Working with LDAP users and user groups

You don’t explicitly add remote users to PE. Instead, after connecting external directory services, remote users log into PE, which creates their user records.

If the user belongs to an external directory group that has been imported into PE and assigned to a role, the user is assigned to that role and gains the permissions associated with that role. User permissions and user roles are additive: Users can be assigned to multiple roles and they gain the permissions of all the roles to which they are assigned.

When a user logs in for the first time, PE looks for the user in your connected LDAP directories. If you have connected to multiple LDAP directories, PE checks them in the order the directories were added to PE. Once PE locates the user, it stops checking the directories. Periodically, based on the ldap_sync_period_seconds interval, PE checks that the user still exists in the directory and pulls the latest group membership information. To learn more about the LDAP sync period setting and what happens during an LDAP sync, refer to Configure RBAC and token-based authentication settings.

If the user is removed from their associated LDAP directory, their access is revoked during the next LDAP sync because PE can no longer find the user in that directory. If the user is then added to another connected LDAP directory, or re-added to the same directory, PE synchronizes the user at their next login as if it were their first login (that is, PE looks through all the connected directories, in order, until it locates the user).

If you have connected both LDAP and SAML and a user initially logs in through SAML, their role assignments are configured based on your SAML authentication group configurations. If the user later logs in through LDAP, and PE identifies them as the same user that previously logged in through SAML, the user's SAML binding is revoked and replaced by the appropriate LDAP binding. If you have different PE roles assigned to your SAML and LDAP groups, the user's roles change accordingly.
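The following is an added, stand-alone model of the user-sync rules described above (ordered directory lookup, additive roles, revocation at sync, re-sync on re-login, and the SAML-to-LDAP binding replacement). It is illustrative code written for this page, not Puppet Enterprise code, and it does not call the PE RBAC API; the directory names, group DNs, role names and permission strings are all constructed sample data.

```python
"""Simulation of PE's LDAP/SAML user sync rules (added example, not PE code)."""
from dataclasses import dataclass, field


@dataclass
class Directory:
    name: str
    members: dict            # login -> set of group names (constructed sample data)


@dataclass
class UserRecord:
    login: str
    source: str              # name of the directory the record was resolved against, or "saml"
    groups: set = field(default_factory=set)
    revoked: bool = False


class Rbac:
    def __init__(self, directories, ldap_group_roles, saml_group_roles, role_permissions):
        self.directories = list(directories)      # list order = order the directories were added
        self.ldap_group_roles = ldap_group_roles  # imported LDAP group -> roles
        self.saml_group_roles = saml_group_roles  # SAML group -> roles
        self.role_permissions = role_permissions  # role -> permissions
        self.users = {}                           # login -> UserRecord

    def _locate(self, login):
        for d in self.directories:                # checked in the order added; first hit wins
            if login in d.members:
                return d
        return None

    def login_ldap(self, login):
        rec = self.users.get(login)
        # A new user, a revoked user, or a user previously bound via SAML is
        # resolved as if this were a first login; an existing LDAP binding is kept.
        if rec is None or rec.revoked or rec.source == "saml":
            d = self._locate(login)
            if d is None:
                return False                      # in no connected directory: no record, no access
            self.users[login] = UserRecord(login, d.name, set(d.members[login]))
        return True

    def login_saml(self, login, saml_groups):
        rec = self.users.get(login)
        if rec is None or rec.revoked:            # first SAML login creates the record
            self.users[login] = UserRecord(login, "saml", set(saml_groups))
        return True

    def sync(self):
        """Periodic LDAP sync (every ldap_sync_period_seconds): re-check existence and groups."""
        for rec in self.users.values():
            if rec.source == "saml" or rec.revoked:
                continue
            d = next(x for x in self.directories if x.name == rec.source)
            if rec.login not in d.members:
                rec.revoked, rec.groups = True, set()   # gone from its directory: access revoked
            else:
                rec.groups = set(d.members[rec.login])  # pull latest group membership

    def roles(self, login):
        rec = self.users.get(login)
        if rec is None or rec.revoked:
            return set()
        mapping = self.saml_group_roles if rec.source == "saml" else self.ldap_group_roles
        return set().union(*(mapping.get(g, set()) for g in rec.groups))   # roles are additive

    def permissions(self, login):
        return set().union(*(self.role_permissions[r] for r in self.roles(login)))


def run_scenario():
    """Walks through the cases described on the page and returns the observed results."""
    corp = Directory("corp", {"alice": {"cn=ops"}, "bob": {"cn=devs"}})
    legacy = Directory("legacy", {"alice": {"cn=admins"}})   # same login exists here too
    rbac = Rbac(
        directories=[corp, legacy],                          # corp was connected first
        ldap_group_roles={"cn=ops": {"Operators"}, "cn=devs": {"Viewers"},
                          "cn=admins": {"Administrators"}},
        saml_group_roles={"saml-readers": {"Viewers"}},
        role_permissions={"Operators": {"nodes:view", "puppet_agent:run"},
                          "Viewers": {"nodes:view"},
                          "Administrators": {"nodes:view", "users:create"}},
    )
    out = {}
    rbac.login_ldap("alice")
    out["alice_source"] = rbac.users["alice"].source          # resolved against corp, not legacy
    out["alice_perms"] = rbac.permissions("alice")
    rbac.login_ldap("bob")
    corp.members["bob"].add("cn=ops")                         # second group: roles add up after sync
    rbac.sync()
    out["bob_roles"] = rbac.roles("bob")
    del corp.members["alice"]                                 # removed from her directory
    rbac.sync()
    out["alice_after_removal"] = rbac.permissions("alice")    # revoked at sync
    rbac.login_ldap("alice")                                  # fresh lookup finds her in legacy
    out["alice_relogin_source"] = rbac.users["alice"].source
    rbac.login_saml("carol", {"saml-readers"})                # SAML first ...
    out["carol_saml_roles"] = rbac.roles("carol")
    corp.members["carol"] = {"cn=ops"}
    rbac.login_ldap("carol")                                  # ... then LDAP replaces the binding
    out["carol_ldap_roles"] = rbac.roles("carol")
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The `alice` case shows why directory order matters: when the same login exists in more than one connected directory, the directory that was added first decides which groups, and therefore which roles, the user gets, so review that order whenever you connect an additional directory.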