Working with LDAP users and user groups

You don’t explicitly add remote users to PE. Instead, after connecting external directory services, remote users log into PE, which creates their user records.

If the user belongs to an external directory group that has been imported into PE and assigned to a role, the user is assigned to that role and gains the permissions associated with that role. User permissions and user roles are additive: Users can be assigned to multiple roles and they gain the permissions of all the roles to which they are assigned.

When a user logs in for the first time, PE looks for the user in your connected LDAP directories. If you have connected to multiple LDAP directories, PE checks them in the order the directories were added to PE. Once PE locates the user, it stops checking the directories. Periodically, based on the ldap_sync_period_seconds interval, PE checks that the user still exists in the directory and pulls the latest group membership information. To learn more about the LDAP sync period setting and what happens during an LDAP sync, refer to Configure RBAC and token-based authentication settings.

If the user is removed from their associated LDAP directory, their access is revoked during the next LDAP sync because PE can no longer find the user in the associated directory. If the user was added to another connected LDAP directory, or is re-added to the same directory, the next time the user logs in, the user is synchronized as if this was their first login (meaning that PE looks through all the directories until it locates the user).

If you have connected both LDAP and SAML and a user initially logs in through SAML, their role assignments are based on your SAML authentication group configuration. If the user later logs in through LDAP, and PE identifies them as the same user that had previously logged in through SAML, then the user's SAML binding is revoked and replaced by the appropriate LDAP binding. If you have different PE roles assigned to your SAML and LDAP groups, then the user's roles change accordingly.
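The following model, added here as an illustration and not Puppet Enterprise code, walks through the behaviour the preceding paragraphs describe: directories are searched in the order they were added and the search stops at the first hit, a periodic sync refreshes group membership and revokes access (and outstanding tokens) for a user the owning directory no longer knows, a later re-add is treated as a first login, and permissions are the union of every role bound to the user's imported groups. The directory contents, group names, role names, permission strings and the class and function names are all constructed for this example.

```python
"""Model of login, lookup order, sync and additive permissions (added example,
not PE code). Directories, groups, roles and permissions are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Directory:
    name: str
    members: Dict[str, Set[str]]   # login -> groups the user belongs to


@dataclass
class UserRecord:
    login: str
    directory: Optional[str]       # None once a sync could not find the user
    groups: Set[str] = field(default_factory=set)
    tokens: Set[str] = field(default_factory=set)


# Constructed mappings: imported group -> roles, role -> permissions.
GROUP_ROLES = {"ops": {"Operators"}, "viewers": {"Viewers"}}
ROLE_PERMISSIONS = {
    "Operators": {"nodes:edit", "nodes:view"},
    "Viewers": {"nodes:view", "reports:view"},
}


class RbacModel:
    def __init__(self, directories: List[Directory], imported_groups: Set[str]):
        self.directories = directories        # in the order they were "added to PE"
        self.imported_groups = imported_groups
        self.users: Dict[str, UserRecord] = {}

    def _locate(self, login: str) -> Optional[Directory]:
        # Check directories in order and stop at the first one that knows the user.
        for d in self.directories:
            if login in d.members:
                return d
        return None

    def login(self, login: str) -> UserRecord:
        rec = self.users.get(login)
        if rec is None or rec.directory is None:
            # First login, or first login after a sync revoked access:
            # search every directory again as if this were the first login.
            d = self._locate(login)
            if d is None:
                raise PermissionError(f"{login} not found in any connected directory")
            rec = UserRecord(login, d.name, set(d.members[login]))
            self.users[login] = rec
        return rec

    def issue_token(self, login: str, token: str) -> None:
        self.users[login].tokens.add(token)

    def sync(self) -> None:
        """Periodic sync: re-check each user in the directory that owns them,
        refresh group membership, revoke access and tokens if the user is gone."""
        for rec in self.users.values():
            if rec.directory is None:
                continue
            d = next(x for x in self.directories if x.name == rec.directory)
            if rec.login in d.members:
                rec.groups = set(d.members[rec.login])
            else:
                rec.directory, rec.groups = None, set()
                rec.tokens.clear()

    def permissions(self, login: str) -> Set[str]:
        """Union of permissions from every role bound to the user's imported groups."""
        rec = self.users.get(login)
        if rec is None or rec.directory is None:
            return set()
        perms: Set[str] = set()
        for group in rec.groups & self.imported_groups:   # non-imported groups grant nothing
            for role in GROUP_ROLES.get(group, set()):
                perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def demo() -> dict:
    """Walk through the scenarios in the text and return the observations."""
    corp = Directory("corp", {"alice": {"ops", "viewers", "auditors"}, "dave": {"viewers"}})
    contractors = Directory("contractors", {"bob": {"viewers"}, "dave": {"ops"}})
    model = RbacModel([corp, contractors], {"ops", "viewers"})
    out = {}
    model.login("alice")
    out["alice_perms"] = model.permissions("alice")            # union of both roles
    out["dave_dir"] = model.login("dave").directory             # first directory wins
    out["dave_perms"] = model.permissions("dave")               # corp membership only
    model.issue_token("alice", "tok-1")
    del corp.members["alice"]                                   # removed from the directory
    out["token_valid_before_sync"] = "tok-1" in model.users["alice"].tokens
    model.sync()
    out["alice_perms_after_sync"] = model.permissions("alice")
    out["token_valid_after_sync"] = "tok-1" in model.users["alice"].tokens
    contractors.members["alice"] = {"viewers"}                  # re-added in another directory
    out["alice_dir_after_readd"] = model.login("alice").directory
    out["alice_perms_after_readd"] = model.permissions("alice")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the "auditors" group is never imported, so alice's membership in it grants nothing, and that dave's permissions come only from the first directory that listed him; the token issued to alice stays valid after she is removed from the directory until the next sync runs, which is the window the last section of this page describes.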

Import user groups from external directory services

You must explicitly import external directory groups into PE by adding each group by name.

Before you begin
You must Connect to external directory services before you can import groups.
  1. In the console, on the Access control page, click the User groups tab.
    The User groups tab is available only if you have established a connection with an external directory.
  2. If you have multiple LDAP directories, select the directory that has the group you want to import.
  3. In the Login field, enter the name of a group from your external directory.
  4. Click Add group.
    Important: Immediately after importing a group, the group has neither roles nor user members.

    Group members populate when users who belong to the group log in to PE.

    You must Assign user groups to user roles to grant permissions to the members of this group. If you don't assign a role, the members of this group can't do anything in PE.

    If you disconnect an LDAP directory that has imported groups, all users and groups associated with that directory are removed from PE RBAC.

  5. Repeat these steps to import more groups.

Troubleshooting: A PE user and user group have the same name

If you have both a PE user and an external directory user group with the exact same name, PE throws an error when you try to log on as that user or import the user group.

To work around this problem, you can change your settings to use different RDNs for users and groups. This works as long as all of your users are contained under one RDN that is unique from the RDN that contains all of your groups.
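The model below, added here as an illustration and not PE code or PE configuration, shows why a user and a group with the same name collide when both are searched under one base, and how confining user searches to one RDN and group searches to a different RDN resolves the ambiguity. It also includes a check for the precondition stated above: every user must sit under the user RDN, every group under the group RDN, and neither subtree may contain the other. The entries, the base DN, the `user_rdn`/`group_rdn` parameter names and all helper functions are constructed for this example.

```python
"""Model of the same-name user/group collision and the separate-RDN workaround
(added example; entries, names and helpers are constructed, not PE code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    dn: str     # distinguished name, leftmost RDN first
    kind: str   # "user" or "group" (stands in for the LDAP objectClass)


# Constructed sample directory: a user and a group are both named "deploy".
SAMPLE_ENTRIES = [
    Entry("cn=deploy,ou=people,dc=example,dc=com", "user"),
    Entry("cn=deploy,ou=groups,dc=example,dc=com", "group"),
    Entry("cn=alice,ou=people,dc=example,dc=com", "user"),
    Entry("cn=ops,ou=groups,dc=example,dc=com", "group"),
]
BASE_DN = "dc=example,dc=com"


class AmbiguousNameError(LookupError):
    """A name search matched more than one entry (the error case described above)."""


def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def _leaf_value(dn: str) -> str:
    # Value of the leftmost RDN, e.g. "deploy" from "cn=deploy,ou=people,...".
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def _under(dn: str, base: str) -> bool:
    d, b = _norm(dn), _norm(base)
    return d == b or d.endswith("," + b)


def search_base(base_dn: str, rdn: Optional[str]) -> str:
    # An RDN such as "ou=people" narrows the search to that subtree of the base DN.
    return f"{rdn},{base_dn}" if rdn else base_dn


def lookup(name: str, base_dn: str, rdn: Optional[str], entries: List[Entry]) -> Entry:
    """Find exactly one entry called `name` under the search base."""
    base = search_base(base_dn, rdn)
    hits = [e for e in entries if _under(e.dn, base) and _leaf_value(e.dn) == name.lower()]
    if not hits:
        raise LookupError(f"{name!r} not found under {base}")
    if len(hits) > 1:
        raise AmbiguousNameError(
            f"{name!r} matches {len(hits)} entries under {base}: "
            + ", ".join(e.dn for e in hits))
    return hits[0]


def layout_is_separated(base_dn: str, user_rdn: Optional[str], group_rdn: Optional[str],
                        entries: List[Entry]) -> bool:
    """Precondition for the workaround: all users under the user RDN, all groups under
    the group RDN, and neither search base nested inside the other."""
    user_base = search_base(base_dn, user_rdn)
    group_base = search_base(base_dn, group_rdn)
    if _under(user_base, group_base) or _under(group_base, user_base):
        return False
    return all((_under(e.dn, user_base) if e.kind == "user" else _under(e.dn, group_base))
               for e in entries)


def demo() -> dict:
    out = {}
    # No RDN separation: both searches cover the same subtree and "deploy" is ambiguous.
    try:
        lookup("deploy", BASE_DN, None, SAMPLE_ENTRIES)
        out["shared_rdn"] = "ok"
    except AmbiguousNameError:
        out["shared_rdn"] = "ambiguous"
    out["shared_layout_ok"] = layout_is_separated(BASE_DN, None, None, SAMPLE_ENTRIES)
    # Separate RDNs: each search is confined to its own subtree.
    out["user_dn"] = lookup("deploy", BASE_DN, "ou=people", SAMPLE_ENTRIES).dn
    out["group_dn"] = lookup("deploy", BASE_DN, "ou=groups", SAMPLE_ENTRIES).dn
    out["separated_layout_ok"] = layout_is_separated(BASE_DN, "ou=people", "ou=groups",
                                                     SAMPLE_ENTRIES)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run `layout_is_separated` against an export of your real tree before changing the settings: if any user lives outside the user subtree, or any group outside the group subtree, that entry will not be found once the searches are narrowed, which is the failure mode the "as long as" condition above warns about.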

Assign user groups to user roles

After importing a group, you must assign at least one user role to it. This grants the role's permissions to the group members. If you don't assign a role, the users in this group have no permissions.

Before you begin
Before assigning roles to groups, you must Import user groups from external directory services.

If you are not using the default roles (which are described in User permissions and user roles) or any custom roles that you previously created, then you must Create user roles and Assign permissions to roles.

  1. In the console, on the Access control page, click the User roles tab.
  2. Click the role you want to add the user group to.
  3. Click Member groups. In the Group name field, select the user group you want to add to the user role.
  4. Click Add group, and commit changes.
  5. Repeat to assign roles to other imported groups.

Remove a user group

You can remove imported LDAP user groups in the PE console. Users associated with the deleted group lose the permissions associated with roles assigned to the group.

Important: This action removes the LDAP group only from PE, not from the associated external directory service.
  1. In the console, on the Access control page, click the User groups tab.
    The User groups tab is available only if you have established a connection with an external directory.
  2. Locate the group that you wish to remove from PE.
  3. Click Remove.

Removing a remote user’s access to PE

In order to fully revoke a remote user's access to Puppet Enterprise, you must also remove the user from the external directory service accessed by PE.

Deleting a remote user's local PE account does not automatically prevent that user from accessing PE in the future. As long as the remote user is still a member of a group in an LDAP external directory that PE can access, the user can still log into PE and still receives permissions from roles associated with their LDAP group membership.

If you delete a user from your external directory service but not from PE, the user can no longer log in, but any generated tokens or existing console sessions continue to be valid until they expire or are revoked by automatic LDAP synchronization (controlled by the ldap_sync_period_seconds parameter). To manually invalidate the user's tokens or sessions, you must Revoke the user's PE account, which also automatically revokes all tokens for the user. To fully remove the user's account record, you must manually Delete the user.