add inter-module links

1-server-install.rst

@@ -149,4 +149,9 @@ enrolling client machines, creating users, managing services, and
 more!
 
 To prepare for the next unit, exit the ``server`` SSH session (but
-do not shut the VM down).
+do not shut the VM down).  The next essential unit is
+`Unit 2: Enrolling client machines <2-client-install.rst>`_.
+
+Alternatively, if you would like to immediately install a replica
+server (essential for production deployments), you can take a detour
+to `Unit 7: Replica installation <7-replica-install.rst>`_.

10-ssh-key-management.rst

@@ -1,6 +1,10 @@
 Unit 10: SSH user and host key management
 =========================================
 
+**Prerequisites**
+
+- `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_
+
 In this module you will explore how to use FreeIPA as a backend
 provider for SSH keys.  Instead of distributing ``authorized_keys``
 and ``known_hosts`` files, SSH keys are uploaded to their
@@ -125,3 +129,11 @@ keys to the FreeIPA server.
 **Note:** OpenSSH has already been configured to look up known hosts
 on the FreeIPA server, so no manual configuration is required for
 this section.
+
+
+Conclusion
+----------
+
+Congratulations!  This was the final topic in the workshop.
+If you skipped any units, you can reach them from the
+`curriculum overview <workshop.rst#Curriculum_overview>`_.

2-client-install.rst

@@ -51,3 +51,6 @@ Users in your FreeIPA domain can now log into FreeIPA-enrolled
 hosts, subject to *Host-based access control* (HBAC) rules.  Users
 logged onto the host can also acquire Kerberos tickets for accessing
 *services* in your domain.
+
+You can now move on to
+`Unit 3: User management and Kerberos authentication <3-user-management.rst>`_.

3-user-management.rst

@@ -120,3 +120,12 @@ is a true *single sign-on* protocol!
   Valid starting       Expires              Service principal
   06/04/2018 21:45:50  06/05/2018 21:38:24  host/client.ipademo.local@IPADEMO.LOCAL
   06/04/2018 21:38:41  06/05/2018 21:38:24  krbtgt/IPADEMO.LOCAL@IPADEMO.LOCAL
+
+
+Now that you have created some users, it's time to define some
+access policies.  Proceed to
+`Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_.
+
+Alternatively, if you are interested in SSH public key management
+for users and hosts, jump ahead to
+`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_.

4-hbac.rst

@@ -130,3 +130,12 @@ Then try ``alice``::
   [server]$ ssh alice@client.ipademo.local
   Creating home directory for alice.
   [alice@client]$
+
+
+This was the final mandatory unit in the workshop.  From here, there
+are several optional units you can choose from.  You can proceed
+directly to
+`Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_.
+Otherwise,
+`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
+to see all the options.

5-web-app-authnz.rst

@@ -301,3 +301,8 @@ Restart Apache and try and perform the same ``curl`` request again
 as ``alice``.  Everything should work as before because ``alice`` is
 a member of the ``sysadmin`` group.  What happens when you are
 authenticated as ``bob`` instead?
+
+This unit is now concluded.  Now that you have mastered web app
+authentication, you'll want to configure TLS for your site.  Proceed
+to
+`Unit 6: Certificate management <6-cert-management.rst>`_.

6-cert-management.rst

@@ -118,3 +118,10 @@ Restart Apache and make a request to the app over HTTPS::
     REMOTE_PORT: 51876
 
 
+You can now proceed to
+`Unit 7: Replica installation <7-replica-install.rst>`_
+or
+`Unit 8: Sudo rule management <8-sudorule.rst>`_.
+Otherwise,
+`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
+to see all the options.

7-replica-install.rst

@@ -45,3 +45,10 @@ replication of data to the new Directory Server instance::
   Update succeeded
 
 After ``ipa-replica-install`` finishes, the replica is operational.
+LDAP changes on any server will be replicated to all other servers.
+
+You can proceed to
+`Unit 8: Sudo rule management <8-sudorule.rst>`_
+or
+`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
+to see all the available topics.

8-sudorule.rst

@@ -1,6 +1,11 @@
 Unit 8: Sudo rule management
 ============================
 
+**Prerequisites**:
+
+- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
+- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
+
 Sudo is a program that allows users to run programs as another user
 with different privileges (possibly ``root``).  Sudo rules provide
 fine-grained control over who can execute which processes, as which
@@ -185,3 +190,7 @@ restart (or start) Apache, but not run other commands via ``sudo``::
   [sudo] password for bob:
   [bob@client]$ sudo id
   Sorry, user bob is not allowed to execute '/bin/id' as root on client.ipademo.local.
+
+
+This concludes the unit.  Now that you have Sudo rules working,
+proceed to `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_.

9-selinux-user-map.rst

@@ -1,6 +1,12 @@
 Unit 9: SELinux User Maps
 =========================
 
+**Prerequisites**:
+
+- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
+- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
+- `Unit 8: Sudo rule management <8-sudorule.rst>`_
+
 SELinux is a *mandatory access controls* mechanism for Linux,
 providing more powerful and flexible access control than traditional
 Unix permissions.  Users have an SELinux *context* consisting of a
@@ -118,3 +124,10 @@ the program being run::
   staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   sh-4.3# systemctl restart httpd
   sh-4.3#
+
+
+This concludes the unit.  You can now proceed to
+`Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_
+or
+`return to the curriculum overview <workshop.rst#Curriculum_overview>`_
+to see all the available topics.

workshop.rst

@@ -22,27 +22,21 @@ X.509 certificates for services.
 Curriculum overview
 -------------------
 
-- `Unit 1: Installing the FreeIPA server`_
-- `Unit 2: Enrolling client machines`_
-- `Unit 3: User management and Kerberos authentication`_
-- `Unit 4: Host-based access control (HBAC)`_
-- `Unit 5: Web application authentication and authorisation`_
-- `Unit 6: Certificate management`_
-- `Unit 7: Replica installation`_
-- `Unit 8: Sudo rule management`_
-- `Unit 9: SELinux User Maps`_
-- `Unit 10: SSH user and host key management`_
+Mandatory:
 
-.. _Unit 1\: Installing the FreeIPA server: 1-server-install.rst
-.. _Unit 2\: Enrolling client machines: 2-client-install.rst
-.. _Unit 3\: User management and Kerberos authentication: 3-user-management.rst
-.. _Unit 4\: Host-based access control (HBAC): 4-hbac.rst
-.. _Unit 5\: Web application authentication and authorisation: 5-web-app-authnz.rst
-.. _Unit 6\: Certificate management: 6-cert-management.rst
-.. _Unit 7\: Replica installation: 7-replica-install.rst
-.. _Unit 8\: Sudo rule management: 8-sudorule.rst
-.. _Unit 9\: SELinux User Maps: 9-selinux-user-map.rst
-.. _Unit 10\: SSH user and host key management: 10-ssh-key-management.rst
+- `Unit 1: Installing the FreeIPA server <1-server-install.rst>`_
+- `Unit 2: Enrolling client machines <2-client-install.rst>`_
+- `Unit 3: User management and Kerberos authentication <3-user-management.rst>`_
+- `Unit 4: Host-based access control (HBAC) <4-hbac.rst>`_
+
+Optional units—choose the topics that are relevant to you:
+
+- `Unit 5: Web application authentication and authorisation <5-web-app-authnz.rst>`_
+- `Unit 6: Certificate management <6-cert-management.rst>`_
+- `Unit 7: Replica installation <7-replica-install.rst>`_
+- `Unit 8: Sudo rule management <8-sudorule.rst>`_
+- `Unit 9: SELinux User Maps <9-selinux-user-map.rst>`_
+- `Unit 10: SSH user and host key management <10-ssh-key-management.rst>`_
 
 
 Editing files on VMs
@@ -256,3 +250,10 @@ On Unix systems (including Mac OS X), the hosts file is ``/etc/hosts``
 
 On Windows, edit ``C:\Windows\System32\system\drivers\etc\hosts`` as
 *Administrator*.
+
+
+Next step
+---------
+
+You are ready to begin the workshop.  Continue to
+`Unit 1: Installing the FreeIPA server <1-server-install.rst>`_.