Connecting LDAP external directory services to PE

Puppet Enterprise connects to external Lightweight Directory Access Protocol (LDAP) directory services through its role-based access control (RBAC) service. Because PE integrates with cloud LDAP service providers, such as Okta, you can use the users and user groups that already exist in your external directory service.

Specifically, you can:

  • Connect multiple LDAP directory services.
  • Authenticate external directory users.
  • Authorize access for external directory users based on RBAC permissions.
  • Store and retrieve group and group membership information from your external directory.

Puppet stores local accounts and directory service integration credentials securely. Local account passwords are hashed using SHA-256 multiple times, along with a 32-bit salt. To update the algorithm to argon2id (only for non-FIPS enabled systems) or to configure password algorithm parameters, refer to Configure the password algorithm. Directory service lookup credentials (the credentials PE uses to query the directory) are encrypted using AES-128. Puppet does not store the directory credentials that users enter to authenticate to Puppet; these are distinct from the directory service lookup credentials.

PE supports OpenLDAP and Active Directory. If you have predefined groups in OpenLDAP or Active Directory, you can import these groups into the console and assign user roles to them, as explained in Working with LDAP users and user groups. Users in an imported group inherit the permissions specified in the group's assigned user roles. If new users are added to the group in the external directory, they also inherit the permissions of the role to which that group belongs.

The connection to OpenLDAP and Active Directory is read-only. If you want to make changes to remote users or user groups, you need to edit the information directly in the external directory.