Description of problem:

I would like to propose review of the Chapter 5. PAM Authentication of the Satellite 5.4.1 User Guide. I only managed to get to it now that the bug 639110 was handed over to the QA guys.

* 5.1 / 1. The pam-devel package is no longer needed, please remove it from the docs. It does not hurt to have it installed so there is no need to tell people to uninstall it but there is no need to install it now.

* We need new step in 5.1: Make sure to update selinux-policy-targeted package to the latest available version.

We know that selinux-policy-targeted-2.4.6-279.el5 does not work and selinux-policy-targeted-2.4.6-300.el5_6.1 does but I am not sure if we want to have the versions mentioned there explicitly, as on RHEL 6 there are again newer versions.

* We need new step in 5.1: Make sure the allow_httpd_mod_auth_pam SELinux boolean is set to on:

    setsebool -P allow_httpd_mod_auth_pam 1

* I would like the example 5.2 and 5.3 merged into one as there is no difference in configuring the things on 32bit and 64bit. The configuration file for LDAP is

    #%PAM-1.0
    auth required pam_env.so
    auth sufficient pam_ldap.so no_user_check
    auth required pam_deny.so
    account required pam_ldap.so no_user_check

* I would like a note there to say something like "Make sure the PAM authentication in general works before setting it up with RHN Satellite".

The reason is that the way to configure LDAP and PAM with LDAP might be different on RHEL 5 and RHEL 6 but I am not sure we want to include and maintain detailed information -- so hopefully just this general sentence might be enough.

* I might also suggest another point to 5.1: after you change these settings, restart the RHN Satellite:

    rhn-satellite restart

* To make it clear that you do not have to restart after each new PAM-enabled user is created, we might actually want to move the 5.1 / 2 to separate section "Enabling a user", after this 5.1 setup procedure.
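A preflight for the SELinux and PAM steps proposed in the report above, as an added example that is not part of the bug report or of the Satellite documentation. The report does not give the path of the PAM service file, so the functions take it as an argument; on a real host the second argument would be the output of `getsebool allow_httpd_mod_auth_pam`. The sample file and the getsebool line used at the bottom are constructed.

```shell
#!/bin/sh
# Added example: checks the SELinux boolean and the LDAP PAM stack from the report.

# bool_is_on LINE: LINE is the output of `getsebool allow_httpd_mod_auth_pam`.
bool_is_on() {
    [ "$1" = "allow_httpd_mod_auth_pam --> on" ]
}

# pam_stack_ok FILE: the auth stack must try pam_ldap.so as "sufficient" and
# end in "required pam_deny.so", so a login that pam_ldap.so does not accept
# falls through to a denial; the account stack must also consult pam_ldap.so.
pam_stack_ok() {
    awk '
        /^[ \t]*(#|$)/ { next }   # skip "#%PAM-1.0", comments, blank lines
        $1 == "auth" {
            last_auth = $2 " " $3
            if ($2 == "sufficient" && $3 == "pam_ldap.so") ldap_auth = 1
        }
        $1 == "account" && $3 == "pam_ldap.so" { ldap_acct = 1 }
        END { exit !(ldap_auth && ldap_acct && last_auth == "required pam_deny.so") }
    ' "$1"
}

# preflight FILE LINE: report each failed check; return non-zero if any fails.
preflight() {
    rc=0
    bool_is_on "$2" || { echo "FAIL: allow_httpd_mod_auth_pam is not on"; rc=1; }
    pam_stack_ok "$1" || { echo "FAIL: PAM stack in $1 is incomplete"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SELinux boolean and PAM stack look right"
    return "$rc"
}

# Constructed sample: the LDAP stack quoted in the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
auth     required   pam_env.so
auth     sufficient pam_ldap.so no_user_check
auth     required   pam_deny.so
account  required   pam_ldap.so no_user_check
EOF
preflight "$sample" "allow_httpd_mod_auth_pam --> on"
rm -f "$sample"
```

A stack that lacks the closing `auth required pam_deny.so` line, or a boolean reported as `off`, makes `preflight` return non-zero and name the failed check.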
Hi Jan,

This document is supposed to be dropped to translation tomorrow. Are any of these fixes critical?

LKB
This book has now been dropped to translation (RT#75265). No further updates can be accepted. This bug will be addressed in the next release. LKB
(In reply to comment #3)
> Hi Jan,
>
> This document is supposed to be dropped to translation tomorrow. Are any of
> these fixes critical?
>
> LKB

They are not critical but not having the stuff documented (especially the allow_httpd_mod_auth_pam SELinux boolean setting) might mean unnecessary support calls.

Would it be possible to have it changed in the English text for 5.4.1, with the understanding that it won't be in the localized versions?
(In reply to comment #5)
> (In reply to comment #3)
> > Hi Jan,
> >
> > This document is supposed to be dropped to translation tomorrow. Are any of
> > these fixes critical?
> >
> > LKB
>
> They are not critical but not having the stuff documented (especially the
> allow_httpd_mod_auth_pam SELinux boolean setting) might mean unnecessary
> support calls.
>
> Would it be possible to have it changed in the English text for 5.4.1, with the
> understanding that it won't be in the localized versions?

Hi Jan,

I can't make any changes to the English text until after the translators have finished. If these changes are critical, I can perform an asynchronous release after the translations are complete and the document has GA'd. This will not change the localised versions, of course, only the English version. Would you like me to do that?

Lana
Can I propose this is added to the Release Notes? We can then fix docs correctly post 5.4.1 GA. Folks agree to this solution? Cliff
I agree. Updated component to release notes. LKB
Thanks. In the release notes, only the # setsebool -P allow_httpd_mod_auth_pam 1 step is needed.
The relnotes component of this bug is being handled in BZ#703379. Dropping the component for this bug back to the User Guide, for handling the docs changes post GA. LKB
Slated for 5.4.2. LKB
(In reply to comment #0)
> Description of problem:
>
> I would like to propose review of the Chapter 5. PAM Authentication of the
> Satellite 5.4.1 User Guide. I only managed to get to it now that the bug 639110
> was handed over to the QA guys.
>
> * 5.1 / 1. The pam-devel package is no longer needed, please remove it from the
> docs. It does not hurt to have it installed so there is no need to tell people
> to uninstall it but there is no need to install it now.

Commented that step out.

>
> * We need new step in 5.1: Make sure to update selinux-policy-targeted package
> to the latest available version.
>
> We know that selinux-policy-targeted-2.4.6-279.el5 does not work and
> selinux-policy-targeted-2.4.6-300.el5_6.1 does but I am not sure if we want to
> have the versions mentioned there explicitly, as on RHEL 6 there are again
> newer versions.

<step>
  <para>
    Ensure you have the latest version of the <filename>selinux-policy-targeted</filename> package:
  </para>
<screen>
# yum update selinux-policy-targeted
</screen>
</step>

>
> * We need new step in 5.1: Make sure the allow_httpd_mod_auth_pam SELinux
> boolean is set to on:
>
> setsebool -P allow_httpd_mod_auth_pam 1

<step>
  <para>
    Set the <filename>allow_httpd_mod_auth_pam</filename> SELinux boolean to on:
  </para>
<screen>
# setsebool -P allow_httpd_mod_auth_pam 1
</screen>
</step>

>
> * I would like the example 5.2 and 5.3 merged into one as there is no
> difference in configuring the things on 32bit and 64bit. The configuration file
> for LDAP is
>
> #%PAM-1.0
> auth required pam_env.so
> auth sufficient pam_ldap.so no_user_check
> auth required pam_deny.so
> account required pam_ldap.so no_user_check
>
> * I would like a note there to say something like "Make sure the PAM
> authentication in general works before setting it up with RHN Satellite".

<note>
  <title>Note</title>
  <para>
    Check that the PAM authentication works correctly before using it with &SAT;.
  </para>
</note>

Revision 1-4

LKB
Requested respin in RT#114048 LKB