Configure RBAC and token-based authentication settings

You can configure RBAC and token-based authentication settings, such as setting the number of failed attempts a user has before they are locked out of the console or the amount of time tokens are valid.

RBAC and token authentication settings can be changed in the PE Infrastructure node group in the Puppet Enterprise (PE) console or in Hiera data. Settings include:

puppet_enterprise::profile::console::rbac_failed_attempts_lockout

An integer specifying how many failed login attempts are allowed on an account before the account is revoked.

Default: 10

puppet_enterprise::profile::console::rbac_password_reset_expiration

An integer representing the number of hours that password reset tokens are valid.

An administrator generates these tokens for users to reset their passwords.

Default: 24

puppet_enterprise::profile::console::rbac_session_timeout

An integer representing, in minutes, how long a user's session can last.

The session length is the same for node classification, RBAC, and the console.

Default: 60

puppet_enterprise::profile::console::rbac_token_auth_lifetime

A string representing the default authentication lifetime for a token.

The value is formatted as a string consisting of a number followed by a suffix representing a unit of time: y (years), d (days), h (hours), m (minutes), or s (seconds).

This value cannot exceed the rbac_token_maximum_lifetime.

Default: "1h" (one hour)

puppet_enterprise::profile::console::rbac_token_maximum_lifetime

A string representing the maximum allowable lifetime for all tokens.

The value is formatted as a string consisting of a number followed by a suffix representing a unit of time: y (years), d (days), h (hours), m (minutes), or s (seconds).

Default: "10y" (10 years)

puppet_enterprise::profile::console::rbac_account_expiry_check_minutes

An integer specifying, in minutes, how often the application checks for idle user accounts.

Default: 60 minutes

The rbac_account_expiry_check_minutes parameter is ignored if you do not also specify the rbac_account_expiry_days parameter.

puppet_enterprise::profile::console::rbac_account_expiry_days

An integer specifying, in days, the duration before an inactive user account expires.

The default value is undefined. To activate this feature, specify a positive integer of 1 or greater.

When non-superusers don't log into the console during the specified period, their user status changes to revoked. This also applies to new accounts: the inactivity timer starts once the account is created.

puppet_enterprise::profile::console::ldap_sync_period_seconds

An integer specifying, in seconds, the interval at which LDAP group membership associations are synchronized.

The default value is 1800 (30 minutes).

This synchronization refreshes group membership for every LDAP user in the system, regardless of the last time the user logged in. If a user is no longer present in LDAP or has no group bindings, then all user-group associations are removed from the user and all of the user's known tokens are revoked; however, the user object itself is not removed. If a user is present in LDAP and has group bindings, this synchronization updates the user's group membership, user name, and descriptions (if this data had changed).

To disable automatic synchronization, set the value to 0 or a negative integer. When disabled, user names, descriptions, and group membership only refresh when users log in.

When enabled, various entries are recorded to console-services.log that indicate whether the service is enabled and when each synchronization event has completed. If you enabled SAML after LDAP, these logs can show tokens being revoked in association with past LDAP users if those users haven't logged in through SAML.

puppet_enterprise::profile::console::ldap_cipher_suites

An array specifying the ciphers to use when establishing connections to configured LDAP servers.

Default: $puppet_enterprise::ssl_cipher_suites. This default value captures the array of ciphers specified by the puppet_enterprise::ssl_cipher_suites parameter. For information on ciphers you can use for console services, see Compatible ciphers.
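As an added example (not part of the Puppet Enterprise documentation or of PE itself), the Ruby script below embeds a constructed Hiera fragment that tightens these settings and checks, before the data is committed, the constraints the reference states: the integer parameters, the number-plus-suffix lifetime format, the rule that rbac_token_auth_lifetime cannot exceed rbac_token_maximum_lifetime, the dependency of rbac_account_expiry_check_minutes on rbac_account_expiry_days, and the ldap_sync_period_seconds value that disables automatic synchronization. The sample values, the 365-day year used to compare lifetimes, and the check_rbac_settings and lifetime_seconds helpers are assumptions of this example.

```ruby
require 'yaml'

# Constructed Hiera fragment (assumed values, not a PE default set):
# shorter lockout threshold, session, and token lifetimes than the defaults.
HIERA_FRAGMENT = <<~YAML
  ---
  puppet_enterprise::profile::console::rbac_failed_attempts_lockout: 5
  puppet_enterprise::profile::console::rbac_password_reset_expiration: 4
  puppet_enterprise::profile::console::rbac_session_timeout: 30
  puppet_enterprise::profile::console::rbac_token_auth_lifetime: "30m"
  puppet_enterprise::profile::console::rbac_token_maximum_lifetime: "30d"
  puppet_enterprise::profile::console::rbac_account_expiry_check_minutes: 60
  puppet_enterprise::profile::console::rbac_account_expiry_days: 90
  puppet_enterprise::profile::console::ldap_sync_period_seconds: 1800
YAML

PREFIX = 'puppet_enterprise::profile::console::'.freeze

# Seconds per suffix from the page's format (y/d/h/m/s); a year is
# taken as 365 days here, which is an assumption of this example.
UNIT_SECONDS = { 'y' => 365 * 86_400, 'd' => 86_400, 'h' => 3600,
                 'm' => 60, 's' => 1 }.freeze

# Parse a lifetime string such as "1h" or "10y" into seconds; nil if malformed.
def lifetime_seconds(value)
  return nil unless value.is_a?(String)
  m = /\A(\d+)([ydhms])\z/.match(value)
  return nil unless m
  m[1].to_i * UNIT_SECONDS[m[2]]
end

# Return human-readable findings for a Hiera YAML document; [] means it passes.
def check_rbac_settings(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  get = ->(name) { data["#{PREFIX}#{name}"] }
  findings = []

  # Plain integer parameters: anything set must be a positive integer.
  %w[rbac_failed_attempts_lockout rbac_password_reset_expiration
     rbac_session_timeout rbac_account_expiry_check_minutes].each do |key|
    v = get.call(key)
    next if v.nil?
    findings << "#{key}: expected a positive integer, got #{v.inspect}" unless v.is_a?(Integer) && v.positive?
  end

  # Token lifetimes: validate the format and fall back to the page's defaults
  # ("1h" and "10y") for unset keys so the comparison still applies.
  auth = get.call('rbac_token_auth_lifetime')
  max = get.call('rbac_token_maximum_lifetime')
  auth_s = lifetime_seconds(auth.nil? ? '1h' : auth)
  max_s = lifetime_seconds(max.nil? ? '10y' : max)
  findings << "rbac_token_auth_lifetime: malformed #{auth.inspect}" if auth_s.nil?
  findings << "rbac_token_maximum_lifetime: malformed #{max.inspect}" if max_s.nil?
  if auth_s && max_s && auth_s > max_s
    findings << "rbac_token_auth_lifetime (#{auth || '1h'}) exceeds rbac_token_maximum_lifetime (#{max || '10y'})"
  end

  # Account expiry: the check interval is ignored without expiry days.
  days = get.call('rbac_account_expiry_days')
  if !get.call('rbac_account_expiry_check_minutes').nil? && days.nil?
    findings << 'rbac_account_expiry_check_minutes is ignored without rbac_account_expiry_days'
  end
  if !days.nil? && !(days.is_a?(Integer) && days >= 1)
    findings << "rbac_account_expiry_days: expected an integer of 1 or greater, got #{days.inspect}"
  end

  # LDAP sync: 0 or negative disables automatic synchronization.
  sync = get.call('ldap_sync_period_seconds')
  findings << "ldap_sync_period_seconds: expected an integer, got #{sync.inspect}" if !sync.nil? && !sync.is_a?(Integer)
  findings << 'ldap_sync_period_seconds <= 0 disables automatic LDAP sync (refresh only at login)' if sync.is_a?(Integer) && sync <= 0

  # LDAP cipher suites must be an array of cipher names when set.
  ciphers = get.call('ldap_cipher_suites')
  unless ciphers.nil? || (ciphers.is_a?(Array) && ciphers.all? { |c| c.is_a?(String) })
    findings << "ldap_cipher_suites: expected an array of strings, got #{ciphers.inspect}"
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  problems = check_rbac_settings(HIERA_FRAGMENT)
  puts(problems.empty? ? 'ok' : problems)
end
```

Run it against the Hiera file that feeds the PE Infrastructure node group; an empty result means the values are self-consistent, while findings such as an auth lifetime longer than the maximum or an expiry check interval without expiry days point at settings PE would reject or silently ignore.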
