Require LDAP group membership to log in

You can use the exclude-groupless-ldap-users setting to prevent LDAP users with no group bindings from logging in and creating Puppet Enterprise (PE) accounts. This setting is disabled by default.

On your primary server, navigate to /etc/puppetlabs/console-services/conf.d/ and create a new .conf file at this location.

Paste the following into the .conf file:

rbac: {
   feature-flags: {
    exclude-groupless-ldap-users: true
  }
}

To merge this setting into your RBAC configuration, run Puppet on your primary server: puppet agent -t

Related information

Managing access
Configure RBAC and token-based authentication settings