In Bugzilla, how can I change the password used for LDAP integration if I can’t login?

Problem

For Bugzilla authentication, LDAP is configured as the first authentication method (or the only authentication method) and the password for the user used to connect to LDAP has expired or changed.

Attempts to login result in the following error:

Failed to bind to the LDAP server. The error message was: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

Resolution

The change must be made manually to the bugzilla/data/params file.

Using a text editor, open the params file located under the bugzilla website and under the data folder.

Note: On FreeBSD, this was located in /usr/local/etc/www/apache22/data/bugzilla/data/params

Look for the following line to configure this manually in text:

'LDAPbinddn' => 'CN=Barneck\\, Jared,OU=Support,OU=YourOU,DC=Domain,DC=tld:P@sswd!',

As you can see, the password is stored in clear text.  You can change it with any text editor.

Why Bugzilla fails to authenticate a local user when LDAP integration is failing?

Problem

Authentication fails with the following error even when not using an LDAP user:

Failed to bind to the LDAP server. The error message was: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

To me this is a straight-up bug.  I am not sure if it is reported.

Cause

Bugzilla will not even try to authenticate a local user using another authentication method when LDAP integration is both listed first and failing. If LDAP is the first option in the authentication methods and the LDAP bind credentials are invalid, it stops the entire authentication process and returns the error shown above.

Business/Impact

Low.  While this could block all logins to the Bugzilla web page, including administrator logins, a server administrator can recover by making a manual change to one of the configuration text files.

Resolution

Authentication is configured to use LDAP then DB.  It needs to be reversed so that it tries DB then LDAP.

There is a setting called user_verify_class in Bugzilla that allows you to select the different authentication methods you want to use.  There are two places to access this:

  1. Through the web administration
  2. Through the bugzilla/data/params file

Through Web Administration

Log in as an administrator and go to Administration | Parameters | User Authentication.

Then look for the user_verify_class setting.

Click on DB and move it up to the top of the list.

Through the bugzilla/data/params file

Using a text editor, open the params file located under the bugzilla website and under the data folder.

Look for the following line to configure this manually in text:

'user_verify_class' => 'LDAP,DB',

Change it to:

'user_verify_class' => 'DB,LDAP',

The user_verify_class setting

This setting allows for enabling and disabling authentication as well as providing the order for enabled authentication methods.

By default only DB is enabled, but both DB and LDAP can be enabled and ordered so that either is first.  However, LDAP should NOT be first.  The following setting should be used:

'DB,LDAP',
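Both manual edits described above, reordering user_verify_class so that DB precedes LDAP and inspecting the clear-text password in LDAPbinddn, can be checked or automated with a small script. The following Python is an added example, not Bugzilla's own code; it assumes the params file is a Perl hash of 'key' => 'value' lines as shown on this page, that the bind DN itself contains no ':' (everything after the colon is the password), and it runs on a constructed sample rather than a real file.

```python
import re

# Constructed sample of the relevant lines of a Bugzilla data/params file.
# Values are made up; the real file is a Perl hash with many more keys.
SAMPLE_PARAMS = r"""
%param = (
    'LDAPbinddn' => 'CN=Example\\, Admin,OU=Support,DC=example,DC=tld:S3cret!',
    'user_verify_class' => 'LDAP,DB',
);
""".strip("\n")

# One "'key' => 'value'," entry; the value is a Perl single-quoted string (only \\ and \' are escapes).
ENTRY_RE = re.compile(r"^(\s*)'([^']+)'(\s*=>\s*)'((?:[^'\\]|\\.)*)'(\s*,\s*)$")

def perl_sq_unescape(raw):
    return re.sub(r"\\([\\'])", r"\1", raw)

def parse_params(text):
    """Return {key: decoded value} for every simple 'key' => 'value' entry."""
    params = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            params[m.group(2)] = perl_sq_unescape(m.group(4))
    return params

def db_first(methods):
    """Reorder a user_verify_class value so DB comes before LDAP; other methods keep their order."""
    order = [x.strip() for x in methods.split(",") if x.strip()]
    if "DB" in order and "LDAP" in order and order.index("LDAP") < order.index("DB"):
        order.remove("DB")
        order.insert(order.index("LDAP"), "DB")
    return ",".join(order)

def fix_verify_class(text):
    """Rewrite only the user_verify_class line; every other line is left byte-for-byte intact."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(2) == "user_verify_class":
            new = db_first(perl_sq_unescape(m.group(4)))  # method names need no Perl escaping
            line = f"{m.group(1)}'user_verify_class'{m.group(3)}'{new}'{m.group(5)}"
        out.append(line)
    return "\n".join(out)

def masked_binddn(binddn):
    """The DN:password value with the password hidden, for audit notes or tickets."""
    dn, sep, _ = binddn.partition(":")  # assumes the DN contains no ':'
    return dn + (":***" if sep else "")
```

Feed the contents of the real data/params file to parse_params or fix_verify_class after taking a backup; masked_binddn gives a form of the bind DN that is safe to paste into a ticket without exposing the password.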

A Bugzilla authentication dilemma?

Let me tell you the dilemma I just faced and resolved.

I have a bugzilla installation that is configured to use LDAP for authentication.  It is configured to fall back to DB authentication if LDAP isn’t available.

I have both a local user and a domain user that are admins just to resolve this situation where I can’t login as a domain user.  I can login as the local user and make the change I need.

First, let me tell you that this is a test/educational server for learning so I “fiddle” with it. It’s not in production.

Well, my password changed, as commonly happens every 90 days, and I went to update the password using the local account.

No matter what I tried, I couldn’t login with the local account. My password has changed a few times and this had never been a problem.

So this is my dilemma.  I can’t login to get to the screen to update my password.

Well, I learned a few things due to this problem and I plan to post on them:

  1. In Bugzilla, how can I change the password used for LDAP integration if I can’t login?
  2. Why Bugzilla fails to authenticate a local user when LDAP integration is failing?

I plan to make a post on both and I will link to them here when they are done.