Bug 616253 - Need additional documentation on how ldap and rhq authorization should co-exist.
Summary: Need additional documentation on how ldap and rhq authorization should co-exist.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Documentation   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium vote
Target Milestone: ---
: ---
Assignee: Deon Ballard
QA Contact: Corey Welton
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-07-19 22:32 UTC by Simeon Pinder
Modified: 2011-02-11 01:34 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-02-11 01:34:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Simeon Pinder 2010-07-19 22:32:03 UTC
Description of problem:
The LDAP authz mechanism introduced in 2.4 leverages the existing rhq authz model and there are confusing scenarios when both rhq and ldap try to manage the same user accounts.  This needs to be documented differently to dispel some of this confusion.  

Version-Release number of selected component (if applicable):


How reproducible:
N/A

Steps to Reproduce:
1.N/A
2.
3.
  
Actual results:
N/A

Expected results:
N/A

Additional info:

Comment 1 Charles Crouch 2010-07-20 01:24:19 UTC
In particular we need to address the case of people migrating from using the rhq db for storing users to purely using ldap (for authentication and authorization), i.e. to avoid getting themselves in the issues described  here https://bugzilla.redhat.com/show_bug.cgi?id=595482

Comment 2 Simeon Pinder 2010-07-21 21:52:43 UTC
Detailed document about Using RHQ and LDAP authorization models together:
http://www.rhq-project.org/display/RHQ/Using+RHQ+and+LDAP+Authorization+Models

Mazz suggested simply applying the following to the docs and I agree:

"If you are using LDAP *authorization*, never add or remove users from
the LDAP-specific roles. The assigned users will be automatically
synchronized for you."

Deon should be making this change I think.

Comment 3 Deon Ballard 2010-08-02 15:52:48 UTC
I merged the existing LDAP authorization and authentication sections into one overview section, and then I added a small bit about planning how to manage the users/roles with LDAP and JON data sources. I even made a graphic for it (oversized, but I'll fix that). 

http://www.redhat.com/docs/en-US/JBoss_ON/2.4/admin/html/planning-user-management.html

Comment 4 Corey Welton 2010-08-18 19:43:18 UTC
Verified.


Note You need to log in before you can comment on or make changes to this bug.