How to Configure LDAP Authentication in Teradata

To set up Lightweight Directory Access Protocol (LDAP) authentication for Teradata Database users against a Microsoft Active Directory domain, use the following procedure.

In the /opt/teradata/tdat/tdgss/site directory, edit the file TdgssUserConfigFile.xml and set the following properties of the LDAP mechanism to the values for your directory.

AuthorizationSupported="no"

LdapServerName=""

LdapServerPort="389"

LdapServerRealm=""

LdapSystemFQDN=""

LdapBaseFQDN=""

Example:

In the procedure examples, the Active Directory domain is test01.samba.net.

AuthorizationSupported="no"

LdapServerName="test01.samba.net"

LdapServerPort="389"

LdapServerRealm="samba.net"

LdapSystemFQDN=""

LdapBaseFQDN="OU=AXPC Users,DC=samba,DC=net"

Apply the changes by running the TDGSS configuration script as follows.

# cd /opt/teradata/tdgss/bin

# ./run_tdgssconfig

Test the configuration by running tdsbind, assuming a user test_ldap exists in Active Directory. Note that -w takes the password on the command line, so it is visible in the process list and the shell history; use a throw-away test account for this step.

# /opt/teradata/tdat/tdgss/14.10.03.01/bin/tdsbind -u test_ldap -w test_ldap

The output should be similar to the following. Note what it reveals: LdapClientUseTls is no, LdapClientTlsReqCert is never and LdapAllowUnsafeServerConnect is yes, so the bind to port 389 is not protected by TLS and the directory server's certificate is never checked. That is acceptable for a first test, but for production enable TLS (LDAPS or StartTLS) and require certificate verification before exposing real credentials.

LdapGroupBaseFQDN: OU=AXPC Users,DC=samba,DC=net

LdapUserBaseFQDN: OU=AXPC Users,DC=samba,DC=net

LdapSystemFQDN:

LdapServerName: test01.samba.net

LdapServerPort: 389

LdapServerRealm: samba.net

LdapClientUseTls: no

LdapClientTlsReqCert: never

LdapClientMechanism: SASL/DIGEST-MD5

LdapServiceBindRequired: no

LdapClientTlsCRLCheck: none

LdapAllowUnsafeServerConnect: yes

UseLdapConfig: no

AuthorizationSupported: no

FQDN: CN=test ldap ldap_test,OU=Anst,OU=AXPC Users,DC=samba,DC=net

AuthUser: ldap://test01.samba.net:389/CN=test%20ldap%20ldap_test,OU=Anst,OU=AXPC%20Users,DC=samba,DC=net

DatabaseName: ldap_test

Service: tdsbind

Restart the database (TPA) so that the updated TDGSS configuration GDO takes effect.

#tpareset -f "use updated TDGSSCONFIG GDO"

Create the same user in the Teradata Database as in Active Directory and allow it to log on without supplying a database password, as shown following.

CREATE USER test_ldap AS PERM=1000, PASSWORD=test_ldap;

GRANT LOGON ON ALL TO test_ldap WITH NULL PASSWORD;

If the user's password is changed in Active Directory, the new password must be supplied when connecting to Teradata in LDAP mode. In DEFAULT mode (native database authentication) the same user name still logs on with the password set in the database, so that database password remains a live credential: give it a strong value rather than the user name used in the example above.

Descriptions of the parameters in the file TdgssUserConfigFile.xml

AuthorizationSupported:

If Authorization is not Supported

If the AuthorizationSupported property of the LDAP mechanism is set to no, unmapped directory users whose user name matches a Teradata Database user name:

• can log on and be authenticated by the directory

• inherit all the database privileges of the matching database user

Directory users whose usernames are not duplicated in the database cannot access the database.

If Authorization is Supported

If the AuthorizationSupported property of the LDAP mechanism is set to yes, it is usually because at least some directory users are mapped to Teradata Database users, roles, or profiles. Directory users not mapped to a Teradata Database user can be mapped to the system-generated pseudo-user EXTUSER, which allows them limited database access privileges.

LdapServerName:

The LdapServerName tells TDGSS which directory server or servers can be used for authentication.

LdapServerPort:

This property identifies the port on which the directory server's LDAP service listens.

LdapServerRealm:

This property identifies the name of the SASL realm to be used by the directory server for authentication. Directory users logging on to Teradata Database must inhabit the realm specified in the logon string. Realm information comes from one of two sources:

• If the logon string does not specify a realm, then TDGSS uses the value of the LdapServerRealm property.

• If the logon string does specify a valid realm, that realm value will override the value of the LdapServerRealm property.

Note: This property is not considered if the directory uses non-SASL binding for user authentication.

LdapSystemFQDN:

This property identifies the fully qualified distinguished name (FQDN) of the directory object that contains the description of the Teradata Database server. This information helps to locate the system without resorting to a deep search of the directory.

LdapBaseFQDN:

The LdapBaseFQDN property contains the fully qualified distinguished name of a directory object that contains the User and Group objects, allowing them to be easily located. It constitutes the search base for objects relevant to the Teradata configuration.

Note: This property is deprecated in favor of the LdapGroupBaseFQDN and LdapUserBaseFQDN properties. If either LdapGroupBaseFQDN or LdapUserBaseFQDN is set (preferred), that value replaces LdapBaseFQDN for its object type. Until they are configured, the value of LdapBaseFQDN serves as the default for both LdapGroupBaseFQDN and LdapUserBaseFQDN.
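The following script is an added example, not part of the original page and not Teradata's own tooling. It parses the Key: value lines that tdsbind prints (the sample embedded below is constructed from the tdsbind output shown earlier in this procedure), resolves the effective user/group search bases and realm using the fallback rules just described for LdapBaseFQDN and LdapServerRealm, and flags the settings in that output that leave the directory bind unprotected. The property names are the ones tdsbind prints; the judgements, the hardened target values (LDAPS on 636, LdapClientTlsReqCert=demand, a simple bind) and the logon-realm example are this example's own assumptions.

```python
"""Audit tdsbind output for settings that weaken LDAP authentication.

Added example, not Teradata's tooling. Property names are those tdsbind
prints; the findings and hardened target values are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the tdsbind output shown on this page, embedded so the
# script runs offline. Real use: tdsbind ... | python3 audit_tdsbind.py
SAMPLE_TDSBIND_OUTPUT = """\
LdapGroupBaseFQDN: OU=AXPC Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=AXPC Users,DC=samba,DC=net
LdapSystemFQDN:
LdapServerName: test01.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientUseTls: no
LdapClientTlsReqCert: never
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
UseLdapConfig: no
AuthorizationSupported: no
FQDN: CN=test ldap ldap_test,OU=Anst,OU=AXPC Users,DC=samba,DC=net
AuthUser: ldap://test01.samba.net:389/CN=test%20ldap%20ldap_test,OU=Anst,OU=AXPC%20Users,DC=samba,DC=net
DatabaseName: ldap_test
Service: tdsbind
"""

_LINE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tdsbind(text: str) -> Dict[str, str]:
    """Turn `Key: value` lines into a dict. Empty values (LdapSystemFQDN:) stay ''."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_bases(props: Dict[str, str]) -> Tuple[str, str]:
    """(user base, group base): LdapUserBaseFQDN/LdapGroupBaseFQDN when set,
    otherwise the deprecated LdapBaseFQDN, as the parameter description states."""
    base = props.get("LdapBaseFQDN", "")
    return (props.get("LdapUserBaseFQDN") or base,
            props.get("LdapGroupBaseFQDN") or base)


def effective_realm(props: Dict[str, str], logon_realm: Optional[str] = None) -> str:
    """A realm given in the logon string overrides LdapServerRealm."""
    return logon_realm or props.get("LdapServerRealm", "")


def audit(props: Dict[str, str]) -> List[str]:
    """One finding per setting that leaves the directory bind unprotected."""
    findings: List[str] = []
    ldaps = props.get("LdapServerName", "").lower().startswith("ldaps://")
    starttls = props.get("LdapClientUseTls", "").lower() == "yes"
    if not (ldaps or starttls):
        findings.append("no TLS: LdapClientUseTls=no and LdapServerName is not an ldaps:// "
                        "URL, so the bind to port %s travels in the clear"
                        % props.get("LdapServerPort", "?"))
    reqcert = props.get("LdapClientTlsReqCert", "").lower()
    if reqcert and reqcert not in ("demand", "hard"):
        findings.append("LdapClientTlsReqCert=%s: the directory server's certificate is "
                        "not verified, so a rogue server can harvest credentials" % reqcert)
    if props.get("LdapAllowUnsafeServerConnect", "").lower() == "yes":
        findings.append("LdapAllowUnsafeServerConnect=yes: a non-TLS connection to the "
                        "directory is permitted")
    mech = props.get("LdapClientMechanism", "")
    if "DIGEST-MD5" in mech.upper():
        findings.append("%s: DIGEST-MD5 is deprecated (RFC 6331); use a simple bind "
                        "inside TLS instead" % mech)
    return findings


def hardened(props: Dict[str, str]) -> Dict[str, str]:
    """Same properties with the weak values replaced. Target values are this
    example's assumption: LDAPS on 636, certificate verification required."""
    host = re.sub(r"^ldaps?://", "", props.get("LdapServerName", ""))
    fixed = dict(props)
    fixed.update({"LdapServerName": "ldaps://" + host, "LdapServerPort": "636",
                  "LdapClientTlsReqCert": "demand", "LdapAllowUnsafeServerConnect": "no",
                  "LdapClientMechanism": "simple"})
    return fixed


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TDSBIND_OUTPUT
    p = parse_tdsbind(text)
    print("user base: %s\ngroup base: %s\nrealm: %s" % (*effective_bases(p), effective_realm(p)))
    for f in audit(p):
        print("WARN:", f)
```

Run it with the page's sample and it reports four warnings (no TLS, certificate never verified, unsafe connect allowed, DIGEST-MD5); run it on the output of `hardened()` and it reports none. Piping the live tdsbind output into the script lets you re-check a node after editing TdgssUserConfigFile.xml and running run_tdgssconfig.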