17.10 - Setting Up Directory Authentication and Authorization - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)
  1. Enable external authentication in the database. See About External Authentication Controls.
    • For the Vantage nodes with gateway installed, run:
      gtwcontrol -a ON
    • And, on all Vantage nodes, run dbscontrol and enter m g 26 0
      dbscontrol m g 26 0
  2. Grant external authentication privileges to the matching database users. See About External Authentication Requirements.
  3. Verify that the TdgssUserConfigFile.xml contains the following settings. Run dumpcfg to view the TDGSS configuration.
    • MechanismEnabled = “yes” (on both the server and clients)
    • AuthorizationSupported = “yes” (on all database nodes)

      If AuthorizationSupported is not set to yes, the directory user can only have the database privileges available to the matching database username.

  4. (Optional) To use auto provisioning enable the DBSControl AutoProvision parameter.
    dbscontrol m g 81 T
  5. Configure the required LDAP mechanism properties in the TdgssUserConfigFile.xml. See Directory Identification and Search Properties:
    • LdapServerName
    • LdapServerRealm (on some systems)
  6. Complete edits for the TdgssUserConfigFile.xml and enable them on the systems. The changes are made in the are made in the TDGSS site directory. See Changing the TDGSS Configuration. For database nodes, perform the steps in Making Changes to TdgssUserConfigFile.xml on Database Nodes.
  7. To configure Unity servers, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523.
  8. Set the LDAP mechanism as the default on all affected clients, or instruct users to specify the LDAP mechanism in the logon string. See the appropriate TTU client guide for how to configure a default mechanism for your client.
  9. Use the logon format for LDAP authentication. See Logging on Using LDAP Authentication and Authorization.