A script synchronizes user accounts in the Cerebro database via LDAP. The Cargador service runs it at set time intervals. The synchronization process uses an external directory to copy the main user attributes, such as:
- Email address;
- Globally unique user security identifier (SID). It is the primary key for the database record.
Cargador launches the script periodically. The script can be run in any supported environment.
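The following added example (not Cerebro's own synchronization script) shows how the two attributes listed above can be read from a directory entry. It assumes the directory is Active Directory, which returns `objectSid` as a binary value, and that the entry has the shape python-ldap returns (attribute name mapped to a list of bytes). The record field names and the sample entry are constructed for illustration.

```python
import struct


def sid_to_string(raw: bytes) -> str:
    """Convert a binary objectSid value to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision: %d" % revision)
    if count > 15:
        raise ValueError("too many sub-authorities: %d" % count)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    # Identifier authority: 6 bytes, big-endian.
    authority = int.from_bytes(raw[2:8], "big")
    # Sub-authorities: 32-bit unsigned, little-endian.
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def build_record(entry: dict) -> dict:
    """Map one directory entry to a user record keyed by SID.

    The "sid" and "email" field names are hypothetical, not Cerebro's schema.
    """
    values = entry.get("objectSid")
    if not values:
        # The SID is the primary key, so an entry without one cannot be stored.
        raise ValueError("entry has no objectSid")
    sid = sid_to_string(values[0])
    email = entry.get("mail", [b""])[0].decode("utf-8")
    return {"sid": sid, "email": email}


# Constructed sample data: a made-up domain SID and mail address.
SAMPLE_SID = (
    b"\x01\x05"
    + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1105)
)
SAMPLE_ENTRY = {"objectSid": [SAMPLE_SID], "mail": [b"artist@example.com"]}

if __name__ == "__main__":
    print(build_record(SAMPLE_ENTRY))
```

Rejecting a truncated or malformed `objectSid` before it reaches the database matters here because the SID is the primary key of the user record.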
If a user works under an Active Directory account, the Cerebro client retrieves their SID and sends it to the database as the login. This method is convenient but insecure, because a user's SID is not confidential. We recommend using this method only in a trusted LAN (or VPN).
You may restrict authentication methods by IP masks with Host-based Authentication (see: “Configuration of Host-based Database Authentication”).
If users log into Cerebro without Active Directory (working from home, or on Linux), they can still log in with their domain credentials. In this case, the Cerebro database attempts to authenticate using LDAP (bind_s method). Because a login to Cerebro can trigger a login to LDAP, it is recommended to have a stable connection between the domain controller and the Cerebro database.