FogBugz 6.0 Online Help

Settings: Authentication

Log On Method

Choose from:

FogBugz Authentication

FogBugz stores users' passwords in encrypted form, and checks them itself.

In low-security environments (a few users on a LAN, where FogBugz is not available on the Internet), you can set up FogBugz not to require passwords. This is provided for backwards compatibility and is not recommended.

LDAP Authentication

FogBugz checks users' passwords against an LDAP directory, such as Windows Active Directory or any other LDAP server. This allows users to use the same password to log on to FogBugz as they use for other purposes such as logging on to their workstation or email.

LDAP Authentication is not available with FogBugz On Demand.

If you have existing accounts and you want to switch to LDAP, be sure that the name and email address in FogBugz match exactly with the name and email info on the LDAP server.

Checking "Allow LDAP to create new accounts automatically" allows any user with a valid LDAP account to log on to FogBugz. The first time they log on, a FogBugz account is created for them.

If you don't check "Allow LDAP to create new accounts automatically", you must manually create new users in FogBugz. Make sure their full name and email address match exactly with the name and email info on the LDAP server. Those users will then be able to log on with their LDAP password.
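
The exact-match requirement above, for both existing and manually created accounts, can be audited before switching to LDAP. The script below is an added example, not part of FogBugz or its documentation; the record layout, the cn and mail attribute names, and all sample data are constructed assumptions.

```python
# Constructed sample data. The record layout and the LDAP attribute names
# (cn, mail) are assumptions; substitute whatever your exports contain.
FOGBUGZ_USERS = [
    {"name": "Alice Example", "email": "alice@example.com"},
    {"name": "Bob Example", "email": "Bob@example.com"},
    {"name": "Carol  Example", "email": "carol@example.com"},
    {"name": "Dave Example", "email": "dave@example.com"},
]
LDAP_ENTRIES = [
    {"cn": "Alice Example", "mail": "alice@example.com"},
    {"cn": "Bob Example", "mail": "bob@example.com"},
    {"cn": "Carol Example", "mail": "carol@example.com"},
    {"cn": "Erin Example", "mail": "erin@example.com"},
]


def _loose(value):
    """Fold case and collapse whitespace, to spot near-misses only."""
    return " ".join(value.split()).casefold()


def audit(fogbugz_users, ldap_entries):
    """Return (report, ldap_only): report maps each FogBugz email to
    exact / near_miss / missing; ldap_only lists the mail of directory
    entries that have no FogBugz account at all."""
    exact = {(e["cn"], e["mail"]) for e in ldap_entries}
    loose = {(_loose(e["cn"]), _loose(e["mail"])): e for e in ldap_entries}
    report, claimed = {}, set()
    for user in fogbugz_users:
        key = (_loose(user["name"]), _loose(user["email"]))
        if (user["name"], user["email"]) in exact:
            report[user["email"]] = "exact"
        elif key in loose:
            report[user["email"]] = "near_miss"  # fix before switching
        else:
            report[user["email"]] = "missing"    # no LDAP identity found
        if key in loose:
            claimed.add(key)
    ldap_only = sorted(e["mail"] for k, e in loose.items() if k not in claimed)
    return report, ldap_only


if __name__ == "__main__":
    report, ldap_only = audit(FOGBUGZ_USERS, LDAP_ENTRIES)
    for email, status in report.items():
        print(f"{status:10} {email}")
    print("LDAP entries without a FogBugz account:", ldap_only)
```

Entries reported as LDAP-only are the users who would receive a FogBugz account on first logon if "Allow LDAP to create new accounts automatically" is checked.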

Log On

Determines whether the "Remember me at this computer" option appears on the log on page. Without this, users are logged off when they close the browser or after a long idle period.

New User Control

Normally only administrators can create FogBugz accounts. By changing this setting to "Anybody can create a normal account" you will allow anyone who can access the FogBugz URL to make their own normal user account. This is useful if your FogBugz server is secure inside a firewall and you have a large number of potential users in your organization.

This setting can also be changed to "Anybody can create a community account", which will permit anyone to create a community user.

Community Users

Allows community users to register to access wikis and discussion groups. See Community users.

Fog Creek recommends the following best practices for security:

  1. Always use the "Type email address and password" setting.
  2. If your users are likely to be using public Internet terminals, use the "'Remember Me' Not Allowed" setting.
  3. If your FogBugz installation is on the public Internet, ensure that New User Control is set to "Only admins can create accounts."
  4. If your FogBugz installation is on the public Internet, follow your OS vendor's best practices for locking down the server, and always apply the latest patches.
  5. Configure the web server running FogBugz so it only allows access from a restricted set of IP addresses which you trust.
  6. Configure the web server running FogBugz to use SSL.
  7. Configure the web server running FogBugz to require a second level of authentication (browser-based authentication), in addition to the authentication that FogBugz itself provides.