Configure LDAP

Continuous Delivery for Puppet Enterprise (PE) supports use of the Lightweight Directory Access Protocol (LDAP) for managing user authentication. After configuring LDAP, use group mapping to associate your existing LDAP groups with role-based access control (RBAC) groups in Continuous Delivery for PE.

For organizational or failover protection purposes, you can add multiple LDAP configurations, each specifying a separate LDAP server, to your Continuous Delivery for PE instance. Continuous Delivery for PE searches for an LDAP user in the configurations in the order you specify. Once a user is found, the search ends and that LDAP configuration is used to perform the login operation.

Note: If your LDAP server has a search result limitation below 500, you'll need to Configure LDAP server search result limits.

Create a new LDAP configuration

Add an LDAP configuration to Continuous Delivery for Puppet Enterprise (PE) by providing key information on the mapping of user and group attributes in your LDAP server implementation.

A super user or the root user must perform this task.
  1. Log in to the root console by signing in as the root user or by selecting Root console from the workspaces menu at the top of the Continuous Delivery for PE navigation bar.
  2. Click Settings and click the Single sign on tab if you are not already on it.
  3. Select LDAP and click Add LDAP configuration.
  4. In the New LDAP configuration window, enter the configuration information as per the instructions below.
    Name
    A friendly identifier for this LDAP configuration. You can't change this, so choose carefully.
    Endpoint URL
    The LDAP server's endpoint URL, including the LDAP scheme, hostname, and port. If the scheme or port is omitted, the default scheme is ldaps and the default port is 636.
    Bind DN
    The distinguished name of the LDAP account that Continuous Delivery for PE binds as when performing LDAP operations. Usually, this is an admin account or a service account created specifically for Continuous Delivery for PE. If you create a new account, make sure it has permission to search for users and groups.
    Bind DN password
    The password associated with the bind DN account.
    Note: You must enter this password each time you update the LDAP configuration. You don't have to enter the password when you disable the LDAP configuration.
    User base DN
    The LDAP base DN that informs Continuous Delivery for PE where users are located in the directory. Using a more specific DN results in better LDAP search performance.
    User attribute
    The LDAP user attribute that maps LDAP users to Continuous Delivery for PE usernames. Usually, this is the mail attribute, but you can use any attribute as long as the LDAP database doesn't contain any duplicate values for that attribute.
    Optional: User base filter
    A filter that Continuous Delivery for PE can use to restrict user search results. This is useful in edge cases where you want to include or exclude certain users.
    Group base DN
    The LDAP base DN that informs Continuous Delivery for PE where groups are located in the directory. Using a more specific DN results in better LDAP search performance.
    Note: If users and groups are stored in the same location, the Group base DN is the same as the User base DN.
    Group user attribute
    The user attribute that group entries use to identify users. Usually, this is dn.
    Group member attribute
    The group attribute that maps to a group member. Usually, this is either member or uniqueMember.
    Group name attribute
    The group attribute that identifies the group name. Usually, this is cn.
    Optional: Group base filter
    A filter that Continuous Delivery for PE can use to restrict group search results. This is useful in edge cases where you want to include or exclude certain groups.
    User object class
    Specifies the value of the objectClass attribute that allows Continuous Delivery for PE to query user entries. Usually, this is either user or person.
    Group object class
    Specifies the value of the objectClass attribute that allows Continuous Delivery for PE to query group entries. Usually, this is either group or groupOfUniqueNames.
    Optional: Mail attribute
    The LDAP user attribute used to identify each member's email address. Defaults to mail if unset.
    Optional: User member attribute
    Specifies the user attribute that can be used to identify the membership of a group. If present, this is usually memberOf.
  5. Optional: Enter the CA certificate that signed the LDAP server's certificate. If the server's certificate is signed by a CA that is already trusted, you do not need to enter a CA certificate here.
  6. Select the Priority number for this LDAP configuration. If you have multiple LDAP configurations, this number indicates the order in which Continuous Delivery for PE searches for users in your LDAP configurations during login and when synchronizing groups.
  7. Optional: Set the toggle to enable recursive LDAP queries for nested groups. This option is available only if your LDAP server's implementation supports the ExtensibleMatch search filter.
  8. Optional: Set the toggle to enable use of login filtering. When enabled, users who are not part of mapped LDAP groups are not allowed to log in to Continuous Delivery for PE.
  9. Activate the Enable LDAP switch and click Run configuration test to check the connection between Continuous Delivery for PE and the LDAP server.
    Note: This configuration test checks the LDAP server connection; it does not test the other configuration options.
  10. Click Save configuration. Your new LDAP configuration is shown on the Single sign on settings page, where you can edit or delete the configuration.
    Important: Once you enable an LDAP configuration, Continuous Delivery for PE automatically disables all local Continuous Delivery for PE accounts other than the root account, and it attempts to use LDAP authentication. If LDAP authentication fails, navigate to <YOUR CD4PE WEB UI ENDPOINT>/root/login, sign in as the root user, and adjust the LDAP settings.
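Because the configuration test only checks the connection, it is worth confirming that the user and group attributes you entered actually produce working searches. The following Python is an added example, not part of Continuous Delivery for PE: it builds the search filters that the form fields above imply (user object class plus user attribute, optionally combined with the user base filter; group object class plus group member attribute, optionally combined with the group base filter), escapes the login value according to RFC 4515 so that characters like `)` or `*` in a username cannot change the filter's structure, and assembles an equivalent OpenLDAP `ldapsearch` command line you can run with the bind DN to check the results by hand. `LdapConfig`, the functions, and every sample value are constructed for this example.

```python
"""Build the LDAP search filters that a Continuous Delivery for PE LDAP
configuration implies, and an equivalent OpenLDAP ldapsearch command line.

Added example: `LdapConfig` and the functions below are hypothetical helpers
written for this page, not Continuous Delivery for PE code; the field names
mirror the configuration form. All sample values are constructed."""

from dataclasses import dataclass

# Characters that must be escaped inside a filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a search filter, so that a
    login containing ')' or '*' cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapConfig:
    """The form fields that determine how users and groups are searched."""
    endpoint_url: str            # e.g. ldaps://host:636
    user_base_dn: str
    user_attribute: str          # maps LDAP users to CD4PE usernames, usually mail
    user_object_class: str       # usually user or person
    group_base_dn: str
    group_member_attribute: str  # usually member or uniqueMember
    group_object_class: str      # usually group or groupOfUniqueNames
    user_base_filter: str = ""   # optional extra filter, e.g. "(department=ops)"
    group_base_filter: str = ""  # optional extra filter for groups


def _and(clauses: list[str]) -> str:
    return "(&" + "".join(clauses) + ")"


def user_search_filter(cfg: LdapConfig, login: str) -> str:
    """Filter that locates the entry whose user attribute equals `login`."""
    clauses = [
        f"(objectClass={escape_filter_value(cfg.user_object_class)})",
        f"({cfg.user_attribute}={escape_filter_value(login)})",
    ]
    if cfg.user_base_filter:
        clauses.append(cfg.user_base_filter)  # operator-written filter, used verbatim
    return _and(clauses)


def group_search_filter(cfg: LdapConfig, member_value: str) -> str:
    """Filter that finds the groups listing `member_value` (normally the user's
    DN, the usual group user attribute) in the group member attribute."""
    clauses = [
        f"(objectClass={escape_filter_value(cfg.group_object_class)})",
        f"({cfg.group_member_attribute}={escape_filter_value(member_value)})",
    ]
    if cfg.group_base_filter:
        clauses.append(cfg.group_base_filter)
    return _and(clauses)


def ldapsearch_argv(cfg: LdapConfig, bind_dn: str, base_dn: str, search_filter: str) -> list[str]:
    """argv for an OpenLDAP ldapsearch that runs the same query bound as the
    bind DN (-W prompts for the password instead of taking it on the command line)."""
    return ["ldapsearch", "-x", "-H", cfg.endpoint_url, "-D", bind_dn, "-W",
            "-b", base_dn, search_filter]


# Constructed sample configuration.
SAMPLE = LdapConfig(
    endpoint_url="ldaps://ldap.example.test:636",
    user_base_dn="ou=people,dc=example,dc=test",
    user_attribute="mail",
    user_object_class="person",
    group_base_dn="ou=groups,dc=example,dc=test",
    group_member_attribute="uniqueMember",
    group_object_class="groupOfUniqueNames",
    user_base_filter="(department=ops)",
)

if __name__ == "__main__":
    login = "alice@example.test"
    print(user_search_filter(SAMPLE, login))
    print(group_search_filter(SAMPLE, "uid=alice,ou=people,dc=example,dc=test"))
    print(" ".join(ldapsearch_argv(SAMPLE, "cn=cd4pe,ou=service,dc=example,dc=test",
                                   SAMPLE.user_base_dn, user_search_filter(SAMPLE, login))))
```

Run the printed `ldapsearch` line against your server: the user search should return exactly one entry for a known login (a second entry means the user attribute is not unique, which the form does not allow), and the group search, given that entry's DN, should list the groups you intend to map.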

Create an LDAP group map

After adding an LDAP configuration to Continuous Delivery for Puppet Enterprise (PE), use group maps to map your existing LDAP groups to Continuous Delivery for PE RBAC groups. This makes it possible to mirror LDAP group membership in Continuous Delivery for PE groups.

Before you begin
You must add at least one LDAP configuration to your Continuous Delivery for PE instance before you can create an LDAP group map.
  1. Log in to the root console by navigating to <YOUR CD4PE WEB UI ENDPOINT>/root/login and signing in as the root user.
  2. Click Settings and click the Single sign on tab if you are not already on it.
  3. Click LDAP > Manage groups > Add LDAP group mapping.
  4. From the LDAP configuration name list, select the LDAP configuration you want to create group mapping for.
  5. From the LDAP group name list, select the group to use to perform the mapping.
    Tip: You can search for groups by name (partial matches and case-insensitive matches allowed) or distinguished name (case-insensitive matches allowed).
  6. Select a Continuous Delivery for PE account associated with the RBAC group you want to map to the selected LDAP group.
  7. From the list of available Continuous Delivery for PE RBAC groups, select the RBAC group you want to map to the selected LDAP group.
  8. Click Add group mapping.
Results
After setting up a group map, Continuous Delivery for PE synchronizes with your LDAP groups based on the mapping you created.
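To make the interaction between prioritized LDAP configurations, login filtering, and group maps concrete, here is an added Python example that is not Continuous Delivery for PE code. It models the behaviour described in the two sections above against constructed in-memory directory entries: the configuration with the lowest priority number that finds the user ends the search, the user's LDAP groups are resolved through the group user and group member attributes, each mapped LDAP group yields its RBAC group, and with login filtering enabled a user who belongs to no mapped group is refused. Keying group maps by group DN and treating a lower priority number as searched first are assumptions of the example.

```python
"""Resolve a login against prioritized LDAP configurations, derive the user's
LDAP groups, apply group maps to RBAC groups, and enforce login filtering.

Added example, not Continuous Delivery for PE code; the directory entries,
configuration names and group map below are constructed. Group maps are keyed
by group DN and a lower priority number is searched first (both assumptions)."""

from dataclasses import dataclass

Entry = dict[str, list[str]]   # attribute name -> values; "dn" holds the entry's DN


@dataclass
class LdapConfig:
    name: str
    priority: int                # lower number is searched first (assumption)
    user_attribute: str          # usually mail
    user_object_class: str       # usually user or person
    group_user_attribute: str    # usually dn
    group_member_attribute: str  # usually member or uniqueMember
    group_object_class: str      # usually group or groupOfUniqueNames
    login_filtering: bool
    entries: list[Entry]         # constructed stand-in for the LDAP server


@dataclass(frozen=True)
class GroupMap:
    ldap_config: str     # LDAP configuration name
    ldap_group_dn: str
    account: str         # the CD4PE account that owns the RBAC group
    rbac_group: str


def _values(entry: Entry, attr: str) -> list[str]:
    return [entry["dn"]] if attr.lower() == "dn" else entry.get(attr, [])


def _has(entry: Entry, attr: str, value: str) -> bool:
    """Case-insensitive attribute match, as LDAP does for DNs and most strings."""
    return value.lower() in (v.lower() for v in _values(entry, attr))


def find_user(cfg: LdapConfig, login: str):
    """The single user entry whose user attribute equals `login`, or None.
    Duplicates are an error: the user attribute must be unique in the directory."""
    hits = [e for e in cfg.entries
            if _has(e, "objectClass", cfg.user_object_class)
            and _has(e, cfg.user_attribute, login)]
    if len(hits) > 1:
        raise ValueError(f"{cfg.name}: {cfg.user_attribute}={login} is not unique")
    return hits[0] if hits else None


def user_groups(cfg: LdapConfig, user: Entry) -> list[Entry]:
    """Groups whose member attribute lists the user's group user attribute value."""
    key = _values(user, cfg.group_user_attribute)[0]
    return [e for e in cfg.entries
            if _has(e, "objectClass", cfg.group_object_class)
            and _has(e, cfg.group_member_attribute, key)]


def resolve_login(configs, group_maps, login):
    """(config name, {(account, rbac group)}) for an accepted login, else None."""
    for cfg in sorted(configs, key=lambda c: c.priority):
        user = find_user(cfg, login)
        if user is None:
            continue                      # try the next configuration in order
        dns = {g["dn"].lower() for g in user_groups(cfg, user)}
        rbac = {(m.account, m.rbac_group) for m in group_maps
                if m.ldap_config == cfg.name and m.ldap_group_dn.lower() in dns}
        if cfg.login_filtering and not rbac:
            return None                   # found, but in no mapped group: refused
        return cfg.name, rbac             # first configuration that finds the user wins
    return None                           # unknown in every configuration


# Constructed entries: one OpenLDAP-style directory and one AD-style directory.
CORP = LdapConfig("corp", 1, "mail", "person", "dn", "uniqueMember", "groupOfUniqueNames", True, [
    {"dn": "uid=alice,ou=people,dc=corp,dc=test", "objectClass": ["person"], "mail": ["alice@corp.test"]},
    {"dn": "uid=bob,ou=people,dc=corp,dc=test", "objectClass": ["person"], "mail": ["bob@corp.test"]},
    {"dn": "cn=cd4pe-ops,ou=groups,dc=corp,dc=test", "objectClass": ["groupOfUniqueNames"],
     "cn": ["cd4pe-ops"], "uniqueMember": ["uid=alice,ou=people,dc=corp,dc=test"]},
])
LAB = LdapConfig("lab", 2, "mail", "user", "dn", "member", "group", False, [
    {"dn": "cn=carol,ou=users,dc=lab,dc=test", "objectClass": ["user"], "mail": ["carol@lab.test"]},
    {"dn": "cn=lab-admins,ou=groups,dc=lab,dc=test", "objectClass": ["group"],
     "cn": ["lab-admins"], "member": ["cn=carol,ou=users,dc=lab,dc=test"]},
])
GROUP_MAPS = [GroupMap("corp", "cn=cd4pe-ops,ou=groups,dc=corp,dc=test", "platform", "Operators")]

if __name__ == "__main__":
    for login in ("alice@corp.test", "bob@corp.test", "carol@lab.test"):
        print(login, "->", resolve_login([LAB, CORP], GROUP_MAPS, login))
```

In the constructed data, alice is in the mapped corp group and receives the Operators RBAC group; bob is found in the same configuration but is in no mapped group, so login filtering refuses him; carol is found only in the lab configuration, which has no group maps but also no login filtering, so she logs in with no RBAC group membership.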