8. Configuration of Host-based Database Authentication
The “Configuration of Host-based Database Authentication” chapter contains information only needed for local Cerebro installations (see: “Local (On-premises) Deployment”).
Host-based authentication lets you configure an IP address-based database access policy. It specifies single IP addresses or IP address ranges that are allowed or forbidden to connect to Cerebro.
The database access policy is given separately for different connection methods, such as direct Cerebro authentication, Active Directory domain authentication, or Active Directory current session authentication.
If no policy is specified for a particular authentication method, the connection is allowed from any IP address. If a policy is specified, the IP address masks are checked until the first match. If no match is found, access is implicitly denied.
To access the HBA settings, go to Administrator (Main menu/Tools/Administrator) and then to the Universe tab.
Press the HBA… button in the top left part of the Universe tab. A new window, Host-based Authentication Configuration, will appear.
Add IP addresses or address ranges in CIDR-ADDRESS format for hosts that are allowed or denied to connect to Cerebro.
- Cerebro PASS – default authentication by Cerebro login;
- AD Session – ActiveDirectory authentication by current session (see: “External user database integration via LDAP (ActiveDirectory)”);
- AD PASS – ActiveDirectory authentication by login and password.
Address order matters, because addresses are checked for every method from top to bottom until the first complete match.
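The evaluation rules from this chapter (no policy means any address is allowed, first match wins, no match means implicit deny) are modelled below as an added example; it is not Cerebro's own code. The policy layout, the sample addresses and the `evaluate` and `shadowed_rules` helpers are assumptions made for illustration, and an empty rule list is treated as "no policy".

```python
import ipaddress

# Constructed sample policy: method name -> ordered list of (action, CIDR).
# This layout is an assumption for illustration, not Cerebro's storage format.
POLICY = {
    "Cerebro PASS": [
        ("deny", "10.0.5.23/32"),    # narrow exception listed first
        ("allow", "10.0.0.0/16"),
    ],
    "AD PASS": [
        ("allow", "10.0.0.0/16"),
        ("deny", "10.0.5.23/32"),    # never reached: the rule above matches first
    ],
    # "AD Session" deliberately has no policy.
}

def evaluate(policy, method, client_ip):
    """Return 'allow' or 'deny' following the rules described in this chapter."""
    rules = policy.get(method)
    if not rules:
        return "allow"               # no policy for this method: any IP may connect
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:       # checked from top to bottom
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action            # first match decides
    return "deny"                    # policy exists, nothing matched: implicit deny

def shadowed_rules(rules):
    """List rules that can never match because an earlier rule already covers them."""
    seen, dead = [], []
    for index, (action, cidr) in enumerate(rules):
        net = ipaddress.ip_network(cidr, strict=False)
        if any(net.version == s.version and net.subnet_of(s) for s in seen):
            dead.append((index, action, cidr))
        seen.append(net)
    return dead

if __name__ == "__main__":
    for method in ("Cerebro PASS", "AD PASS", "AD Session"):
        for ip in ("10.0.5.23", "10.0.7.1", "192.168.1.1"):
            print(f"{method:13} {ip:12} -> {evaluate(POLICY, method, ip)}")
    for method, rules in POLICY.items():
        for index, action, cidr in shadowed_rules(rules):
            print(f"{method}: rule {index} ({action} {cidr}) is shadowed")
```

Running it shows that the same two entries block 10.0.5.23 for Cerebro PASS but admit it for AD PASS purely because of their order, and that a method left without a policy accepts every address.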