Bug 1531039 - [RFE] Add information about the information required to pull groups from an LDAP server
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.8.0
Hardware: All
OS: All
Priority: high
Severity: medium
Target Milestone: GA
Target Release: 5.9.7
Assignee: Dayle Parker
QA Contact: Chris Budzilowicz
URL:
Whiteboard: auth:miqldap:externalauth
Depends On:
Blocks: 1572700
 
Reported: 2018-01-04 13:01 UTC by Felix Dewaleyne
Modified: 2021-03-11 16:49 UTC
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-17 01:15:31 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Description Felix Dewaleyne 2018-01-04 13:01:34 UTC
Document URL: https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html-single/general_configuration/#ldap_settings

Section Number and Name: 4.1.4.2.2. Configuring LDAP Authentication

Describe the issue: We need to add mention of the requirements that the LDAP schema is expected to meet for CloudForms to correctly interpret group membership.

Suggestions for improvement: Review with engineering which RFCs need to be implemented for more details, but memberOf seems to be a first requirement to be met.


Additional information: 

As of the future, and with SSSD (usage of which is not part of the Red Hat documentation but is upstream and can be made to work), RFC 2307 needs to be met (info from sbr-idm).
I would advocate moving the LDAP configuration to a more accessible section entirely - right now it's not even possible to access it from the index - and including SSSD auth with it.

I reckon that the requirements to use miqLDAP with CloudForms should be added to the documentation as soon as possible, and not just for 4.5 but also 4.2 and 4.6.

Comment 2 Dayle Parker 2019-01-11 06:14:36 UTC
After reading the case history, it seems the important points are:

* docs need to mention how to add the user to the VMDB manually (done through the Access Control menu in the UI - currently the docs say 'through the console')
* user ID must match the user's name in lower case, group must already be configured
* LDAP group name should be used for CFME group name = this must be all in lower case in CFME to work
* Both SSSD and miqLDAP use RFC 2307 for the LDAP schema (the customer's LDAP entries must use this schema) - this means group members are listed by name in the memberUid attribute

Authentication documentation has been moved to its own guide as of 4.6, with LDAP in a chapter of its own for better findability. The fix will appear in this guide to align with the strategy of encouraging customers to upgrade to the latest version of CloudForms.

If it's necessary to backport this fix to earlier versions of the docs, please let me know with a needinfo.
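
The RFC 2307 prerequisites summarised in the comment above (group members listed by name in memberUid, CFME group and user names equal to the LDAP names in lower case) can be sanity-checked before configuring authentication. The following is an added example, not code from this bug report or from the CloudForms product: it parses a constructed LDIF export (the entries, DNs and names are made up for illustration) and reports, per group, the lower-cased name CFME would match on, its memberUid members, and any group that does not follow the schema and so would not have its membership seen by miqLDAP or SSSD.

```python
# Added example, not part of the bug report or of CloudForms itself.
# Checks constructed LDIF entries against the RFC 2307 prerequisites from
# comment 2: groups carry members by name in memberUid, and CFME matches
# group and user names in lower case.
from typing import Dict, List, Tuple

# Constructed sample LDIF export; not taken from any real directory.
SAMPLE_LDIF = """\
dn: cn=CloudAdmins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: CloudAdmins
gidNumber: 5001
memberUid: jdoe
memberUid: ASmith

dn: cn=Ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: Ops
member: uid=jdoe,ou=people,dc=example,dc=com

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
cn: Jane Doe

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: asmith
cn: Adam Smith
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: one dict per entry, attribute -> list of values.

    Handles only the plain 'attr: value' form used in the sample (no base64
    values, no line continuations), which is enough for a schema sanity check.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_rfc2307_groups(
    entries: List[Dict[str, List[str]]],
) -> Dict[str, Tuple[List[str], List[str]]]:
    """Return {cfme_group_name: (member_uids, problems)} for every group entry.

    Group and member names are lowered because CFME matches them in lower
    case (the user ID must equal the user's name in lower case). A group that
    is not a posixGroup with memberUid values is flagged, since that is the
    schema miqLDAP and SSSD read membership from.
    """
    known_uids = {v.lower() for e in entries for v in e.get("uid", [])}
    report: Dict[str, Tuple[List[str], List[str]]] = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "posixgroup" not in classes and "groupofnames" not in classes:
            continue  # not a group entry
        cfme_name = e["cn"][0].lower()
        problems: List[str] = []
        if "posixgroup" not in classes:
            problems.append("not an RFC 2307 posixGroup")
        members = [m.lower() for m in e.get("memberUid", [])]
        if "posixgroup" in classes and not members:
            problems.append("no memberUid values")
        for m in members:
            if m not in known_uids:
                problems.append(f"memberUid {m!r} has no matching uid entry")
        report[cfme_name] = (members, problems)
    return report


if __name__ == "__main__":
    for name, (members, problems) in check_rfc2307_groups(parse_ldif(SAMPLE_LDIF)).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name}: members={members} -> {status}")
```

Running it on the sample reports `cloudadmins` with members `jdoe` and `asmith` (the mixed-case `ASmith` value is matched after lower-casing) and flags `ops` as not an RFC 2307 posixGroup, which is the case the documentation fix warns about.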

Comment 5 Dayle Parker 2019-01-17 01:15:31 UTC
LDAP documentation (contained in the Managing Authentication guide) for CloudForms has now been updated:

* A note has been added about the RFC 2307 standard
* A link has been added to the steps to create a user (in the General Configuration guide) in the case users don't already exist
* Note about LDAP group name to be used for CFME group name, all in lower case -- previously was in a note in the Creating a User section of General Configuration, but is now also mentioned in Managing Authentication (section 2.1)

The update appears in the 4.6 guide, and will appear in the 4.7 release as well:

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.6/html-single/managing_authentication_for_cloudforms/#ldap_settings
