Update Kerberos SSO documentation for foremanctl

[aneta-petrova]

What changes are you introducing?

Updating documentation on enabling FreeIPA-based authentication for foremanctl. This also includes publishing a foremanctl-flavored Configuring User Authentication guide.

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

theforeman/foremanctl#312

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

N/A

Contributor checklists

• I am okay with my commits getting squashed when you merge this PR.
• I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

• Foreman 3.17/Katello 4.19
• Foreman 3.16/Katello 4.18 (Satellite 6.18)
• Foreman 3.15/Katello 4.17
• Foreman 3.14/Katello 4.16 (Satellite 6.17; orcharhino 7.4)
• Foreman 3.13/Katello 4.15 (EL9 only)
• Foreman 3.12/Katello 4.14 (Satellite 6.16; orcharhino 7.2 on EL9 only; orcharhino 7.3)
• We do not accept PRs for Foreman older than 3.12.

Summary by Sourcery

Update Kerberos SSO and external authentication documentation to cover foremanctl and related workflows.

Documentation:

• Refresh Kerberos SSO guides for FreeIPA and Active Directory to align with current foremanctl behavior and terminology.
• Extend user authentication documentation with updated procedures for configuring authentication sources, enrolling servers in FreeIPA, and logging in with FreeIPA credentials, including hammer CLI usage.
• Add a new procedure describing how to reset external authentication configuration for Kerberos SSO.
• Update the Configuring User Authentication guide index and nightly documentation metadata to include the foremanctl-focused content.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates Kerberos SSO and FreeIPA authentication documentation to incorporate foremanctl workflows, including enrollment, login, and recovery steps, and aligns the Configuring User Authentication guide and nightly metadata with the new content.

File-Level Changes

Change	Details	Files
Align Kerberos SSO and FreeIPA configuration docs with foremanctl workflows and terminology.	Adjust existing Kerberos SSO with FreeIPA assembly to reference foremanctl usage and flows. Update Active Directory Kerberos SSO, external user groups, HBAC, and authentication source modules to mention or integrate foremanctl where applicable. Clarify steps and prerequisites in FreeIPA and AD SSO setup to better match current tooling behavior.	guides/common/assembly_configuring-kerberos-sso-with-freeipa-in-project.adoc guides/common/modules/con_configuring-kerberos-sso-for-active-directory-users-in-project.adoc guides/common/modules/proc_configuring-external-user-groups.adoc guides/common/modules/proc_configuring-host-based-access-control-for-freeipa-users-logging-in-to-project.adoc guides/common/modules/proc_configuring-the-active-directory-authentication-source-on-projectserver.adoc guides/common/modules/proc_configuring-the-freeipa-authentication-source-on-projectserver.adoc
Refresh enrollment and CLI login procedures to cover FreeIPA-based authentication for foremanctl and hammer.	Update enrollment instructions for joining the server to a FreeIPA domain to reflect current commands and flags relevant to foremanctl usage. Revise CLI login procedure using FreeIPA credentials, ensuring hammer usage is consistent with foremanctl-based auth flows.	guides/common/modules/proc_enrolling-projectserver-in-your-freeipa-domain.adoc guides/common/modules/proc_logging-in-to-hammer-cli-with-freeipa-credentials.adoc
Introduce recovery documentation for resetting external authentication configuration when using Kerberos SSO.	Add a new procedure module that walks through resetting external authentication configuration for Kerberos SSO scenarios. Ensure the new reset procedure is referenced by or compatible with the other Kerberos SSO documentation modules.	guides/common/modules/proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc
Wire updated modules into the main Configuring User Authentication guide and nightly documentation metadata.	Update the Configuring User Authentication guide master assembly to include or reference the refreshed Kerberos/FreeIPA and foremanctl-related modules. Adjust nightly release JSON metadata so the updated and new documentation is available in the nightly build navigation.	guides/doc-Configuring_User_Authentication/master.adoc web/releases/nightly.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[github-actions]

The PR preview for 810954c is available at theforeman-foreman-documentation-preview-pr-4543.surge.sh

The following output files are affected by this PR:

• Administering_Project/index-foremanctl-satellite.html
• Configuring_Load_Balancer/index-foremanctl-satellite.html
• Configuring_User_Authentication/index-foreman-deb.html
• Configuring_User_Authentication/index-foreman-el.html
• Configuring_User_Authentication/index-foremanctl-katello.html
• Configuring_User_Authentication/index-foremanctl-orcharhino.html
• Configuring_User_Authentication/index-foremanctl-satellite.html
• Configuring_User_Authentication/index-katello.html
• Configuring_User_Authentication/index-orcharhino.html
• Configuring_User_Authentication/index-satellite.html
• Installing_Server_Disconnected/index-foremanctl-satellite.html
• Integrating_Provisioning_Infrastructure_Services/index-foremanctl-satellite.html
• Managing_Configurations_Ansible/index-foremanctl-satellite.html
• Managing_Content/index-foremanctl-satellite.html
• Monitoring_Project/index-foremanctl-satellite.html
• Provisioning_Hosts/index-foremanctl-satellite.html
• Tuning_Performance/index-foremanctl-satellite.html

show diff

show diff as HTML

[sourcery-ai]

Hey there - I've reviewed your changes - here's some feedback:

• In the new and updated Kerberos/FreeIPA modules, double-check that references to foremanctl vs. hammer are consistently scoped (for example, in titles, prerequisites, and command snippets) so users can easily tell which tool a given step applies to.
• Since you added proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc, consider linking to this procedure from the main Kerberos SSO configuration assembly and any troubleshooting sections so users can discover the reset workflow when they run into misconfiguration issues.
• For the nightly.json changes, verify that the new or updated entries for the Configuring User Authentication and Kerberos/FreeIPA docs use consistent slugs/URLs and titles with the corresponding master.adoc files to avoid broken or duplicated navigation items.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- In the new and updated Kerberos/FreeIPA modules, double-check that references to `foremanctl` vs. `hammer` are consistently scoped (for example, in titles, prerequisites, and command snippets) so users can easily tell which tool a given step applies to.
- Since you added `proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc`, consider linking to this procedure from the main Kerberos SSO configuration assembly and any troubleshooting sections so users can discover the reset workflow when they run into misconfiguration issues.
- For the `nightly.json` changes, verify that the new or updated entries for the Configuring User Authentication and Kerberos/FreeIPA docs use consistent slugs/URLs and titles with the corresponding `master.adoc` files to avoid broken or duplicated navigation items.

## Individual Comments

### Comment 1
<location> `guides/common/modules/proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc:17` </location>
<code_context>
 +
 [options="nowrap", subs="+quotes,verbatim,attributes"]
 ----
+ifdef::foremanctl[]
+# foremanctl deploy --pam-service foreman-prod
+endif::[]
</code_context>

<issue_to_address>
**issue (review_instructions):** The .Verification section for the foremanctl variant is just a placeholder and does not provide actual verification steps, so the verification instruction is not fulfilled.

The non-foremanctl path includes a concrete verification step (`--help | grep foreman-ipa-authentication` and expected values), but the foremanctl path only has the placeholder `#How can users verify this?#`.

Please add explicit verification instructions for the foremanctl scenario (for example, a command or UI check that confirms external authentication has been reset and what output or behavior to expect), or otherwise align it with the level of verification provided for the installer-based variant.

<details>
<summary>Review instructions:</summary>

**Path patterns:** `guides/common/modules/proc*.adoc`

**Instructions:**
- Verification steps are included where appropriate.

</details>
</issue_to_address>

### Comment 2
<location> `guides/common/modules/proc_resetting-external-authentication-configuration-for-kerberos-sso.adoc:13` </location>
<code_context>
+[IMPORTANT]
+====
+Resetting external authentication prevents users from accessing {Project} as described in xref:configuring-kerberos-sso-with-{FreeIPA-context}-in-{project-context}[] and xref:configuring-kerberos-sso-for-active-directory-users-in-project_{context}[].
+However, some configuration files, such as configuration files for the System Security Services Daemon (SSSD), will remain modified because {Project} does not have access to the previous state of these files.
+====
+
</code_context>

<issue_to_address>
**suggestion (review_instructions):** The phrase "will remain modified" uses passive voice and could be rephrased to an active construction to meet the style requirement.

Consider rephrasing to avoid the passive construction, for example:

"However, some configuration files, such as those for the System Security Services Daemon (SSSD), stay in their modified state because {Project} does not have access to their previous state."

This keeps the meaning while avoiding passive voice.

<details>
<summary>Review instructions:</summary>

**Path patterns:** `guides/common/*.adoc,guides/common/modules/*.adoc`

**Instructions:**
Avoid passive voice in verbs.

</details>
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[aneta-petrova]

These preview links are relevant for tech review:

Configuring User Authentication, update to contain only content that's expected to work with foremanctl:

• https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-foremanctl-katello.html
• https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-foremanctl-satellite.html

Configuring User Authentication, based on the current installer (section 12. Resetting external authentication configuration for Kerberos SSO is mostly new and needs a review):

• https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-katello.html
• https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-satellite.html

[ekohl]

Not a complete read through but some things that jumped out to me.

Can we define {project-package-install} as just {package-install} for foremanctl? We already do that for everything except the satellite builds everywhere else and keeps the changes smaller.

[adamruzicka]

It reads well, but the verification part for disabling with foremanctl needs to be flushed out

[lhellebr]

Does this mean that these are not available with foremanctl? I think that's not true.

[aneta-petrova]

I excluded these lines (for now) because the NOTE leads to an LDAP procedure which uses foreman-maintain. The maintain tool will be replaced by foremanctl, which means the procedure cannot yet be included in a foremanctl guide. We can include it after we know what the replacement for foreman-maintain service restart will look like and that the procedure works in the foremanctl world.

The other link leads to an AD procedure, which is being exposed in this PR. However, modifying the NOTE to include two links for a pre-foremanctl version of the guide and one link for the post-foremanctl version would take some rewriting. I don't think it's worth it right now -- we can just include the whole NOTE again after we verify that the LDAP procedure is safe for foremanctl.

[aneta-petrova]

These preview links are relevant for tech review:

Configuring User Authentication, update to contain only content that's expected to work with foremanctl:

* https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-foremanctl-katello.html

* https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-foremanctl-satellite.html

Configuring User Authentication, based on the current installer (section 12. Resetting external authentication configuration for Kerberos SSO is mostly new and needs a review):

* https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-katello.html

* https://theforeman-foreman-documentation-preview-pr-4543.surge.sh/nightly/Configuring_User_Authentication/index-satellite.html

A few threads are still open (for visibility due to open questions not related to the documentation update or just interesting information being shared) but other than that, I think I've implemented all the feedback so far. Which means these guides are ready for re-review.

[aneta-petrova]

Hello @adamruzicka @lhellebr @maximiliankolb, do you have any further comments or suggestions? If not, can you please consider acking this PR?

[adamruzicka]

One pedantic comment, otherwise it reads well

[adamruzicka]

Reads well

[lhellebr]

One clarifying comment, otherwise LGTM

[maximiliankolb]

A few minor suggestions on style. I cannot comment on the tech at all.

[Lennonka]

Just a few nitpicks.

[aneta-petrova]

All suggestions have been applied, @maximiliankolb and/or @Lennonka, can you please re-review?

[maximiliankolb]

LGTM style-wise.

[Lennonka]

LGTM, thanks!

[aneta-petrova]

Squashing some commits so that we can add two separate commits to master when merging. No changes to the diff.