Authentication

MantisBT supports several authentication methods out of the box. In addition, there is work in progress on supporting authentication plug-ins. Once these are implemented, authentication against any protocol or repository of user names and passwords will be possible without having to touch MantisBT core code.

It is important to note that MantisBT does not yet support hybrid authentication scenarios, for example internal staff authenticating against LDAP while customers authenticate against the MantisBT database with an MD5 hash.

See $g_login_method in Global authentication parameters for more details about how to configure MantisBT to use one of these authentication techniques.

Standard Authentication

With the Standard login method, MantisBT users are authenticated against records in the MantisBT database, where the passwords are stored as a hash.

Note: while technically unlimited, the password's length is arbitrarily restricted to 1024 characters (PASSWORD_MAX_SIZE_BEFORE_HASH constant).

Values for $g_login_method:
MD5 is the default - and recommended - method
Support for additional methods (e.g. SHA-1) could be added in the future

LDAP and Microsoft Active Directory

Value for $g_login_method: LDAP

Authentication is made against an LDAP or Active Directory server. The LDAP parameters should be set up as explained in LDAP authentication parameters.

An MD5 hash of the user's password will be stored in the database upon successful login, allowing fall-back to Standard Authentication when the LDAP server is not available.

The user's ID and password are checked against the Directory; if the credentials are valid, then the user is allowed to log in and their user account in MantisBT is created automatically.

Basic Authentication

Value for $g_login_method: BASIC_AUTH

When MantisBT is configured to use basic auth, it automatically detects the logged-in user and checks whether they are already registered in MantisBT. If not, a new account is automatically created for the username.

The password length is limited to the size of the underlying database field (DB_FIELD_SIZE_PASSWORD constant), currently 32 characters.

HTTP Authentication

Value for $g_login_method: HTTP_AUTH

TODO

The password length is limited to the size of the underlying database field (DB_FIELD_SIZE_PASSWORD constant), currently 32 characters.

Deprecated authentication methods

The following methods of authentication are deprecated, and supported for backwards-compatibility reasons only. It is strongly recommended to update MantisBT installations relying on these to use standard authentication instead.

Deprecated values for $g_login_method: CRYPT, CRYPT_FULL_SALT, PLAIN

With CRYPT-based methods, the password's length is limited as per Standard Authentication. With PLAIN, its size is restricted as for Basic Authentication.
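
The following is an added example, not part of MantisBT or of this guide: a Python check that reads the text of a MantisBT configuration file, finds the effective $g_login_method, and reports the status and password length limit this page gives for it. The function names, the report fields and the sample configuration are constructed for illustration, and the parser assumes the value is written as an unquoted constant.

```python
import re

# Classification and password-length limits exactly as this page states them.
STATUS = {"MD5": "standard", "LDAP": "external", "BASIC_AUTH": "external",
          "HTTP_AUTH": "external", "CRYPT": "deprecated",
          "CRYPT_FULL_SALT": "deprecated", "PLAIN": "deprecated"}
MAX_LEN = {"MD5": 1024, "CRYPT": 1024, "CRYPT_FULL_SALT": 1024,  # before hashing
           "BASIC_AUTH": 32, "HTTP_AUTH": 32, "PLAIN": 32}       # DB field size

ASSIGN = re.compile(r"^\s*\$g_login_method\s*=\s*(\w+)\s*;", re.M)

def strip_php_comments(src):
    """Drop /* */ blocks and #, // line comments (naive: ignores string literals)."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(#|//).*", "", src)

def audit_login_method(config_text):
    """Return the effective login method and what this page says about it."""
    found = ASSIGN.findall(strip_php_comments(config_text))
    method = found[-1] if found else "MD5"  # last assignment wins; MD5 is the default
    return {
        "method": method,
        "explicit": bool(found),
        "status": STATUS.get(method, "unknown"),
        "max_password_len": MAX_LEN.get(method),  # None: no limit stated on the page
    }

# Constructed sample configuration, not taken from a real installation.
SAMPLE = """<?php
# $g_login_method = MD5;
$g_login_method = LDAP;
/* $g_login_method = CRYPT; */
$g_login_method = PLAIN;  // legacy setting
"""

if __name__ == "__main__":
    report = audit_login_method(SAMPLE)
    print(report)
    if report["status"] == "deprecated":
        print("Deprecated login method: migrate to standard authentication.")
```

Commented-out assignments are ignored and the last active assignment is the one reported, so a leftover deprecated override at the bottom of a configuration file is caught.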