Update procedure on resetting external auth

aneta-petrova · aneta-petrova · commit b752f34fbf41 · 2025-12-16T19:41:24.000+01:00
Move reset to its own module

Update ext auth reset with additional details
diff --git a/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc
@@ -161,7 +161,8 @@ ifdef::foreman-el,katello[]
 For information on configuring system-wide cryptographic policies, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening[Using system-wide cryptographic policies] in _{RHEL}{nbsp}9 Security hardening_.
 endif::[]
 
-ifndef::orcharhino[]
 .Additional resources
+ifndef::orcharhino[]
 * https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on in _{RHEL}{nbsp}9 Configuring authentication and authorization in RHEL_]
 endif::[]
+* xref:resetting-external-authentication-configuration-for-kerberos-sso[]
diff --git a/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc b/guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
@@ -43,23 +43,6 @@ Enabling access to both the {ProjectWebUI} and the {Project} API poses a securit
 After the {FreeIPA} user enters `kinit` to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session.
 The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser.
 ====
-ifdef::foremanctl[]
-* To disable external authentication with {FreeIPA}, reset external authentication:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# foremanctl deploy --reset-external-authentication
-----
-endif::[]
-ifndef::foremanctl[]
-* To disable external authentication with {FreeIPA}, reset the options.
-For example, to disable access to the {Project} API and Hammer CLI:
-+
-[options="nowrap", subs="+quotes,verbatim,attributes"]
-----
-# {foreman-installer} --reset-foreman-ipa-authentication-api
-----
-endif::[]
 . If your {ProjectServer} runs in an IPv6-only network and also runs on {EL}{nbsp}9.6 and earlier or {EL}{nbsp}10.0, set the `lookup_family_order` option in the `[domain/_{freeipaserver-example-com}_]` section of the `/etc/sssd/sssd.conf` file:
 +
 [source, ini, options="nowrap", subs="+quotes,verbatim,attributes"]
@@ -74,3 +57,6 @@ Without the option, IdM users are unable to use `kinit` to authenticate to {Proj
 
 .Verification
 * Log in to {ProjectWebUI} by entering the credentials of a user defined in {FreeIPA}.
+
+.Additional resources
+* xref:resetting-external-authentication-configuration-for-kerberos-sso[]
diff --git a/guides/common/modules/proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc b/guides/common/modules/proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc
@@ -0,0 +1,54 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="resetting-external-authentication-configuration-for-kerberos-sso"]
+= Resetting external authentication configuration for Kerberos SSO
+
+[role="_abstract"]
+You can disable external authentication with {FreeIPA} by resetting the external authentication configuration.
+This prevents user accounts defined in the external authentication source from accessing {Project}.
+
+[IMPORTANT]
+====
+Resetting external authentication prevents users from accessing {Project} as described in xref:configuring-kerberos-sso-with-{FreeIPA-context}-in-{project-context}[] and xref:configuring-kerberos-sso-for-active-directory-users-in-project_{context}[].
+However, some configuration files, such as configuration files for the System Security Services Daemon (SSSD), will remain modified because {Project} does not have access to the previous state of these files.
+====
+
+.Procedure
+ifdef::foremanctl[]
+* Reset {FreeIPA} authentication configuration to the default state:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# foremanctl deploy --reset-external-authentication
+----
+endif::[]
+ifndef::foremanctl[]
+* Reset {FreeIPA} authentication configuration to the default state:
+** To disable access to {ProjectWebUI}:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-installer} --reset-foreman-ipa-authentication
+----
+** To disable access to {ProjectWebUI}, {Project} API, and Hammer CLI:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-installer} --reset-foreman-ipa-authentication-api
+----
+endif::[]
+
+.Verification
+ifdef::foremanctl[]
+#How can users verify this?#
+endif::[]
+ifndef::foremanctl[]
+* Display the value for the `foreman-ipa-authentication` and `foreman-ipa-authentication-api` configuration options:
++
+[options="nowrap", subs="+quotes,verbatim,attributes"]
+----
+# {foreman-installer} --help | grep foreman-ipa-authentication
+----
++
+The expected value for disabled external authentication is `false`.
+endif::[]
diff --git a/guides/doc-Configuring_User_Authentication/master.adoc b/guides/doc-Configuring_User_Authentication/master.adoc
@@ -63,6 +63,8 @@ endif::[]
 
 include::common/modules/con_refreshing-external-user-groups-for-freeipa-or-ad.adoc[leveloffset=+1]
 
+include::common/modules/proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc[leveloffset=+1]
+
 ifndef::orcharhino,satellite[]
 include::common/ribbons.adoc[]
 endif::[]
