Bug 1531039

Summary: [RFE] Add information about the information required to pull groups from an LDAP server
Product: Red Hat CloudForms Management Engine Reporter: Felix Dewaleyne <fdewaley>
Component: DocumentationAssignee: Dayle Parker <dayleparker>
Status: CLOSED CURRENTRELEASE QA Contact: Chris Budzilowicz <cbudzilo>
Severity: medium Docs Contact:
Priority: high    
Version: 5.8.0CC: adahms, cbudzilo, cpelland, dajohnso, dmetzger, fdewaley, jocarter, mpusater, mshriver, obarenbo
Target Milestone: GAKeywords: FutureFeature
Target Release: 5.9.7   
Hardware: All   
OS: All   
Whiteboard: auth:miqldap:externalauth
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-01-17 01:15:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1572700    

Description Felix Dewaleyne 2018-01-04 13:01:34 UTC 
Document URL: https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html-single/general_configuration/#ldap_settings

Section Number and Name: 4.1.4.2.2. Configuring LDAP Authentication

Describe the issue: we need to add mention of the requirements that the ldap schema is expected to meet for Cloudforms to correctly interpret group membership.

Suggestions for improvement: review with engineering which rfcs need to be implemented for more details, but memberof seems to be a first requirement to be met.


Additional information: 

as of the future, and with sssd (usage of is not part of the red hat documentation but is upstream and can be made to work), rfc2307 needs to be met (info from sbr-idm)
I would advocate to move the ldap configuration to a more accessible section entirely - right now it's not even possible to access it from the index - and to include sssd auth with it.

I reckon that the requirmenets to use miqldap with cloudforms should be added to the documentation as soon as possible and not just for 4.5 but also 4.2 and 4.6.
Comment 2 Dayle Parker 2019-01-11 06:14:36 UTC 
After reading the case history, it seems the important points are:

* docs need to mention how to add the user to the VMDB manually (done through the Access Control menu in the UI - currently the docs say 'through the console')
* user ID must match the user's name in lower case, group must already be configured
* LDAP group name should be used for CFME group name = this must be all in lower case in CFME to work
* Both SSSD and miqLDAP use rfc2307 for LDAP schema (the customer's LDAP entries must use this schema) - this means group members are listed by name in the member UID attribute

Authentication documentation has been moved to its own guide as of 4.6, with LDAP in a chapter of its own for better findability. The fix will appear in this guide to align with the strategy of encouraging customers to upgrade to the latest version of CloudForms.

If it's necessary to backport this fix to earlier versions of the docs, please let me know with a needinfo.
Comment 5 Dayle Parker 2019-01-17 01:15:31 UTC 
LDAP documentation (contained in the Managing Authentication guide) for CloudForms has now been updated:

* A note has been added about the RFC 2307 standard
* A link has been added to the steps to create a user (in the General Configuration guide) in the case users don't already exist
* Note about LDAP group name to be used for CFME group name, all in lower case -- previously was in a note in the Creating a User section of General Configuration, but is now also mentioned in Managing Authentication (section 2.1)

The update appears in the 4.6 guide, and will appear in the 4.7 release as well:

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html-single/managing_authentication_for_cloudforms/#ldap_settings