Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Mozilla/mozilla/webtools/bugzilla/docs/html/extraconfig.html
gerv%gerv.net a1ca8312b7 Massive rearrangement of the installation section. Hopefully it makes sense now. 
git-svn-id: svn://10.0.0.236/trunk@151798 18797224-902f-48f8-a5cc-f745e15eee43
2004-01-24 18:31:00 +00:00

742 lines
15 KiB
HTML
Raw Blame History

<HTML
><HEAD
><TITLE
>Optional Additional Configuration</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="The Bugzilla Guide - 2.17.7
Development Release"
HREF="index.html"><LINK
REL="UP"
TITLE="Installing Bugzilla"
HREF="installing-bugzilla.html"><LINK
REL="PREVIOUS"
TITLE="Configuration"
HREF="configuration.html"><LINK
REL="NEXT"
TITLE="OS-Specific Installation Notes"
HREF="os-specific.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Bugzilla Guide - 2.17.7
Development Release</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="configuration.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 2. Installing Bugzilla</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="os-specific.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="extraconfig"
></A
>2.3. Optional Additional Configuration</H1
><P
>&#13; Bugzilla has a number of optional features. This section describes how
to configure or enable them.
</P
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN584"
></A
>2.3.1. Bug Graphs</H2
><P
>If you have installed the necessary Perl modules you
can start collecting statistics for the nifty Bugzilla
graphs.</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
><TT
CLASS="prompt"
>bash#</TT
> <B
CLASS="command"
>crontab -e</B
></PRE
></FONT
></TD
></TR
></TABLE
><P
>&#13; This should bring up the crontab file in your editor.
Add a cron entry like this to run
<TT
CLASS="filename"
>collectstats.pl</TT
>
daily at 5 after midnight:
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>5 0 * * * cd &#60;your-bugzilla-directory&#62; ; ./collectstats.pl</PRE
></FONT
></TD
></TR
></TABLE
><P
>After two days have passed you'll be able to view bug graphs from
the Reports page.</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN594"
></A
>2.3.2. Dependency Charts</H2
><P
>As well as the text-based dependency trees, Bugzilla also
supports a graphical view of dependency relationships, using a
package called 'dot'.
Exactly how this works is controlled by the 'webdotbase' parameter,
which can have one of three values:
</P
><P
>&#13; <P
></P
><OL
TYPE="1"
><LI
><P
>&#13; A complete file path to the command 'dot' (part of
<A
HREF="http://www.graphviz.org/"
TARGET="_top"
>GraphViz</A
>)
will generate the graphs locally
</P
></LI
><LI
><P
>&#13; A URL prefix pointing to an installation of the webdot package will
generate the graphs remotely
</P
></LI
><LI
><P
>&#13; A blank value will disable dependency graphing.
</P
></LI
></OL
>
</P
><P
>The easiest way to get this working is to install
<A
HREF="http://www.graphviz.org/"
TARGET="_top"
>GraphViz</A
>. If you
do that, you need to
<A
HREF="http://httpd.apache.org/docs/mod/mod_imap.html"
TARGET="_top"
>enable
server-side image maps</A
> in Apache.
Alternatively, you could set up a webdot server, or use the AT&#38;T
public webdot server. This is the default for the webdotbase param,
but it's often overloaded and slow. Note that AT&#38;T's server
won't work
if Bugzilla is only accessible using HARTS.
<EM
>Editor's note: What the heck is HARTS? Google doesn't know...
</EM
>
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="AEN610"
></A
>2.3.3. The Whining Cron</H2
><P
>What good are
bugs if they're not annoying? To help make them more so you
can set up Bugzilla's automatic whining system to complain at engineers
which leave their bugs in the NEW or REOPENED state without triaging them.
</P
><P
>&#13;
This can be done by
adding the following command as a daily crontab entry, in the same manner
as explained above for bug graphs. This example runs it at 12.55am.
</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>55 0 * * * cd &#60;your-bugzilla-directory&#62; ; ./whineatnews.pl</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="patch-viewer"
></A
>2.3.4. Patch Viewer</H2
><P
>&#13; Patch Viewer is the engine behind Bugzilla's graphical display of
code patches. You can integrate this with copies of the
<TT
CLASS="filename"
>cvs</TT
>, <TT
CLASS="filename"
>lxr</TT
> and
<TT
CLASS="filename"
>bonsai</TT
> tools if you have them, by giving
the locations of your installation of these tools in
<TT
CLASS="filename"
>editparams.cgi</TT
>.
</P
><P
>&#13; Patch Viewer also optionally will use the
<TT
CLASS="filename"
>cvs</TT
>, <TT
CLASS="filename"
>diff</TT
> and
<TT
CLASS="filename"
>interdiff</TT
>
command-line utilities if they exist on the system.
Interdiff can be obtained from
<A
HREF="http://cyberelk.net/tim/patchutils/"
TARGET="_top"
>http://cyberelk.net/tim/patchutils/</A
>.
If these programs are not in the system path, you can configure
their locations in <TT
CLASS="filename"
>localconfig</TT
>.
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="bzldap"
></A
>2.3.5. LDAP Authentication</H2
><P
>LDAP authentication is a module for Bugzilla's plugin
authentication architecture.
</P
><P
>&#13; The existing authentication
scheme for Bugzilla uses email addresses as the primary user ID, and a
password to authenticate that user. All places within Bugzilla where
you need to deal with user ID (e.g assigning a bug) use the email
address. The LDAP authentication builds on top of this scheme, rather
than replacing it. The initial log in is done with a username and
password for the LDAP directory. This then fetches the email address
from LDAP and authenticates seamlessly in the standard Bugzilla
authentication scheme using this email address. If an account for this
address already exists in your Bugzilla system, it will log in to that
account. If no account for that email address exists, one is created at
the time of login. (In this case, Bugzilla will attempt to use the
"displayName" or "cn" attribute to determine the user's full name.)
After authentication, all other user-related tasks are still handled by
email address, not LDAP username. You still assign bugs by email
address, query on users by email address, etc.
</P
><DIV
CLASS="caution"
><P
></P
><TABLE
CLASS="caution"
WIDTH="100%"
BORDER="0"
><TR
><TD
WIDTH="25"
ALIGN="CENTER"
VALIGN="TOP"
><IMG
SRC="../images/caution.gif"
HSPACE="5"
ALT="Caution"></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
><P
>Because the Bugzilla account is not created until the first time
a user logs in, a user who has not yet logged is unknown to Bugzilla.
This means they cannot be used as an assignee or QA contact (default or
otherwise), added to any cc list, or any other such operation. One
possible workaround is the <TT
CLASS="filename"
>bugzilla_ldapsync.rb</TT
>
script in the
<A
HREF="glossary.html#gloss-contrib"
><I
CLASS="glossterm"
><TT
CLASS="filename"
>contrib</TT
></I
></A
> directory. Another possible solution is fixing
<A
HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=201069"
TARGET="_top"
>bug
201069</A
>.
</P
></TD
></TR
></TABLE
></DIV
><P
>Parameters required to use LDAP Authentication:</P
><P
></P
><DIV
CLASS="variablelist"
><DL
><DT
><A
NAME="param-loginmethod"
></A
>loginmethod</DT
><DD
><P
>This parameter should be set to <SPAN
CLASS="QUOTE"
>"LDAP"</SPAN
>
<EM
>only</EM
> if you will be using an LDAP directory
for authentication. If you set this param to <SPAN
CLASS="QUOTE"
>"LDAP"</SPAN
> but
fail to set up the other parameters listed below you will not be
able to log back in to Bugzilla one you log out. If this happens
to you, you will need to manually edit
<TT
CLASS="filename"
>data/params</TT
> and set loginmethod to
<SPAN
CLASS="QUOTE"
>"DB"</SPAN
>.
</P
></DD
><DT
><A
NAME="param-LDAPserver"
></A
>LDAPserver</DT
><DD
><P
>This parameter should be set to the name (and optionally the
port) of your LDAP server. If no port is specified, it assumes
the default LDAP port of 389.
</P
><P
>Ex. <SPAN
CLASS="QUOTE"
>"ldap.company.com"</SPAN
>
or <SPAN
CLASS="QUOTE"
>"ldap.company.com:3268"</SPAN
>
</P
></DD
><DT
><A
NAME="param-LDAPbinddn"
></A
>LDAPbinddn [Optional]</DT
><DD
><P
>Some LDAP servers will not allow an anonymous bind to search
the directory. If this is the case with your configuration you
should set the LDAPbinddn parameter to the user account Bugzilla
should use instead of the anonymous bind.
</P
><P
>Ex. <SPAN
CLASS="QUOTE"
>"cn=default,cn=user:password"</SPAN
></P
></DD
><DT
><A
NAME="param-LDAPBaseDN"
></A
>LDAPBaseDN</DT
><DD
><P
>The LDAPBaseDN parameter should be set to the location in
your LDAP tree that you would like to search for email addresses.
Your uids should be unique under the DN specified here.
</P
><P
>Ex. <SPAN
CLASS="QUOTE"
>"ou=People,o=Company"</SPAN
></P
></DD
><DT
><A
NAME="param-LDAPuidattribute"
></A
>LDAPuidattribute</DT
><DD
><P
>The LDAPuidattribute parameter should be set to the attribute
which contains the unique UID of your users. The value retrieved
from this attribute will be used when attempting to bind as the
user to confirm their password.
</P
><P
>Ex. <SPAN
CLASS="QUOTE"
>"uid"</SPAN
></P
></DD
><DT
><A
NAME="param-LDAPmailattribute"
></A
>LDAPmailattribute</DT
><DD
><P
>The LDAPmailattribute parameter should be the name of the
attribute which contains the email address your users will enter
into the Bugzilla login boxes.
</P
><P
>Ex. <SPAN
CLASS="QUOTE"
>"mail"</SPAN
></P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="content-type"
></A
>2.3.6. Prevent users injecting malicious
Javascript</H2
><P
>It is possible for a Bugzilla user to take advantage of character
set encoding ambiguities to inject HTML into Bugzilla comments. This
could include malicious scripts.
Due to internationalization concerns, we are unable to
incorporate by default the code changes suggested by
<A
HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"
TARGET="_top"
>&#13; the CERT advisory</A
> on this issue.
If your installation is for an English speaking audience only, making the
change below will prevent this problem.
</P
><P
>Simply locate the following line in
<TT
CLASS="filename"
>Bugzilla/CGI.pm</TT
>:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>$self-&#62;charset('');</PRE
></FONT
></TD
></TR
></TABLE
>
and change it to:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="programlisting"
>$self-&#62;charset('ISO-8859-1');</PRE
></FONT
></TD
></TR
></TABLE
>
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="mod-throttle"
></A
>2.3.7. <TT
CLASS="filename"
>mod_throttle</TT
></H2
><P
>It is possible for a user, by mistake or on purpose, to access
the database many times in a row which can result in very slow access
speeds for other users. If your Bugzilla installation is experiencing
this problem, you may install the Apache module
<TT
CLASS="filename"
>mod_throttle</TT
>
which can limit connections by IP address. You may download this module
at
<A
HREF="http://www.snert.com/Software/mod_throttle/"
TARGET="_top"
>http://www.snert.com/Software/mod_throttle/</A
>.
Follow the instructions to install into your Apache install.
<EM
>This module only functions with the Apache web
server!</EM
>
The command you need is
<B
CLASS="command"
>ThrottleClientIP</B
>. See the
<A
HREF="http://www.snert.com/Software/mod_throttle/"
TARGET="_top"
>documentation</A
>
for more information.</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-networking"
></A
>2.3.8. TCP/IP Ports</H2
><P
>A single-box Bugzilla only requires port 80, plus port 25 if
you are using the optional email interface. You should firewall all
other ports and/or disable services listening on them.
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="security-daemon"
></A
>2.3.9. Daemon Accounts</H2
><P
>Many daemons, such as Apache's httpd and MySQL's mysqld default to
running as either <SPAN
CLASS="QUOTE"
>"root"</SPAN
> or <SPAN
CLASS="QUOTE"
>"nobody"</SPAN
>. Running
as <SPAN
CLASS="QUOTE"
>"root"</SPAN
> introduces obvious security problems, but the
problems introduced by running everything as <SPAN
CLASS="QUOTE"
>"nobody"</SPAN
> may
not be so obvious. Basically, if you're running every daemon as
<SPAN
CLASS="QUOTE"
>"nobody"</SPAN
> and one of them gets compromised, they all get
compromised. For this reason it is recommended that you create a user
account for each daemon.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="configuration.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="os-specific.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Configuration</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="installing-bugzilla.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>OS-Specific Installation Notes</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink