Description of problem:
The LDAP authz mechanism introduced in 2.4 leverages the existing RHQ authz model, and there are confusing scenarios when both RHQ and LDAP try to manage the same user accounts. This needs to be documented differently to dispel some of this confusion.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
In particular, we need to address the case of people migrating from using the RHQ DB for storing users to purely using LDAP (for authentication and authorization), i.e. to avoid getting themselves into the issues described here: https://bugzilla.redhat.com/show_bug.cgi?id=595482
Detailed document about Using RHQ and LDAP authorization models together:
Mazz suggested simply applying the following to the docs and I agree:
"If you are using LDAP *authorization*, never add or remove users from
the LDAP-specific roles. The assigned users will be automatically
synchronized for you."
Deon should be making this change, I think.
I merged the existing LDAP authorization and authentication sections into one overview section, and then I added a small bit about planning how to manage the users/roles with LDAP and JON data sources. I even made a graphic for it (oversized, but I'll fix that).