Working with LDAP users and user groups
You don’t explicitly add remote users to PE. Instead, after connecting external directory services, remote users log into PE, which creates their user records.
If the user belongs to an external directory group that has been imported into PE and assigned to a role, the user is assigned to that role and gains the permissions associated with that role. User permissions and user roles are additive: Users can be assigned to multiple roles and they gain the permissions of all the roles to which they are assigned.
When a user logs in for the first time, PE looks for the
user in your connected LDAP directories. If you have connected to multiple LDAP
directories, PE checks them in the order the directories
were added to PE. Once PE
locates the user, it stops checking the directories. Periodically, based on the ldap_sync_period_seconds
interval, PE checks that the user still exists in the directory and
pulls the latest group membership information. To learn more about the LDAP sync period
setting and what happens during an LDAP sync, refer to Configure RBAC and token-based authentication settings.
If the user is removed from their associated LDAP directory, their access is revoked during the next LDAP sync because PE can no longer find the user in the associated directory. If the user was added to another connected LDAP directory, or is re-added to the same directory, the next time the user logs in, the user is synchronized as if this was their first login (meaning that PE looks through all the directories until it locates the user).
If you have connected both LDAP and SAML, if a user initially logs in through SAML, their role assignments are configured based on your SAML authentication group configurations. If the user later logs in through LDAP, and PE identifies them as the same user that had previously logged in through SAML, then the user's SAML binding is revoked and replaced by the appropriate LDAP binding. If you have different PE roles assigned to your SAML and LDAP groups, then the user's groups change accordingly.
Import user groups from external directory services
You must explicitly import your external directory groups to PE by adding the group by its name.
Troubleshooting: A PE user and user group have the same name
If you have both a PE user and an external directory user group with the exact same name, PE throws an error when you try to log on as that user or import the user group.
To work around this problem, you can change your settings to use different RDNs for users and groups. This works as long as all of your users are contained under one RDN that is unique from the RDN that contains all of your groups.
Assign user groups to user roles
After importing a group, you must assign at least one user role to it. This grants the role's permissions to the group members. If you don't assign a role, the users in this group have no permissions.
If you are not using the default roles (which are described in User permissions and user roles) or any custom roles that you previously created, then you must Create user roles and Assign permissions to roles.
- In the console, on the Access control page, click the User roles tab.
- Click the role you want to add the user group to.
- Click Member groups. In the Group name field, select the user group you want to add to the user role.
- Click Add group, and commit changes.
- Repeat to assign roles to other imported groups.
Remove a user group
You can remove imported LDAP user groups in the PE console. Users associated with the deleted group lose the permissions associated with roles assigned to the group.
Removing a remote user’s access to PE
In order to fully revoke a remote user's access to Puppet Enterprise, you must also remove the user from the external directory service accessed by PE.
Deleting a remote user's local PE account does not automatically prevent that user from accessing PE in the future. As long as the remote user is still a member of a group in an LDAP external directory that PE can access, the user can still log into PE and still receives permissions from roles associated with their LDAP group membership.
If you delete a user from your LDAP external directory service but not from PE, the user can no longer log in. However, any generated
tokens or existing console sessions remain valid until they expire or are revoked by
automatic LDAP synchronization, which is controlled by the ldap_sync_period_seconds
parameter. For information about modifying this
parameter, see Console and console-services parameters.
To manually invalidate the user's tokens or sessions, you must Revoke the user's PE account, which also automatically revokes all tokens for the user. To fully remove the user's account record, you must manually Delete the user.