(DOCSP-45035) Rotate LDAP pwd for Agent in OM (#675)

This PR is equivalent in its contents to the [PR on the Cloud Manager
side](10gen/docs-cloud-manager#150). Note: These
doc sources are now split and hence we have this separate PR, as opposed
to having a single PR for OM/CM docs that were previously built from one
source.

The only difference is that I reused the same steps file for both
enabling LDAP and rotating the pwd. This is because OM uses yaml file
includes and it was easier to do it this way for this long-maintained
doc repo. The rest of the approach is the same as for the CM PR.

@pstefek-mongo and @kyuan-mongodb could you please review? 

- [DOCSP-45035](https://jira.mongodb.org/browse/DOCSP-45035)
-
[STAGING](https://deploy-preview-675--docs-ops-manager.netlify.app/tutorial/enable-ldap-authentication-for-group/)

Author: JuliaMongo

source/includes/note-reset-auth.rst

@@ -1,7 +1,4 @@
 .. note::
 
-   If you want to 
-   :doc:`reset Authentication and TLS settings </tutorial/clear-security-settings>`
-   for your project, first 
-   :doc:`unmanage any MongoDB deployments </tutorial/unmanage-deployment>` 
-   that |mms| manages in your project.
+   To :ref:`reset Authentication and TLS settings <clear-security-settings>`
+   for your project, first :ref:`unmanage any MongoDB deployments <unmanage-deployment>` that |mms| manages in your project.

source/includes/steps-source-enable-authentication.yaml

@@ -130,8 +130,7 @@ content: |
 
   .. important::
 
-     Starting with MongoDB 3.4, you can 
-     authenticate users using LDAP, Kerberos, or X.509 certificates 
+     You can authenticate users using LDAP, Kerberos, or X.509 certificates 
      without requiring local user documents in the ``$external`` 
      database as long as you enable LDAP authorization first. When such a user successfully
      authenticates, MongoDB performs a query against the LDAP server to
@@ -193,6 +192,20 @@ content: |
           - Specify the password with which MongoDB binds when connecting to an 
             LDAP server.
 
+        * - New Query Password (LDAP Bind DN)
+        
+          - (Optional). Use this field if you want to rotate the LDAP password.
+            Specify the new password with which MongoDB will bind when
+            connecting to an LDAP server. Specifying a new password in
+            this field allows you to smoothly rotate the query password.
+
+            .. important::
+
+               After you rotate the password on the LDAP server side,
+               move the contents of the :guilabel:`New Query Password`
+               field into the :guilabel:`Query Password` field and make
+               the :guilabel:`New Query Password` field empty.
+
         * - LDAP User Cache Invalidation Interval (s)  
 
           - Specify how long MongoDB waits to flush the LDAP user cache.
@@ -250,13 +263,12 @@ content: |
 
   .. important::
 
-     Starting with MongoDB 3.4, you can 
-     authenticate users using LDAP, Kerberos, and X.509 certificates 
-     without requiring local user documents in the ``$external`` 
-     database as long as you enable LDAP authorization first. When such a user successfully
-     authenticates, MongoDB performs a query against the LDAP server to
-     retrieve all groups which that LDAP user possesses and transforms those
-     groups into their equivalent MongoDB roles.
+     You can authenticate users using LDAP, Kerberos, and X.509 certificates
+     without requiring local user documents in the ``$external``
+     database as long as you enable LDAP authorization first. When such a user
+     successfully authenticates, MongoDB performs a query against the LDAP
+     server to retrieve all groups which that LDAP user possesses and transforms
+     those groups into their equivalent MongoDB roles.
 
   Skip this step if you don't want to enable LDAP authorization.
 
@@ -285,4 +297,15 @@ ref: set-authorization-settings-no-ldap
 title: "Click :guilabel:`Save Settings`."
 level: 4
 ref: save-auth-settings
+content: |
+
+  .. note::
+
+     While you save the settings with a new password, MongoDB tries
+     both passwords. After completing this procedure, you can change
+     the password in your LDAP server. After you rotate the password
+     on the LDAP server side, move the contents of the
+     :guilabel:`New Query Password` field into the :guilabel:`Query Password`
+     field and make the :guilabel:`New Query Password` field empty.
+
 ...

source/tutorial/clear-security-settings.txt

@@ -1,3 +1,5 @@
+.. _clear-security-settings:
+
 =======================
 Clear Security Settings
 =======================
@@ -13,8 +15,8 @@ Clear Security Settings
 Overview
 --------
 
-|mms| enables you to :doc:`configure the security settings
-</tutorial/nav/security-enable-authentication>` that your deployments
+|mms| enables you to :ref:`configure the security settings
+<enable-ldap-auth>` that your deployments
 use through the |mms| user interface. If you wish to reset the security
 settings for your deployment, you may do so using the :guilabel:`Clear
 Settings` button. :guilabel:`Clear Settings` clears all

source/tutorial/enable-ldap-authentication-for-group.txt

@@ -1,7 +1,7 @@
 .. _enable-ldap-auth:
 
 =================================================
-Enable LDAP Authentication for your |mms| Project
+Manage LDAP Authentication for your |mms| Project
 =================================================
 
 .. default-domain:: mongodb
@@ -33,26 +33,29 @@ Directory Access Protocol (LDAP) servers via ``saslauthd`` and operating system
 libraries:
 
 - MongoDB Enterprise for Linux can bind to an LDAP server either via
-  ``saslauthd`` or, starting in MongoDB 3.4, through the operating system
-  libraries.
+  ``saslauthd`` or through the operating system libraries.
 
-- Starting in MongoDB version 3.4, MongoDB Enterprise for Windows can
-  bind to an LDAP server through the operating system libraries.
+- MongoDB Enterprise for Windows can bind to an LDAP server through the
+  operating system libraries.
 
-The :manual:`LDAP Proxy Authentication </core/security-ldap>` and
-:manual:`LDAP Authorization </core/security-ldap-external>` sections in
-the MongoDB manual provide more information about LDAP and MongoDB.
-Setting up LDAP and SASL is beyond the scope of this document.
+To learn how to set up LDAP and SASL, see the :manual:`LDAP Proxy Authentication </core/security-ldap>`
+and :manual:`LDAP Authorization </core/security-ldap-external>` sections in
+the MongoDB manual.
 
 Procedure
 ---------
 
-This procedure describes how to configure and enable LDAP
-authentication when using Automation. If |mms| doesn't manage
-{+magent+} or {+bagent+}, you must manually configure them to use
-|ldap|. To configure |ldap|, see
-:doc:`/tutorial/configure-mongodb-agent-for-ldap`
+This procedure describes how to:
 
-.. include:: /includes/note-reset-auth.rst
+- Configure and enable LDAP authentication when using Automation.
+- Rotate the LDAP password in |mms|, so that after that you can rotate
+  the LDAP password on the LDAP server as well and then start using the
+  new password seamlessly in |mms|.
+
+  If |mms| doesn't manage {+magent+} or {+bagent+}, you must manually
+  configure them to use |ldap|. To configure |ldap|, see
+  :doc:`/tutorial/configure-mongodb-agent-for-ldap`.
 
 .. include:: /includes/steps/enable-authentication-ldap.rst
+
+.. include:: /includes/note-reset-auth.rst