Skip to content
Documentation that outlines the process for using Google Cloud Directory as an external directory for Puppet Enterprise
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Google Cloud Directory for PE

This README documents the process and configuration needed to connect Puppet Enterprise to Google Cloud Directory as an external directory for managing RBAC. While this configuration has been validated there are caveats, Puppet Enterprise only officially supports Active Directory or OpenLDAP and you'll be required to configure stunnel to handle encryption and authentication of your PE console services to Google's LDAP frontend due to Google's requirement for certificate based client authentication not currently supported in Puppet Enterprise for LDAP external directories.

A request to support client certificate authentication in the Puppet Enterprise console's external directory configuration has been submitted but the feature has not yet been roadmapped.

Manual method

  1. Setup and create a client certificate for Google Cloud Directory

    • Begin specifically with the items indicated as 1, 2, 3, and 5 in the linked support article
    • After finishing the previous process Puppet Enterprise requires you to provision Access credentials
    Additional Google Cloud Directory setup
    1. Return to the LDAP app that lists the clients that you've provisioned and select the client you previously provisioned for the use with PE, in my example I named mine Secure LDAP Docs

    Image of LDAP Admin Console

    1. This'll open the client's settings pane which should near the bottom have panel Authentication that lists 1 certificate and 0 access credentials, click on Access Credentials

    Image of LDAP Clients Settings

    1. Scroll down the new pane and click GENERATE NEW CREDNTIALS and a new random user name and password will be created

    Image of LDAP Client Auth

    1. Save the credentials provided in the resulting popup pane, you won't be able to retrieve after dismissing the pane

    Image of LDAP Access Cred

  2. Setup Puppet Enterprise to your liking if you haven't already done so

  3. Setup stunnel

Installing stunnel on Ubuntu

  • Package installation

apt install stunnel4

  • Create the configuration file /etc/stunnel/google-ldap.conf with the following contents (change the ldap-client.key and ldap-client.cert to reflect the name of the certificate downloaded during Google Cloud Directory setup and client certificate creation)
client = yes
accept =
connect =
cert = /etc/stunnel/ldap-client.crt
key = /etc/stunnel/ldap-client.key
  • Upload LDAP client certificate and key obtained previously to the machine running your Puppet Enterprise console services and place them into the /etc/stunnel directory

  • Enable stunnel, edit /etc/default/stunnel4 so that ENABLED=1

  • Start/restart stunnel

systemctl restart stunnel4

  1. Configure Puppet Enterprise external directory
  • In the following example configuration you'll see a need for Lookup user and Lookup password, these were provisioned and provided to you as Access credentials once you completed the additional Google Cloud Directory setup.
  • From within Puppet Enterprise, SSL functionality for communicating with LDAP has been disabled in order to make it possible to leverage stunnel to do the certificate based authentication that is required by Google Cloud Directory; credentials are encrypted by stunnel is this configuration
Name Example Google Cloud Directory settings
Directory name Google Cloud Directory (
Login help (optional)
Port 1636
Lookup user (optional) ExampleCloudDirectoryUser
Lookup password (optional) the_secure_ldap_provisioned_password
Connection timeout (seconds) 30
Connect using: Plain text (insecure connection)
Validate the hostname? No
Allow wildcards in SSL certificate? No
Base distinguished name dc=example,dc=com
User login attribute uid
User email address mail
User full name displayName
User relative distinguished name (optional) ou=Users
Group object class groupOfNames
Group membership field memberUid
Group name attribute displayName
Group lookup attribute cn
Group relative distinguished name (optional) ou=Groups
Search nested groups? Yes
You can’t perform that action at this time.