On a fresh install of Bugzilla 5.0.6 with Apache 2.4.41 on Ubuntu 20 I'd like to map our domain users to our existing Bugzilla accounts. (We're migrating from an earlier version of Bugzilla but on Apache with Windows, so it's almost a new install except for the database migration.)
To do this I've skipped Bugzilla's LDAP settings in favor of using the Apache integration with authnz, which is what we did a long time ago with the original setup. (To be fair, Apache on Windows uses a different module for this, SSPI). We also have this setup working on other servers (e.g., a wiki). My LDAP settings look like this:
<Location "/">
    AuthName "Bugzilla user login (WHL user/pwd)"
    AuthType Basic
    AuthBasicProvider ldap
    LDAPReferrals Off
    # If desired add port 389 or 3268
    AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName?sub?(objectClass=*)
    AuthLDAPBindDN "CN=name,OU=accounts,DC=org1,DC=org2"
    AuthLDAPBindPassword "xxxpwdxxx"
    Require valid-user
</Location>
I think it's close to working for a few reasons:
This would point to a problem with the AuthLDAPUrl, but no combinations I've found so far have worked. Looking for any suggestions to fix this up.
Or if this isn't the way to do it and the preferred way is to use Bugzilla's ldap authentication, please let me know.
As I suspected, the solution was close, but since it wasn't horseshoes or hand grenades, here we are. It turns out this string
AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName?sub?(objectClass=*)
needed an additional lookup, which was the rather important userPrincipalName (email), à la
AuthLDAPUrl ldap://ldapserver/dc=org1,dc=org2?sAMAccountName,userPrincipalName?sub?(objectClass=*)
In addition, this line
AuthLDAPRemoteUserAttribute userPrincipalName
instructed Apache to put that email address in the X-Remote-User HTTP header. Et voilà, it all works.
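For reference, here is the complete `<Location>` block with both fixes from the answer folded into the original question's configuration. This is an added example, not configuration from the original post; the host name, base DN, bind DN and password are the same placeholders the question used, and the comments about what mod_authnz_ldap exports are from Apache's documented behaviour, not from the post.

```apache
# Added example: question's <Location> block plus the two changes from the answer.
# "ldapserver", the DNs and the bind password are the post's own placeholders.
<Location "/">
    AuthName "Bugzilla user login (WHL user/pwd)"
    AuthType Basic
    AuthBasicProvider ldap
    LDAPReferrals Off

    # The segment between the first and second '?' is a comma-separated
    # attribute list. sAMAccountName is what the user types at the prompt;
    # userPrincipalName must be listed here too, or Apache never fetches it
    # and AuthLDAPRemoteUserAttribute below has nothing to export.
    # Every listed attribute is also exported as AUTHENTICATE_<ATTR>
    # (e.g. AUTHENTICATE_USERPRINCIPALNAME) for downstream use.
    AuthLDAPUrl "ldap://ldapserver/dc=org1,dc=org2?sAMAccountName,userPrincipalName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=name,OU=accounts,DC=org1,DC=org2"
    AuthLDAPBindPassword "xxxpwdxxx"

    # Export the UPN (normally the e-mail address) as REMOTE_USER instead of
    # the typed login name, so the value Bugzilla sees matches the login
    # e-mail of the migrated accounts.
    AuthLDAPRemoteUserAttribute userPrincipalName

    Require valid-user
</Location>
```

On the Bugzilla side, the value Apache exports arrives as the `REMOTE_USER` environment variable of the CGI; to have Bugzilla consume it, its authentication parameters (`user_info_class` including `Env`, and `auth_env_email` pointing at `REMOTE_USER`) must be set under Administration > Parameters > User Authentication. Two things worth checking before relying on this: `ldap://` carries the bind password and every user search in clear text, so `ldaps://` (or `LDAPTrustedMode STARTTLS` at server scope) is the norm, and the vhost itself must be HTTPS since Basic auth sends the user's domain password with each request; and `(objectClass=*)` matches any directory object, so many deployments narrow the filter to `(objectClass=user)` so that only user accounts can satisfy `Require valid-user`.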