To set up Lightweight Directory Access Protocol (LDAP) authentication for Teradata against Microsoft Active Directory on Windows, use the following procedure.
In the /opt/teradata/tdat/tdgss/site directory, edit the file TdgssUserConfigFile.xml. Change the following parameters to match your LDAP environment.
AuthorizationSupported="no"
LdapServerName=""
LdapServerPort="389"
LdapServerRealm=""
LdapSystemFQDN=""
LdapBaseFQDN=""
Example:
In the procedure examples, the Active Directory domain is test01.samba.net.
AuthorizationSupported="no"
LdapServerName="test01.samba.net"
LdapServerPort="389"
LdapServerRealm="samba.net"
LdapSystemFQDN=""
LdapBaseFQDN="OU=AXPC Users,DC=samba,DC=net"
Apply the changes by running the TDGSS configuration utility as follows.
#cd /opt/teradata/tdgss/bin
#./run_tdgssconfig
Test the configuration by running the following command. This assumes that a user named test_ldap has been created in Active Directory.
# /opt/teradata/tdat/tdgss/14.10.03.01/bin/tdsbind -u test_ldap -w test_ldap
The output should be similar to the following.
LdapGroupBaseFQDN: OU=AXPC Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=AXPC Users,DC=samba,DC=net
LdapSystemFQDN:
LdapServerName: test01.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientUseTls: no
LdapClientTlsReqCert: never
LdapClientMechanism: SASL/DIGEST-MD5
LdapServiceBindRequired: no
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
UseLdapConfig: no
AuthorizationSupported: no
FQDN: CN=test ldap ldap_test,OU=Anst,OU=AXPC Users,DC=samba,DC=net
AuthUser: ldap://test01.samba.net:389/CN=test%20ldap%20ldap_test,OU=Anst,OU=AXPC%20Users,DC=samba,DC=net
DatabaseName: ldap_test
Service: tdsbind
Restart TPA using the following command.
#tpareset -f "use updated TDGSSCONFIG GDO"
Create the same user in the Teradata database as in Active Directory. Create the test_ldap user in the database as follows.
CREATE USER test_ldap AS PERM=1000, PASSWORD=test_ldap;
GRANT LOGON ON ALL TO test_ldap WITH NULL PASSWORD;
If you change the password of your LDAP user in Active Directory, supply the new password when connecting to Teradata in LDAP mode. In DEFAULT mode, you still connect to Teradata with the LDAP user name and whichever password you set for that user in the database.
Descriptions of the parameters in the file TdgssUserConfigFile.xml
AuthorizationSupported:
If Authorization is not Supported
If the AuthorizationSupported property of the LDAP mechanism is set to no, un-mapped directory users having a username that matches a Teradata Database username:
• can log on and be authenticated by the directory
• inherit all the database privileges of the matching database user
Directory users whose usernames are not duplicated in the database cannot access the database.
If Authorization is Supported
If the AuthorizationSupported property of the LDAP mechanism is set to yes, it is usually because at least some directory users are mapped to Teradata Database users, roles, or profiles. Directory users not mapped to a Teradata Database user can be mapped to the system-generated pseudo-user EXTUSER, which allows them limited database access privileges.
LdapServerName:
The LdapServerName tells TDGSS which directory server or servers can be used for authentication.
LdapServerPort:
This property identifies the port on which the directory server provides the LDAP service.
LdapServerRealm:
This property identifies the name of the SASL realm to be used by the directory server for authentication. Directory users logging on to Teradata Database must inhabit the realm specified in the logon string. Realm information comes from one of two sources:
• If the logon string does not specify a realm, then TDGSS uses the value of the LdapServerRealm property.
• If the logon string does specify a valid realm, that realm value will override the value of the LdapServerRealm property.
Note: This property is not considered if the directory uses non-SASL binding for user authentication.
LdapSystemFQDN:
This property identifies the fully qualified distinguished name (FQDN) of the directory object that contains the description of the Teradata Database server. This information helps to locate the system without resorting to a deep search of the directory.
LdapBaseFQDN:
The LdapBaseFQDN property contains the fully qualified distinguished name of a directory object that contains the User and Group objects, allowing them to be easily located. It constitutes the search base for objects relevant to the Teradata configuration.
Note: This property is deprecated in favor of the LdapGroupBaseFQDN and LdapUserBaseFQDN properties. If either LdapGroupBaseFQDN or LdapUserBaseFQDN is set (preferred), it replaces LdapBaseFQDN. The value of LdapBaseFQDN serves as the default value for LdapGroupBaseFQDN and LdapUserBaseFQDN until they are configured.
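The following Python script is an added illustration, not Teradata code: it parses the tdsbind output shown earlier and models the rules just described (the LdapBaseFQDN default for the two search bases, the realm precedence for SASL binds, and which database identity a directory user receives under AuthorizationSupported). The sample output and the mappings dictionary are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample input: the tdsbind output from the procedure above.
TDSBIND_OUTPUT = """\
LdapGroupBaseFQDN: OU=AXPC Users,DC=samba,DC=net
LdapUserBaseFQDN: OU=AXPC Users,DC=samba,DC=net
LdapServerName: test01.samba.net
LdapServerPort: 389
LdapServerRealm: samba.net
LdapClientMechanism: SASL/DIGEST-MD5
AuthorizationSupported: no
FQDN: CN=test ldap ldap_test,OU=Anst,OU=AXPC Users,DC=samba,DC=net
AuthUser: ldap://test01.samba.net:389/CN=test%20ldap%20ldap_test,OU=Anst,OU=AXPC%20Users,DC=samba,DC=net
DatabaseName: ldap_test
"""

def parse_tdsbind(text):
    """Turn 'Key: value' lines into a dict (value is split at the first colon only)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def authuser_matches_fqdn(cfg):
    """AuthUser is an LDAP URL whose path is the percent-encoded DN; it must equal FQDN."""
    dn_part = cfg["AuthUser"].split("/", 3)[3]
    return unquote(dn_part) == cfg["FQDN"]

def effective_search_bases(cfg):
    """LdapBaseFQDN is only a default; LdapUserBaseFQDN / LdapGroupBaseFQDN win when set."""
    base = cfg.get("LdapBaseFQDN", "")
    return (cfg.get("LdapUserBaseFQDN") or base, cfg.get("LdapGroupBaseFQDN") or base)

def effective_realm(cfg, logon_realm=None):
    """A realm in the logon string overrides LdapServerRealm; neither applies to non-SASL binds."""
    if not cfg.get("LdapClientMechanism", "").startswith("SASL/"):
        return None
    return logon_realm or cfg.get("LdapServerRealm", "")

def database_identity(cfg, directory_user, db_users, mappings=None):
    """Database user a directory user becomes under the AuthorizationSupported rules."""
    # mappings (hypothetical): directory user -> mapped database user when authorization is on.
    if cfg.get("AuthorizationSupported", "no") == "yes":
        return (mappings or {}).get(directory_user, "EXTUSER")
    # Authorization not supported: only a name that also exists in the database can log on.
    return directory_user if directory_user in db_users else None
```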