Bug 701900 - Chapter 5. PAM Authentication updates
Chapter 5. PAM Authentication updates
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Docs User Guide (Show other bugs)
540
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lana Brindley
ecs-bugs
:
Depends On:
Blocks: sat54-docs
  Show dependency treegraph
 
Reported: 2011-05-04 04:47 EDT by Jan Pazdziora
Modified: 2013-10-23 19:22 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-23 17:27:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Pazdziora 2011-05-04 04:47:37 EDT
Description of problem:

I would like to propose review of the Chapter 5. PAM Authentication of the Satellite 5.4.1 User Guide. I only managed to get to it now that the bug 639110 was handed over to the QA guys.

* 5.1 / 1. The pam-devel package is no longer needed, please remove it from the docs. It does not hurt to have it installed so there is no need to tell people to uninstall it but there is no need to install it now.

* We need new step in 5.1: Make sure to update selinux-policy-targeted package to the latest available version.

We know that selinux-policy-targeted-2.4.6-279.el5 does not work and selinux-policy-targeted-2.4.6-300.el5_6.1 does but I am not sure if we want to have the versions mentioned there explicitly, as on RHEL 6 there are again newer versions.

* We need new step in 5.1: Make sure the allow_httpd_mod_auth_pam SELinux boolean is set to on:

  setsebool -P allow_httpd_mod_auth_pam 1

* I would like the example 5.2 and 5.3 merged into one as there is no difference in configuring the things on 32bit and 64bit. The configuration file for LDAP is

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_ldap.so no_user_check
auth        required      pam_deny.so
account     required      pam_ldap.so no_user_check

* I would like a note there to say something like "Make sure the PAM autentication in general works before setting it up with RHN Satellite".

The reason is that the way to configure LDAP and PAM with LDAP might be different on RHEL 5 and RHEL 6 but I am not sure we want to include and maintain detailed information -- so hopefully just this general sentence might be enough.
Comment 2 Jan Pazdziora 2011-05-04 05:06:13 EDT
* I might also suggest another point to 5.1: after you change these setting, restart the RHN Satellite:

  rhn-satellite restart

* To make it clear that you do not have to restart after each new PAM-enabled user is created, we might actually want to move the 5.1 / 2 to separate section "Enabling a user", after this 5.1 setup procedure.
Comment 3 Lana Brindley 2011-05-04 17:42:00 EDT
Hi Jan,

This document is supposed to be dropped to translation tomorrow. Are any of these fixes critical?

LKB
Comment 4 Lana Brindley 2011-05-05 20:29:19 EDT
This book has now been dropped to translation (RT#75265).
No further updates can be accepted. This bug will be addressed in the next release.
LKB
Comment 5 Jan Pazdziora 2011-05-06 03:21:32 EDT
(In reply to comment #3)
> Hi Jan,
> 
> This document is supposed to be dropped to translation tomorrow. Are any of
> these fixes critical?
> 
> LKB

They are not critical but not having the stuff documented (especially the allow_httpd_mod_auth_pam SELinux boolean setting) might mean unnecessary support calls.

Would it be possible to have it changed in the English text for 5.4.1, with the understanding that it won't be in the localized versions?
Comment 6 Lana Brindley 2011-05-08 16:40:21 EDT
(In reply to comment #5)
> (In reply to comment #3)
> > Hi Jan,
> > 
> > This document is supposed to be dropped to translation tomorrow. Are any of
> > these fixes critical?
> > 
> > LKB
> 
> They are not critical but not having the stuff documented (especially the
> allow_httpd_mod_auth_pam SELinux boolean setting) might mean unnecessary
> support calls.
> 
> Would it be possible to have it changed in the English text for 5.4.1, with the
> understanding that it won't be in the localized versions?

Hi Jan,

I can't make any changes to the English text until after the translators have finished. If these changes are critical, I can perform an asynchronous release after the translations are complete and the document has GA'd. This will not change the localised versions, of course, only the English version.

Would you like me to do that?

Lana
Comment 7 Clifford Perry 2011-05-09 16:29:20 EDT
Can I propose this is added to the Release Notes? 

We can then fix docs correctly post 5.4.1 GA.

Folks agree to this solution? 

Cliff
Comment 8 Lana Brindley 2011-05-09 17:24:40 EDT
I agree. Updated component to release notes.

LKB
Comment 9 Jan Pazdziora 2011-05-10 03:25:45 EDT
Thanks.

In the release notes, only the 

  # setsebool -P allow_httpd_mod_auth_pam 1

step is needed.
Comment 10 Lana Brindley 2011-06-06 17:32:56 EDT
The relnotes conponent of this bug is being handled in BZ#703379. Dropping the component for this bug back to the User Guide, for handling the docs changes post GA.

LKB
Comment 11 Lana Brindley 2011-06-13 16:16:18 EDT
Slated for 5.4.2.

LKB
Comment 12 Lana Brindley 2011-06-21 18:22:00 EDT
(In reply to comment #0)
> Description of problem:
> 
> I would like to propose review of the Chapter 5. PAM Authentication of the
> Satellite 5.4.1 User Guide. I only managed to get to it now that the bug 639110
> was handed over to the QA guys.
> 
> * 5.1 / 1. The pam-devel package is no longer needed, please remove it from the
> docs. It does not hurt to have it installed so there is no need to tell people
> to uninstall it but there is no need to install it now.

Commented that step out.

> 
> * We need new step in 5.1: Make sure to update selinux-policy-targeted package
> to the latest available version.
> 
> We know that selinux-policy-targeted-2.4.6-279.el5 does not work and
> selinux-policy-targeted-2.4.6-300.el5_6.1 does but I am not sure if we want to
> have the versions mentioned there explicitly, as on RHEL 6 there are again
> newer versions.

<step>
	<para>
		Ensure you have the latest version of the <filename>selinux-policy-targeted</filename> package:
	</para>
<screen>
# yum update selinux-policy-targeted
</screen>
</step>

> 
> * We need new step in 5.1: Make sure the allow_httpd_mod_auth_pam SELinux
> boolean is set to on:
> 
>   setsebool -P allow_httpd_mod_auth_pam 1

<step>
	<para>
		Set the <filename>allow_httpd_mod_auth_pam</filename> SELinux boolean to on:
	</para>
<screen>
# setsebool -P allow_httpd_mod_auth_pam 1
</screen>
</step>

> 
> * I would like the example 5.2 and 5.3 merged into one as there is no
> difference in configuring the things on 32bit and 64bit. The configuration file
> for LDAP is
> 
> #%PAM-1.0
> auth        required      pam_env.so
> auth        sufficient    pam_ldap.so no_user_check
> auth        required      pam_deny.so
> account     required      pam_ldap.so no_user_check
> 
> * I would like a note there to say something like "Make sure the PAM
> autentication in general works before setting it up with RHN Satellite".

<note>
	<title>Note</title>
	<para>
		Check that the PAM authentication works correctly before using it with &SAT;.
	</para>
</note>


Revision 1-4

LKB
Comment 13 Lana Brindley 2011-06-22 00:32:23 EDT
Requested respin in RT#114048

LKB

Note You need to log in before you can comment on or make changes to this bug.