Log On Options

Log On Method

LDAP

FogBugz can use your LDAP server (or ActiveDirectory) to authenticate your users. Accounts will be created in FogBugz, but logging on will authenticate against the password in the LDAP server.

If you have existing accounts and you want to switch to LDAP, be sure that the name and email address in FogBugz match exactly with the name and email info on the LDAP server.

"Allow LDAP to create new accounts automatically" will allow any user with a valid LDAP account to log on to FogBugz. (At the moment they first log on, a FogBugz account will be created for them.) If automatic LDAP account creation is not enabled, adding a new FogBugz user account requires going back to FogBugz authentication: turn off LDAP authentication, add the new account (making sure that the name and email address match the LDAP server exactly), and then turn LDAP authentication back on.

FogBugz

FogBugz also offers three log on methods with increasing levels of security.

Names in dropdown, no passwords

Provides no security. Anyone can log on to any account. This can be used in small organizations where you trust everyone, and are behind a firewall so there is no risk of public access to the FogBugz server.

Names in dropdown, with passwords

Very low security. Every user can have a password, but the list of users is shown in a dropdown box on the log on screen. This exposes the full list of user names to anyone who can reach the FogBugz log on page. If any of those users have blank or easily guessed passwords, a malicious user could break into FogBugz.

Type email address and password

Medium security. Every user has a password and must type their email address and password to log on.

Log on

Determines whether the "Remember me at this computer" option appears on the log on page.

"Remember Me" Allowed

Users, when logging on, can check the "Remember me at this computer" box, which creates a persistent cookie so that they are already logged on when they come back using the same browser.

"Remember Me" Not Allowed

The "Remember me at this computer" checkbox will not appear, and users will be logged off when they close the browser or after a long idle period.

New User Control

Normally only administrators can create FogBugz accounts. By changing this setting to "Anybody can create an account" you will allow anyone who can access FogBugz to make their own account. This is useful if your FogBugz server is secure inside a firewall and you have a large number of potential users in your organization.

Fog Creek recommends the following best practices for security:

  1. Always use the "Type email address and password" setting.
  2. If your users are likely to be using public Internet terminals, use the "'Remember Me' Not Allowed" setting.
  3. If your FogBugz installation is on the public Internet, ensure that New User Control is set to "Only admins can create accounts."
  4. If your FogBugz installation is on the public Internet, follow your OS vendor's best practices for locking down the server, and always apply the latest patches.
  5. Configure the web server running FogBugz so it only allows access from a restricted set of IP addresses which you trust.
  6. Configure the web server running FogBugz to use SSL.
  7. Configure the web server running FogBugz to require a second level of authentication (browser-based authentication), in addition to the authentication that FogBugz itself provides.
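Practices 5, 6 and 7 are all web server settings rather than FogBugz settings. The following Apache httpd 2.4 virtual host is an added example, not configuration from the FogBugz documentation or from Fog Creek: it assumes FogBugz is served by Apache, and the host name, certificate paths, document root, htpasswd file and trusted IP ranges are placeholders to replace with your own values.

```apache
# Added example (not part of the FogBugz documentation): Apache httpd 2.4
# virtual host applying best practices 5, 6 and 7 above. Requires mod_ssl,
# mod_headers, mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file.
# All host names, paths and IP ranges below are placeholders.

# Practice 6: refuse plain HTTP by redirecting every request to HTTPS.
<VirtualHost *:80>
    ServerName fogbugz.example.com
    Redirect permanent / https://fogbugz.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName fogbugz.example.com
    DocumentRoot /var/www/fogbugz

    # Practice 6: serve FogBugz over SSL/TLS only, with legacy protocols disabled.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/fogbugz.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/fogbugz.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Keep the FogBugz session and "Remember me" cookies off plain HTTP and
    # away from page scripts. This appends the flags to every Set-Cookie
    # header the application emits.
    Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"

    <Location "/">
        # RequireAll makes BOTH conditions mandatory. Without it, Apache 2.4
        # treats several Require lines as alternatives (RequireAny), which
        # would let a valid-user from any network bypass the IP restriction.
        <RequireAll>
            # Practice 5: only the trusted networks listed here may reach FogBugz.
            Require ip 10.0.0.0/8 192.0.2.0/24

            # Practice 7: browser-based (HTTP Basic) authentication in front of
            # the FogBugz log on page, so an attacker needs two sets of credentials.
            Require valid-user
        </RequireAll>

        AuthType Basic
        AuthName "FogBugz"
        AuthUserFile /etc/apache2/fogbugz.htpasswd
    </Location>
</VirtualHost>
```

The htpasswd file referenced by AuthUserFile is created with Apache's own tool, for example `htpasswd -c /etc/apache2/fogbugz.htpasswd alice` for the first user (drop `-c` for subsequent users). Basic authentication sends the credentials with every request, which is why it is only acceptable inside the HTTPS virtual host and why the HTTP listener does nothing but redirect. Check the result with `apachectl configtest` before reloading, and verify from a host outside the listed ranges that requests are rejected with 403 rather than prompted for a password.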