login_method = MD5; diff --git a/docbook/Admin_Guide/en-US/Authentication.xml b/docbook/Admin_Guide/en-US/Authentication.xml index dd22ad494a..0597950f83 100644 --- a/docbook/Admin_Guide/en-US/Authentication.xml +++ b/docbook/Admin_Guide/en-US/Authentication.xml @@ -1,4 +1,4 @@ - + %BOOK_ENTITIES; @@ -6,9 +6,9 @@ Authentication - MantisBT supports several authentication techniques out of the box. In addition, there is work in progress relating to supporting authentication plug-ins. Once authentication plug-ins are implemented, then authentication against any protocol or repository of user names and passwords can be done without having to touch MantisBT core code. + MantisBT supports several authentication methods out of the box. In addition, there is work in progress relating to supporting authentication plug-ins. Once these are implemented, authentication against any protocol or repository of user names and passwords will be possible without having to touch MantisBT core code. - Although MantisBT supports multiple authentication techniques, it is important to note that MantisBT doesn't yet support hybrid authentication scenarios. For example, internal staff authentications against LDAP where customer authentications against MantisBT database. + It is important to note that MantisBT does not yet support hybrid authentication scenarios. For example, internal staff authenticating against LDAP while customers authenticate against the MantisBT database with MD5 hash. See $g_login_method in for more details about how to configure MantisBT to use one of these @@ -17,27 +17,31 @@
Standard Authentication - Standard, or native, authentication is where MantisBT users are authenticated against user records in the MantisBT database. The passwords are stored in the database in one of several formats: + With Standard login method, MantisBT users are authenticated against records in the MantisBT database, where the passwords are stored as a hash. + Note: while technically unlimited, the password's length is arbitrarily restricted to 1024 characters (PASSWORD_MAX_SIZE_BEFORE_HASH constant). + Values for $g_login_method: - MD5 - This is default and recommended approach. See MD5 topic on Wikipedia for more details. - CRYPT - deprecated. - CRYPT_FULL_SALT - deprecated. - PLAIN - deprecated. + MD5 is the default - and recommended - method + Support for additional methods (e.g. SHA-1) could be added in the future
-
- HTTP_AUTH +
+ Basic Authentication + Value for $g_login_method: BASIC_AUTH When MantisBT is configured to use basic auth, it automatically detects the logged in user and checks if they are already registered in MantisBT, if not, then a new account is automatically created for the username. + The password length is limited to the size of the underlying database field (DB_FIELD_SIZE_PASSWORD constant), currently 32 characters.
-
- BASIC_AUTH +
+ HTTP Authentication + Value for $g_login_method: HTTP_AUTH TODO + The password length is limited to the size of the underlying database field (DB_FIELD_SIZE_PASSWORD constant), currently 32 characters.
@@ -93,4 +97,18 @@
+
+ Deprecated authentication methods + + The following methods of authentication are deprecated, and supported for backwards-compatibility reasons only. It is strongly recommended to update MantisBT installations relying on these to use instead. + Deprecated values for $g_login_method: + + CRYPT + CRYPT_FULL_SALT + PLAIN + + With CRYPT-based methods, the password's length is limited as per Standard Authentication. With PLAIN, its size is restricted as for Basic Authentication. + +
+ diff --git a/docbook/Admin_Guide/en-US/Configuration.xml b/docbook/Admin_Guide/en-US/Configuration.xml index 820698493f..30da200708 100644 --- a/docbook/Admin_Guide/en-US/Configuration.xml +++ b/docbook/Admin_Guide/en-US/Configuration.xml @@ -1,4 +1,4 @@ - + %BOOK_ENTITIES; @@ -1681,16 +1681,10 @@ (defaults to MD5): - MD5 - user's password is stored as - a hash in the database + MD5 - user's password is stored as a hash in the database - LDAP - authenticates against an LDAP - (or Active Directory) server - - - PLAIN - password is stored in plain, - unencrypted text in the database + LDAP - authenticates against an LDAP (or Active Directory) server BASIC_AUTH @@ -1698,15 +1692,23 @@ HTTP_AUTH + + In addition, the following deprecated values are supported for backwards-compatibility, and should no longer be used: + + + PLAIN - password is stored in plain, unencrypted text in the database + + + CRYPT + + + CRYPT_FULL_SALT + - CRYPT and CRYPT_FULL_SALT authentication methods - are deprecated and should not be used. + Note: you may not be able to easily switch encryption methods, so this should be carefully chosen at install time. + However, MantisBT will attempt to "fall back" to older methods if possible. - Note: you will not be able to easily convert - between encryption methods, so this needs to be - carefully chosen at install time. However, MantisBT - will attempt to "fall back" to older methods.