Bug 1572387

Summary: Documents for integrating LDAP or AD with External Auth have issues
Product: Red Hat CloudForms Management Engine
Reporter: Jeffrey Cutter <jcutter>
Component: Documentation
Assignee: Dayle Parker <dayleparker>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Shriver <mshriver>
Severity: medium
Priority: medium
Version: 5.9.0
CC: brant.evans, hhudgeon, mpusater, obarenbo
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:externalauth
Doc Type: If docs needed, set a value
Last Closed: 2019-01-09 06:28:17 UTC
Type: Bug

Description Jeffrey Cutter 2018-04-26 22:46:27 UTC
Document URL: 

http://manageiq.org/docs/reference/latest/auth/active_directory
https://access.redhat.com/solutions/2751431

If I can be simple, these two docs are in need of review.  Recommend to try to follow them to configure external auth via LDAP.  Is there a reason they can't be consistent?

Some examples:

For both docs, the example for updating the sssd.conf file in both docs has issues in that it shows adding an [sssd] section when there is already one at the top of the file.

The ManageIQ doc updates perms and ownership on /etc/krb5.conf and the Red Hat doc does not.

For both docs, the changes to /etc/httpd/conf.d/manageiq-external-auth.conf are wrong.  Only the KrbServiceName Any line needs to be added.  The KrbAuthRealms line needs to be updated with the correct domain in place of example.com.

The Red Hat doc has you enable and restart sssd.  sssd is already enabled.

The Red Hat doc has you restart sssd earlier in the process.

The Red Hat doc has you enable httpd and the ManageIQ doc does not.  Should this be enabled?  I think evmserverd takes care of this automatically.  Is there something different when using external auth?

The Red Hat doc has a bunch more details after the step that restarts and enables httpd which are good.

Also - Does it make sense to have the appliance join the realm / domain?  Should it instead be able to do ldap lookups without joining the domain?  Some may not want to join it to the domain.
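
Added example (not part of the bug report or of either document): a small check for two of the configuration mistakes listed in the description above, a repeated [sssd] section in sssd.conf and an httpd Kerberos configuration that lacks the KrbServiceName Any line or still carries the example.com realm. The sample file contents and the corp.test realm are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def duplicate_sections(ini_text):
    """Return the names of INI sections that appear more than once."""
    seen, dups = set(), []
    for line in ini_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip()
            if name in seen and name not in dups:
                dups.append(name)
            seen.add(name)
    return dups

def krb_directive_issues(httpd_text, placeholder="example.com"):
    """Check the two Kerberos directives the report singles out."""
    found = {}
    for line in httpd_text.splitlines():
        parts = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(parts) >= 2 and parts[0] in ("KrbServiceName", "KrbAuthRealms"):
            found[parts[0]] = parts[1:]
    issues = []
    if found.get("KrbServiceName") != ["Any"]:
        issues.append("KrbServiceName Any is missing")
    realms = found.get("KrbAuthRealms")
    if realms is None:
        issues.append("KrbAuthRealms is missing")
    elif any(r.lower() == placeholder for r in realms):
        issues.append("KrbAuthRealms still holds the placeholder realm")
    return issues

# Constructed samples: an sssd.conf where a second [sssd] block was appended,
# and httpd fragments before and after the correction described above.
SSSD_BAD = """[sssd]
domains = corp.test
services = nss, pam

[domain/corp.test]
id_provider = ad

[sssd]
services = nss, pam
"""
HTTPD_BAD = "AuthType Kerberos\nKrbAuthRealms EXAMPLE.COM\n"
HTTPD_GOOD = "AuthType Kerberos\nKrbAuthRealms CORP.TEST\nKrbServiceName Any\n"
```

On an appliance, the same functions can be fed the contents of sssd.conf and /etc/httpd/conf.d/manageiq-external-auth.conf after following either procedure.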

Comment 2 Brant Evans 2018-04-26 23:17:42 UTC
The instructions for having to join the domain for the AD instructions are different than what is done if the miqldap_to_sssd tool is used to convert from the integrated LDAP auth to SSSD.

The miqldap_to_sssd tool does not cause the appliance to be joined to the AD domain.

Comment 3 Dayle Parker 2018-05-22 08:13:11 UTC
Hi Jeff,

Thanks for raising this bug. The docs team is aware of the inconsistencies; I created a separate guide for 4.6 [1] and reorganized all the authentication topics there to make it easier to find for CloudForms users. I'd love any feedback if you have time to give it a quick look.

The Kbase solution content has been edited and pulled into this new title (in "4.2. Configuring Authentication with Active Directory"), so I think we should be OK to deprecate the article -- I'll take care of that.

I will also make the corrections you've mentioned, thanks for listing those!

As for the differences in the MIQ and CF docs, we are working on syncing the upstream/downstream auth content better, so I'll keep you updated on that effort. Please let me know if you spot anything else related to the authentication docs in the meantime.

Cheers,
Dayle

[1] https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html-single/managing_authentication_for_cloudforms/

Comment 4 Dayle Parker 2019-01-09 06:28:17 UTC
More work has happened on this downstream content over the last while in several bugs, in particular:

https://bugzilla.redhat.com/show_bug.cgi?id=1535271 - adds the Kbase content into the new Managing Authentication guide

https://bugzilla.redhat.com/show_bug.cgi?id=1591079 - tested and edited the Active Directory integration with SMEs from the customer support team. We also found in our testing that the docs were missing a key part of this procedure, now contained in "4.2.2. Mapping Active Directory Users to CloudForms User Roles". The content in the Red Hat documentation is up to date and should be referred to over other sources.

As a team, we decided it wasn't best to deprecate the Kbase article (https://access.redhat.com/solutions/2751431) as it's been well-trafficked and bookmarked over time. It is still available online, but I've added notes throughout referring readers to the most up-to-date, maintained version of this procedure, which is contained in the Managing Auth guide.

The source content upstream (ManageIQ) is maintained in a separate repo and structure --> https://github.com/ManageIQ/manageiq_docs/tree/master/auth . For any concerns, it would be best to raise a GitHub issue.

I've also made a few edits to the Managing Auth guide section to include points listed above. This is now live in the 4.6 and 4.7 (beta) docs:

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7-beta/html-single/managing_authentication_for_cloudforms/#external_active_directory

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html-single/managing_authentication_for_cloudforms/#external_active_directory