Puppet Enterprise - AD authentication with multiple "default" roles
We've got Active Directory configured as third-party authentication per http://docs.puppetlabs.com/pe/latest/console_config.html#configuring-third-party-authentication-services .
Currently, we are pointing to a single AD group using a filter directive in rubycas-server/config.yml:
This is referenced via console-auth/casclientconfig.yml with a default_role of read-write:
activedirectoryldap:
  default_role: read-write
  description: Active Directory
However, I'd like to be able to also add folks to a different AD group and be able to give them read-only access to Puppet Enterprise.
Any idea if this is possible?