Bug 616253 - Need additional documentation on how ldap and rhq authorization should co-exist.
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Documentation
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Deon Ballard
QA Contact: Corey Welton
Reported: 2010-07-19 18:32 EDT by Simeon Pinder
Modified: 2011-02-10 20:34 EST
Doc Type: Bug Fix
Last Closed: 2011-02-10 20:34:25 EST
Description Simeon Pinder 2010-07-19 18:32:03 EDT
Description of problem:
The LDAP authz mechanism introduced in 2.4 leverages the existing rhq authz model and there are confusing scenarios when both rhq and ldap try to manage the same user accounts.  This needs to be documented differently to dispel some of this confusion.  

Version-Release number of selected component (if applicable):


How reproducible:
N/A

Steps to Reproduce:
1. N/A

Actual results:
N/A

Expected results:
N/A

Additional info:
Comment 1 Charles Crouch 2010-07-19 21:24:19 EDT
In particular we need to address the case of people migrating from using the rhq db for storing users to purely using ldap (for authentication and authorization), i.e. to avoid getting themselves into the issues described here: https://bugzilla.redhat.com/show_bug.cgi?id=595482
Comment 2 Simeon Pinder 2010-07-21 17:52:43 EDT
Detailed document about Using RHQ and LDAP authorization models together:
http://www.rhq-project.org/display/RHQ/Using+RHQ+and+LDAP+Authorization+Models

Mazz suggested simply applying the following to the docs and I agree:

"If you are using LDAP *authorization*, never add or remove users from
the LDAP-specific roles. The assigned users will be automatically
synchronized for you."

Deon should be making this change I think.
Comment 3 Deon Ballard 2010-08-02 11:52:48 EDT
I merged the existing LDAP authorization and authentication sections into one overview section, and then I added a small bit about planning how to manage the users/roles with LDAP and JON data sources. I even made a graphic for it (oversized, but I'll fix that). 

http://www.redhat.com/docs/en-US/JBoss_ON/2.4/admin/html/planning-user-management.html
Comment 4 Corey Welton 2010-08-18 15:43:18 EDT
Verified.
