Bug 616253

Summary: Need additional documentation on how ldap and rhq authorization should co-exist.
Product: [Other] RHQ Project Reporter: Simeon Pinder <spinder>
Component: DocumentationAssignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE QA Contact: Corey Welton <cwelton>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dlackey, mhideo
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-11 01:34:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Simeon Pinder 2010-07-19 22:32:03 UTC 
Description of problem:
The LDAP authz mechanism introduced in 2.4 leverages the existing rhq authz model and there are confusing scenarios when both rhq and ldap try to manage the same user accounts.  This needs to be documented differently to dispel some of this confusion.  

Version-Release number of selected component (if applicable):


How reproducible:
N/A

Steps to Reproduce:
1.N/A
2.
3.
  
Actual results:
N/A

Expected results:
N/A

Additional info:
Comment 1 Charles Crouch 2010-07-20 01:24:19 UTC 
In particular we need to address the case of people migrating from using the rhq db for storing users to purely using ldap (for authentication and authorization), i.e. to avoid getting themselves in the issues described  here https://bugzilla.redhat.com/show_bug.cgi?id=595482
Comment 2 Simeon Pinder 2010-07-21 21:52:43 UTC 
Detailed document about Using RHQ and LDAP authorization models together:
http://www.rhq-project.org/display/RHQ/Using+RHQ+and+LDAP+Authorization+Models

Mazz suggested simply applying the following to the docs and I agree:

"If you are using LDAP *authorization*, never add or remove users from
the LDAP-specific roles. The assigned users will be automatically
synchronized for you."

Deon should be making this change I think.
Comment 3 Deon Ballard 2010-08-02 15:52:48 UTC 
I merged the existing LDAP authorization and authentication sections into one overview section, and then I added a small bit about planning how to manage the users/roles with LDAP and JON data sources. I even made a graphic for it (oversized, but I'll fix that). 

http://www.redhat.com/docs/en-US/JBoss_ON/2.4/admin/html/planning-user-management.html
Comment 4 Corey Welton 2010-08-18 19:43:18 UTC 
Verified.