Description of problem: The LDAP authz mechanism introduced in 2.4 leverages the existing rhq authz model and there are confusing scenarios when both rhq and ldap try to manage the same user accounts. This needs to be documented differently to dispel some of this confusion. Version-Release number of selected component (if applicable): How reproducible: N/A Steps to Reproduce: 1.N/A 2. 3. Actual results: N/A Expected results: N/A Additional info:
In particular we need to address the case of people migrating from using the rhq db for storing users to purely using ldap (for authentication and authorization), i.e. to avoid getting themselves in the issues described here https://bugzilla.redhat.com/show_bug.cgi?id=595482
Detailed document about Using RHQ and LDAP authorization models together: http://www.rhq-project.org/display/RHQ/Using+RHQ+and+LDAP+Authorization+Models Mazz suggested simply applying the following to the docs and I agree: "If you are using LDAP *authorization*, never add or remove users from the LDAP-specific roles. The assigned users will be automatically synchronized for you." Deon should be making this change I think.
I merged the existing LDAP authorization and authentication sections into one overview section, and then I added a small bit about planning how to manage the users/roles with LDAP and JON data sources. I even made a graphic for it (oversized, but I'll fix that). http://www.redhat.com/docs/en-US/JBoss_ON/2.4/admin/html/planning-user-management.html
Verified.