CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" >

4.2. Optional Additional Configuration

4.2.1. Dependency Charts

As well as the text-based dependency graphs, Bugzilla also supports dependency graphing, using a package called 'dot'. Exactly how this works is controlled by the 'webdotbase' parameter, which can have one of three values:

  1. A complete file path to the command 'dot' (part of GraphViz) will generate the graphs locally

  2. A URL prefix pointing to an installation of the webdot package will generate the graphs remotely

  3. A blank value will disable dependency graphing.

So, to get this working, install GraphViz. If you do that, you need to enable server-side image maps in Apache. Alternatively, you could set up a webdot server, or use the AT&T public webdot server (the default for the webdotbase param). Note that AT&T's server won't work if Bugzilla is only accessible using HTTPS.

4.2.2. Bug Graphs

As long as you installed the GD and Graph::Base Perl modules you might as well turn on the nifty Bugzilla bug reporting graphs.

Add a cron entry like this to run collectstats.pl daily at 5 after midnight:

bash# crontab -e
5 0 * * * cd <your-bugzilla-directory> ; ./collectstats.pl

After two days have passed you'll be able to view bug graphs from the Bug Reports page.

4.2.3. The Whining Cron

By now you have a fully functional Bugzilla, but what good are bugs if they're not annoying? To help make those bugs more annoying you can set up Bugzilla's automatic whining system to complain at engineers which leave their bugs in the NEW state without triaging them.

This can be done by adding the following command as a daily crontab entry (for help on that see that crontab man page):

cd <your-bugzilla-directory> ; ./whineatnews.pl

Tip

Depending on your system, crontab may have several manpages. The following command should lead you to the most useful page for this purpose:
man 5 crontab

4.2.4. LDAP Authentication

Warning

This information on using the LDAP authentication options with Bugzilla is old, and the authors do not know of anyone who has tested it. Approach with caution.

The existing authentication scheme for Bugzilla uses email addresses as the primary user ID, and a password to authenticate that user. All places within Bugzilla where you need to deal with user ID (e.g assigning a bug) use the email address. The LDAP authentication builds on top of this scheme, rather than replacing it. The initial log in is done with a username and password for the LDAP directory. This then fetches the email address from LDAP and authenticates seamlessly in the standard Bugzilla authentication scheme using this email address. If an account for this address already exists in your Bugzilla system, it will log in to that account. If no account for that email address exists, one is created at the time of login. (In this case, Bugzilla will attempt to use the "displayName" or "cn" attribute to determine the user's full name.) After authentication, all other user-related tasks are still handled by email address, not LDAP username. You still assign bugs by email address, query on users by email address, etc.

Using LDAP for Bugzilla authentication requires the Mozilla::LDAP (aka PerLDAP) Perl module. The Mozilla::LDAP module in turn requires Netscape's Directory SDK for C. After you have installed the SDK, then install the PerLDAP module. Mozilla::LDAP and the Directory SDK for C are both available for download from mozilla.org.

Set the Param 'useLDAP' to "On" **only** if you will be using an LDAP directory for authentication. Be very careful when setting up this parameter; if you set LDAP authentication, but do not have a valid LDAP directory set up, you will not be able to log back in to Bugzilla once you log out. (If this happens, you can get back in by manually editing the data/params file, and setting useLDAP back to 0.)

If using LDAP, you must set the three additional parameters: Set LDAPserver to the name (and optionally port) of your LDAP server. If no port is specified, it defaults to the default port of 389. (e.g "ldap.mycompany.com" or "ldap.mycompany.com:1234") Set LDAPBaseDN to the base DN for searching for users in your LDAP directory. (e.g. "ou=People,o=MyCompany") uids must be unique under the DN specified here. Set LDAPmailattribute to the name of the attribute in your LDAP directory which contains the primary email address. On most directory servers available, this is "mail", but you may need to change this.

4.2.5. Preventing untrusted Bugzilla content from executing malicious Javascript code

It is possible for a Bugzilla to execute malicious Javascript code. Due to internationalization concerns, we are unable to incorporate the code changes necessary to fulfill the CERT advisory requirements mentioned in http://www.cet.org/tech_tips/malicious_code_mitigation.html/#3. Executing the following code snippet from a UNIX command shell will rectify the problem if your Bugzilla installation is intended for an English-speaking audience. As always, be sure your Bugzilla installation has a good backup before making changes, and I recommend you understand what the script is doing before executing it.

bash# perl -pi -e "s/Content-Type\: text\/html/Content-Type\: text\/html\; charset=ISO-8859-1/i" *.cgi *.pl
        

All this one-liner command does is search for all instances of "Content-type: text/html" and replaces it with "Content-Type: text/html; charset=ISO-8859-1" . This specification prevents possible Javascript attacks on the browser, and is suggested for all English-speaking sites. For non-English-speaking Bugzilla sites, I suggest changing "ISO-8859-1", above, to "UTF-8".

Note: using <meta> tags to set the charset is not recommended, as there's a bug in Netscape 4.x which causes pages marked up in this way to load twice.

4.2.6. .htaccess files and security

To enhance the security of your Bugzilla installation, Bugzilla's checksetup.pl script will generate .htaccess files which the Apache webserver can use to restrict access to the bugzilla data files. These .htaccess files will not work with Apache 1.2.x - but this has security holes, so you shouldn't be using it anyway.

Note

If you are using an alternate provider of webdot services for graphing (as described when viewing editparams.cgi in your web browser), you will need to change the ip address in data/webdot/.htaccess to the ip address of the webdot server that you are using.

The default .htaccess file may not provide adequate access restrictions, depending on your web server configuration. Be sure to check the <Directory> entries for your Bugzilla directory so that the .htaccess file is allowed to override web server defaults. For instance, let's assume your installation of Bugzilla is installed to /usr/local/bugzilla . You should have this <Directory> entry in your httpd.conf file:


  <Directory /usr/local/bugzilla/>
  Options +FollowSymLinks +Indexes +Includes +ExecCGI
  AllowOverride All
</Directory>

The important part above is "AllowOverride All" . Without that, the .htaccess file created by checksetup.pl will not have sufficient permissions to protect your Bugzilla installation.

If you are using Internet Information Server (IIS) or another web server which does not observe .htaccess conventions, you can disable their creation by editing localconfig and setting the $create_htaccess variable to 0.

4.2.7. mod_throttle and Security

It is possible for a user, by mistake or on purpose, to access the database many times in a row which can result in very slow access speeds for other users. If your Bugzilla installation is experiencing this problem , you may install the Apache module mod_throttle which can limit connections by ip-address. You may download this module at http://www.snert.com/Software/Throttle/. Follow the instructions to install into your Apache install. This module only functions with the Apache web server! You may use the ThrottleClientIP command provided by this module to accomplish this goal. See the Module Instructions for more information.