Logging in

Accessing the Puppet Enterprise (PE) console requires a username and password.

If you are an administrator configuring or accessing the PE console for the first time, use the username and password you chose when you installed PE. Otherwise, get credentials from your site's administrator.

Because the console is your infrastructure's main control point, don't allow your browser to store the login credentials.

Generate a user password reset token

When users forget their passwords or lock themselves out of the console by providing incorrect credentials too many times, you must generate a password reset token.

  1. In the console, on the Access control page, click the Users tab.
  2. Click the name of the user who needs a password reset token.
  3. Click Generate password reset, copy the link, and send it to the user.

Reset the console administrator password

If you're unable to log in to the console as admin, you can change the password from the command line of the node that is running console services.

  1. On the node running console services (usually your primary server), log in as root.
  2. To reset the console admin password, run:
    puppet infrastructure console_password --password=<MY_PASSWORD>

Troubleshooting PE admin account access

You might encounter these situations when trying to log in as the Puppet Enterprise (PE) admin user.

Multiple admin users

If your directory has multiple users with admin as their login name, the PE admin account can't log in.

PE admin locked out

If you are locked out of the PE admin account, ask another use with administrator access to Generate a user password reset token for the admin user.

If there are no other users who can reset the admin user's password, you must SSH into the box and use curl commands to reset the directory service settings. For example, this curl command is for a box named centos7:
type_header='Content-Type: application/json'
cert="$(puppet config print hostcert)"
cacert="$(puppet config print localcacert)"
key="$(puppet config print hostprivkey)"
uri="https://$(puppet config print server):4433/rbac-api/v1/ds"

curl --header "$type_header" --cert "$cert" --cacert "$cacert" --key "$key" --request PUT "$uri" --data "$data"

For general information about forming curl commands, authentication in commands, and Windows modifications, go to Using example commands.

Create a custom login disclaimer

You can add a custom banner to console login page. For example, you can add a disclaimer about authorized or unauthorized use of private information found in the console.

These steps explain how to use a disclaimer.txt file for your custom disclaimer. You can also use the RBAC API Disclaimer endpoints to configure the disclaimer without needing to reference a specific file location on disk.
  1. Create a disclaimer.txt file containing the disclaimer content.
  2. Place the file in /etc/puppetlabs/console-services
    If you want to store the file somewhere else, you can change the disclaimer file path in the console by configuring puppet_enterprise::profile::console::disclaimer_content_path
  3. Log in to the console to test the new banner.

Require LDAP group membership to log in

You can use the exclude-groupless-ldap-users setting to prevent LDAP users with no group bindings from logging in and creating Puppet Enterprise (PE) accounts. This setting is disabled by default.

  1. On your primary server, navigate to /etc/puppetlabs/console-services/conf.d/ and create a new .conf file at this location.
  2. Paste the following into the .conf file:
    rbac: {
       feature-flags: {
        exclude-groupless-ldap-users: true
  3. To merge this setting into your RBAC configuration, run Puppet on your primary server: puppet agent -t