Description of problem:
It is confusing when there are 2 similar options:
Get User Groups from LDAP ==> LDAP
Get Roles from Home Forest ==> This only applies to AD
What happens if the user checks both?
Is this really "Get Roles from Home Forest" or "Get User Groups from Home Forest"?
Are both check boxes mutually exclusive? Can we improve the UI?
Documentation is confusing too:
1. Check Get User Groups from LDAP to retrieve the user’s group membership from LDAP. This is used for mapping a user’s authorization to a Red Hat CloudForms role. This requires group names on the LDAP server to match Red Hat CloudForms group names.
2. Check Get Roles from Home Forest to use the LDAP roles from the LDAP user’s home forest. This will allow you to discover groups on your LDAP server and create Red Hat CloudForms groups based on your LDAP server’s group names. Any user logging in will be assigned to that group. This option is only displayed when Get User Groups from LDAP is checked.
Version-Release number of selected component (if applicable):
Actually, CFME uses the term "Forest" to mean another LDAP domain, regardless of LDAP provider, and it's not specific to AD. Or at least that is what Development has told me. I want to open a bug to reword the use of the term "Forest". Also, in 220.127.116.11 this check box seems to have disappeared, which I may be writing a bug on as soon as I debug it more.
The term "Forest", although a bit misleading to AD purists, was likely chosen initially due to the similarity to the functionality.
Because MiqLdap (mode: LDAPs) is being deprecated, the auth team does not see a lot of value in updating the long-standing wording used by the UI.
I came across this bug while researching for a current blocker on the same topic - https://bugzilla.redhat.com/show_bug.cgi?id=1602845
I'm going to update the docs to explain what these checkboxes do, individually, and together in BZ1602845.
However, I was also going to suggest in that bug that we clarify the wording in the UI. I like where Loic's suggestions are going here, but am wondering:
@Li Ming, @Matt, @Joe - do you have any more ideas for a clearer name for these checkboxes, since this is still confusing to customers and support?
New commit detected on ManageIQ/manageiq-ui-classic/master:
Author: Joe VLcek <firstname.lastname@example.org>
AuthorDate: Tue Aug 7 17:19:30 2018 -0400
Commit: Joe VLcek <email@example.com>
CommitDate: Tue Aug 7 17:19:30 2018 -0400
Reword Get Roles to Get Groups from Home Forest.
app/views/ops/_settings_authentication_tab.html.haml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Tested in CFME 18.104.22.168.20181218191323_900a416
The form field during MIQLDAP(S) setup uses the checkbox label "Get Groups from Home Forest". This matches the scope of the intended change discussed here, only modifying the use of Roles/Groups, but not the term 'Forest'.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.