Peer review from domiborges

guides/common/modules/proc_configuring-freeipa-authentication-on-server.adoc

@@ -28,7 +28,7 @@ Enable {FreeIPA} users access to {Project} by configuring {FreeIPA} as an authen
 [WARNING]
 ====
 Enabling access to both the {ProjectWebUI} and the {Project} API poses a security risk.
-After the {FreeIPA} user enters `kinit` to receive a Kerberos ticket-granting ticket (TGT), an attacker can obtain an API session.
+After the {FreeIPA} user enters `kinit` to receive a Kerberos ticket-granting ticket (TGT), an attacker might obtain an API session.
 The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser.
 ====
 * To disable external authentication with {FreeIPA}, reset the options.

guides/common/modules/proc_configuring-host-based-authentication-control.adoc

@@ -1,7 +1,9 @@
 [id="Configuring_Host_Based_Access_Control_{context}"]
 = Configuring host-based access control for {FreeIPA} users logging in to {Project}
 
-In {FreeIPA}, host-based access control (HBAC) rules define which {FreeIPA} users can access which {FreeIPA} hosts and which {FreeIPA} services can be used to gain access.
+You can use host-based access control (HBAC) rules to manage access control within your {FreeIPA} domain.
+In {FreeIPA}, HBAC rules define which users can access which hosts and which services can be used to gain access.
+
 For example, you can configure HBAC on the {FreeIPA} server to limit access to {ProjectServer} only to selected users or user groups.
 By configuring a HBAC rule in the {FreeIPA} domain, you can ensure {Project} does not create database entries for users who should not have access.
 
@@ -31,12 +33,9 @@ endif::[]
 
 .Verification
 
-In {ProjectWebUI}:
-
-. Log in as a user defined in {FreeIPA} who is included in the HBAC rule.
-{ProjectWebUI} will grant access.
-. Log in as a user defined in {FreeIPA} who is included in the HBAC rule.
-{ProjectWebUI} will deny access.
+* Log in to the {ProjectWebUI} as a user defined in {FreeIPA}.
+** If the user is included in the HBAC rule, {ProjectWebUI} will grant access.
+** If the user is not included in the HBAC rule, {ProjectWebUI} will not grant access.
 
 .Configuring host-based access control to allow access to {Project} only for selected {FreeIPA} users by using the command line
 ====

guides/common/modules/proc_configuring-the-hammer-cli-to-use-freeipa-user-authentication.adoc

@@ -8,19 +8,19 @@ Configure the {Project} Hammer CLI tool to use {FreeIPA} to authenticate users.
 See xref:Configuring_FreeIPA_Authentication_on_Server_{context}[].
 
 .Procedure
-In the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer}, make the following changes:
 
-. Configure Hammer to enforce session usage.
-Add the following line to the list of `foreman` parameters:
+. Open the `~/.hammer/cli.modules.d/foreman.yml` file on your {ProjectServer} and update the list of `foreman` parameters:
+.. Configure Hammer to enforce session usage.
+Enable `:use_sessions:`:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
 :foreman:
   :use_sessions: true
 ----
 +
-With this setting, Hammer performs the authentication request only once instead of with each `hammer` command.
-. Optional: Configure Hammer to negotiate authentication when you enter the first `hammer` command:
+With this configuration, you will need to initiate an authentication session manually with `hammer auth login negotiate`.
+.. Alternatively, configure Hammer to enforce session usage and also negotiate authentication by default:
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
@@ -29,4 +29,4 @@ With this setting, Hammer performs the authentication request only once instead
   :use_sessions: true
 ----
 +
-With this setting, you will not need to initiate an authentication session manually with `hammer auth login negotiate`.
+With this configuration, Hammer will negotiate authentication automatically when you enter the first `hammer` command:

guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-Mozilla-Firefox.adoc

@@ -1,36 +1,32 @@
 [id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-Mozilla-Firefox_{context}"]
-= Using {FreeIPA} credentials to log in to the {ProjectWebUI} with Mozilla Firefox
+= Logging in to the {ProjectWebUI} with {FreeIPA} credentials in Mozilla Firefox
 
-This section describes how to use the Mozilla Firefox browser to log in to your {ProjectWebUI} with your {FreeIPA} login and password.
+You can use Mozilla Firefox to log in to the {ProjectWebUI} with your {FreeIPA} credentials.
+
+Use the latest stable Mozilla Firefox browser.
 
 .Prerequisites
-* You have enrolled your {ProjectServer} into {FreeIPA} and configured the server to use {FreeIPA} for authentication.
+* You have {FreeIPA} authentication configured in your {Project} environment.
 ifndef::orcharhino[]
 For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
 endif::[]
-* The host on which you are using Mozilla Firefox browser to log in to the {ProjectWebUI} is an {FreeIPA} client.
-* You have a valid {FreeIPA} login and password.
-* {Team} recommends using the latest stable Mozilla Firefox browser.
 * Your Mozilla Firefox is configured for Single Sign-On (SSO).
 ifdef::satellite[]
 For more information, see {RHELDocsBaseURL}9/html/configuring_authentication_and_authorization_in_rhel/configuring_applications_for_sso#Configuring_Firefox_to_use_Kerberos_for_SSO[Configuring Firefox to use Kerberos for single sign-on] in _Configuring authentication and authorization in {RHEL}{nbsp}9_.
 endif::[]
-* An {FreeIPA} server is running and reachable by the host.
 
 .Procedure
-. Obtain the Kerberos ticket granting ticket (TGT) for yourself using your {FreeIPA} credentials:
+. Obtain the Kerberos ticket granting ticket (TGT):
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-$ kinit _idm_user_
-Password for idm_user@_EXAMPLE.COM_:
+$ kinit _user_
+Password for user@EXAMPLE.COM:
 ----
-. In your browser address bar, enter the URL of your {ProjectServer}.
-+
-You are logged in automatically.
+. In Mozilla Firefox, go to the URL of your {ProjectServer}.
+. You are logged in automatically.
 
-[NOTE]
-====
-Alternatively, you can skip the first two steps and enter your login and password in the fields displayed on the {ProjectWebUI}.
-This is also the only option if the host from which you are accessing the {ProjectWebUI} is not an {FreeIPA} client.
-====
+Alternatively:
+
+. In your browser address bar, enter the URL of your {ProjectServer}.
+. Enter your login and password.

guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-ProjectWebUI-with-a-Chrome-browser.adoc

@@ -1,17 +1,15 @@
 [id="Using_{FreeIPA-context}_credentials_to_log_in_to_the_{ProjectWebUI-context}-with-a-Chrome-browser_{context}"]
-= Using {FreeIPA} credentials to log in to the {ProjectWebUI} with a Chrome browser
+= Logging in to the {ProjectWebUI} with {FreeIPA} credentials in Chrome
 
-This section describes how to use a Chrome browser to log in to your {ProjectWebUI} with your {FreeIPA} login and password.
+You can use Chrome to log in to the {ProjectWebUI} with your {FreeIPA} credentials.
+
+Use the latest stable Chrome browser.
 
 .Prerequisites
-* You have enrolled your {ProjectServer} into {FreeIPA} and configured the server to use {FreeIPA} for authentication.
+* You have {FreeIPA} authentication configured in your {Project} environment.
 ifndef::orcharhino[]
 For more information, see {InstallingServerDocURL}configuring-a-freeipa-server-as-an-external-identity-provider-for-project_{project-context}[{InstallingServerDocTitle}].
 endif::[]
-* The host on which you are using the Chrome browser to log in to the {ProjectWebUI} is an {FreeIPA} client.
-* You have a valid {FreeIPA} login and password.
-* {Team} recommends using the latest stable Chrome browser.
-* An {FreeIPA} server is running and reachable by the host.
 
 .Procedure
 . Enable the Chrome browser to use Kerberos authentication:
@@ -20,27 +18,22 @@ endif::[]
 ----
 $ google-chrome --auth-server-whitelist="*._example.com_" --auth-negotiate-delegate-whitelist=”*._example.com_"
 ----
-
 +
 [NOTE]
 ====
 Instead of allowlisting the whole domain, you can also allowlist a specific {ProjectServer}.
 ====
-
-. Obtain the Kerberos ticket-granting ticket (TGT) for yourself using your {FreeIPA} credentials:
+. Obtain the Kerberos ticket-granting ticket (TGT):
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
-$ kinit _idm_user_
-Password for _idm_user@_EXAMPLE.COM_:
+$ kinit _user_
+Password for user@EXAMPLE.COM:
 ----
-. In your browser address bar, enter the URL of your {ProjectServer}.
-+
-You are logged in automatically.
+. In Chrome, go to the URL of your {ProjectServer}.
+. You are logged in automatically.
 
+Alternatively:
 
-[NOTE]
-====
-Alternatively, you can skip the first three steps and enter your login and password in the fields displayed on the {ProjectWebUI}.
-This is also the only option if the host from which you are accessing the {ProjectWebUI} is not an {FreeIPA} client.
-====
+. In your browser address bar, enter the URL of your {ProjectServer}.
+. Enter your login and password.

guides/common/modules/proc_using-freeipa-credentials-to-log-in-to-the-project-hammer-cli.adoc

@@ -20,7 +20,7 @@ $ kinit _{FreeIPA-context}_user_
 +
 [WARNING]
 ====
-If, when you were setting {FreeIPA} to be the authentication provider, you enabled access to both the {Project} API and the {ProjectWebUI}, an attacker can now obtain an API session after the user receives the Kerberos TGT.
+If you enabled access to the {Project} API and the {ProjectWebUI} when you were configuring {FreeIPA} as the authentication provider for {Project}, an attacker might now obtain an API session after the user receives the Kerberos TGT.
 The attack is possible even if the user did not previously enter the {Project} login credentials anywhere, for example in the browser.
 ====
 . If Hammer is not configured to negotiate authentication, initiate an authentication session manually: