7. External user database integration via LDAP (ActiveDirectory)

Attention

The “External user database integration via LDAP (ActiveDirectory)” chapter contains information only needed for local Cerebro installations (see: “Local (On-premises) Deployment”).

7.1. Introduction

You can set up Cerebro to use an external user account database through LDAP. At present you can import users from ActiveDirectory, but it is possible to configure Cerebro to work with any LDAP server.

Users logged in under ActiveDirectory accounts (Windows only) can access their Cerebro account without entering a password.

If your working environment does not support ActiveDirectory (i.e. any non-Windows environment), you can still set up logging in with your domain credentials. Your e-mail address may be used as your login.

7.2. How does it work

There is a script that synchronizes user accounts in the Cerebro database via LDAP. It is run by the Cargador service at set time intervals. The synchronization process reads the external directory and copies the main user attributes, such as:

  • Login;
  • Name/surname;
  • Email address;
  • Globally unique user security identifier (SID). It is the primary key of the database record.

This is done by a script which is launched by Cargador from time to time. The script can be run in any supported environment.
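As an added illustration, not Cerebro's own synchronization script, the following Python sketch mirrors the process described above: it decodes the binary objectSid into the usual S-1-5-… text form, upserts the four attributes keyed by SID, and shows why SID rather than login must be the key (a renamed account is updated in place instead of creating a duplicate, and a login already owned by a different SID is reported as a conflict). The attribute names, the sample entries and the local table are assumptions constructed for the example.

```python
import struct

# Added example, not Cerebro's own script: mirrors the synchronization
# described above (Login, Name/surname, Email, SID; SID is the primary key).

def sid_to_string(raw: bytes) -> str:
    """Convert a binary ActiveDirectory objectSid to its S-1-... text form."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)   # 32-bit, little-endian
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def sync_users(local, entries):
    """Upsert directory entries into `local` (dict keyed by SID string).

    Returns a summary dict. A login that already belongs to a different SID
    is reported as a conflict and not written, since logins must stay unique."""
    summary = {"created": [], "updated": [], "unchanged": [], "conflict": []}
    for e in entries:
        sid = sid_to_string(e["objectSid"])
        rec = {"login": e["sAMAccountName"], "first_name": e.get("givenName", ""),
               "last_name": e.get("sn", ""), "email": e.get("mail", "")}
        owner = next((s for s, r in local.items() if r["login"] == rec["login"]), None)
        if owner is not None and owner != sid:
            summary["conflict"].append(sid)
            continue
        if sid not in local:
            local[sid] = rec
            summary["created"].append(sid)
        elif local[sid] != rec:
            local[sid] = rec                 # e.g. a rename: same SID, new login
            summary["updated"].append(sid)
        else:
            summary["unchanged"].append(sid)
    return summary

# Constructed sample data: two directory entries and a local table in which
# John Doe was already imported under his old login "jdoe".
SID_A = bytes.fromhex("0105000000000005" "15000000" "e8030000" "d0070000" "b80b0000" "51040000")
SID_B = bytes.fromhex("0105000000000005" "15000000" "e8030000" "d0070000" "b80b0000" "52040000")
AD_ENTRIES = [
    {"sAMAccountName": "john.doe", "givenName": "John", "sn": "Doe",
     "mail": "jdoe@example.test", "objectSid": SID_A},
    {"sAMAccountName": "asmith", "givenName": "Ann", "sn": "Smith",
     "mail": "asmith@example.test", "objectSid": SID_B},
]
LOCAL = {"S-1-5-21-1000-2000-3000-1105": {"login": "jdoe", "first_name": "John",
                                          "last_name": "Doe", "email": "jdoe@example.test"}}

if __name__ == "__main__":
    print(sync_users(LOCAL, AD_ENTRIES))
```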

If a user works under an Active Directory account, the Cerebro client retrieves the user's SID and sends it to the database as the login. This is convenient but not a secure method, because a user's SID is not confidential. We recommend using this method only in a trusted LAN (or VPN).

You may restrict authentication methods by IP-masks with Host-based Authentication (see: “Configuration of Host-based Database Authentication”).

If users log into Cerebro without ActiveDirectory (working from home, or on Linux), they can still log in with their domain credentials. In this case the Cerebro database attempts to authenticate them against LDAP (bind_s method). Because a login to Cerebro can therefore trigger a login to LDAP, it is recommended to have a stable connection between the domain controller and the Cerebro database.

7.3. Synchronisation configuration

The configuration consists of two stages. The big part of configuration is done through Cerebro GUI. The other part can be set up in Cargador configuration files.

7.3.1. Cerebro GUI part

To access ActiveDirectory authentication settings go to Administrator (Main menu/Tools/Administrator) and then to Universe tab.

Press the AD… button in the top left part of the Universe tab. A new window, ActiveDirectory Authentication Configuration, will appear.

_images/ldap_ad_auth_config.png

Then follow the instructions displayed in this window.

Besides the configuration that is done in Cerebro interface, you should configure Cargador service as described in the next chapter.

7.3.2. Cargador configuration

Cargador service synchronizes user account data with ActiveDirectory.

After you have done the initial setup in the Cerebro GUI (see: “Cerebro GUI part”) you need to set the following parameters in the <Path to Cargador>/cron_conf.py file:

  1. DB_* parameter group — required to read the configuration from the database;
  2. OPTS.ldap_user — the LDAP service login used to read the user database;
  3. OPTS.ldap_pswd — its password;
  4. We also recommend setting up the SMTP parameters, so that the system sends error notifications if something goes wrong.

7.3.3. Adding Active Directory User Accounts to Cerebro

After you have configured the synchronization (see chapters above) you can import user accounts from ActiveDirectory to Cerebro.

It is done in Administrator window (Main menu/Tools/Administrator), on the Users tab.

You can either create new Cerebro accounts, or bind existing Cerebro accounts with corresponding ActiveDirectory credentials.

Binding credentials

If a user has separate accounts for Cerebro and for ActiveDirectory, you can bind them together. After that the Cerebro account gains some attributes of the domain account, such as the user’s name and e-mail, and the user will be able to log into Cerebro with the domain credentials.

To bind the accounts together, select the user from the list and switch their account type from Standard to ActiveDirectory as shown below.

_images/ldap_ad_users.png

You can hold the Ctrl key to select multiple accounts at once and switch them to AD-type accounts simultaneously.

After you change Cerebro account type, a new window will appear where you should select a corresponding domain account to bind it with.

_images/ldap_ad_adusers.png

The top checkbox filters ActiveDirectory accounts and displays only those that match with user profiles in Cerebro.

Adding New User Accounts

Run a corresponding wizard to add user accounts from ActiveDirectory.

_images/ldap_ad_add_users.png

On the first step you can select one or more user accounts which you want to add to Cerebro. The next steps are the same as those for creating new users from scratch. The difference is that when the wizard finds user profiles that match existing Cerebro user accounts (marked in blue), it offers to bind them together.

The ActiveDirectory users whose accounts have been added to Cerebro will be able to log into Cerebro using their ActiveDirectory credentials from now on.

If you want to disconnect an ActiveDirectory user account from its Cerebro counterpart, switch the Cerebro account type back to Standard.

7.3.4. Logging in Cerebro with domain credentials

Once you set up ActiveDirectory synchronization and added users to Cerebro, those users will be able to log into Cerebro using their domain account.

Logging in without entering a login and password is only possible if the user starts Cerebro from a Windows-based computer that is already logged into the domain network. This type of authentication is selected by clicking the ActiveDirectory authentication option on the Cerebro login screen (see the picture below).

_images/ldap_ad_login.png

In all other cases, i.e. when not logging into Cerebro from a domain network workstation, switch the authentication type to Login or E-mail and use your Cerebro login and password.