Bug 1475891 - [Authentication] Rename Get Roles from Home Forest
Summary: [Authentication] Rename Get Roles from Home Forest
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: GA
: 5.10.0
Assignee: Joe Vlcek
QA Contact: Mike Shriver
Whiteboard: auth:miqldap:ad
Depends On:
TreeView+ depends on / blocked
Reported: 2017-07-27 14:40 UTC by Tsai Li Ming
Modified: 2019-02-07 23:02 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-02-07 23:02:39 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0212 None None None 2019-02-07 23:02:48 UTC

Description Tsai Li Ming 2017-07-27 14:40:41 UTC
Description of problem:
It is confusing when there are 2 similar options:
Get User Groups from LDAP ==> LDAP
Get Roles from Home Forest ==> This only applies to AD

What happens if the user checks both? 

Is this really "Get Roles from Home Forest" or "Get User Groups from Home Forest"?

Are both check boxes mutually exclusive? Can we improve the UI? 

Documentation is confusing too:
1. Check Get User Groups from LDAP to retrieve the user’s group membership from LDAP. This is used for mapping a user’s authorization to a Red Hat CloudForms role. This requires group names on the LDAP server to match Red Hat CloudForms group names.

2. Check Get Roles from Home Forest to use the LDAP roles from the LDAP user’s home forest. This will allow you to discover groups on your LDAP server and create Red Hat CloudForms groups based on your LDAP server’s group names. Any user logging in will be assigned to that group. This option is only displayed when Get User Groups from LDAP is checked.

Version-Release number of selected component (if applicable):
CF 4.5

Comment 4 Matt Pusateri 2017-09-06 14:15:20 UTC
Actually, CFME, uses the term "Forest" to mean another LDAP domain, regardless of LDAP provider and it's not specific to AD. Or at least that is what Development has told me.  I want to open a bug to reword the use of the term "Forest"  Also in this check box seems to have disappeared, which I may be writing a bug on as soon as I debug it more.

Comment 5 Joe Vlcek 2017-11-15 15:05:18 UTC
The term "Forest", although a bit misleading to AD purists, was likely chosen initially due to the similarity to the functionality.

Because MiqLdap (mode: LDAPs) is being deprecated the auth team does not see a lot of value from updating the long standing wording used by the UI.

Comment 6 Dayle Parker 2018-08-04 13:00:57 UTC
Hi all,
I came across this bug while researching for a current blocker on the same topic - https://bugzilla.redhat.com/show_bug.cgi?id=1602845

I'm going to update the docs to explain what these checkboxes do, individually, and together in BZ1602845.

However, I was also going to suggest in that bug that we clarify the wording in the UI. I like where Loic's suggestions are going here, but am wondering:

@Li Ming, @Matt, @Joe - do you have any more ideas for a clearer name for these checkboxes, since this is still confusing to customers and support?

Comment 9 CFME Bot 2018-08-08 07:17:29 UTC
New commit detected on ManageIQ/manageiq-ui-classic/master:

commit 64d01df692037c4b3d7719d33f7f83404549bb1c
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Tue Aug  7 17:19:30 2018 -0400
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Tue Aug  7 17:19:30 2018 -0400

    Reword Get Roles to Get Groups from Home Forest.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1475891

 app/views/ops/_settings_authentication_tab.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 10 Mike Shriver 2019-01-09 17:59:49 UTC
Tested in CFME

The form field during MIQLDAP(S) setup uses the checkbox label "Get Groups from Home Forest".  This matches the scope of the intended change discussed here, only modifying the use of Roles/Groups, but not the term 'Forest'

Comment 11 errata-xmlrpc 2019-02-07 23:02:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.