17.10 - Editing TdgssUserConfigFile.xml for Service Binds - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

You must edit the TdgssUserConfigFile.xml to enable service binds.

The following procedure includes steps that generates an encrypted version of the service password for use in configuring the TdgssUserConfigFile.xml, which avoids storing the value of LdapServicePassword property in plain text.
  1. Modify the TdgssUserConfigFile.xml and set the LdapServiceFQDN property with the bind account DN.
  2. Update TDGSSCONFIG.GDO. Run:
    run_tdgssconfig
  3. Generate a protected password using the tdspasswd command:
    1. At the Teradata command prompt, enter:
      $ tdspasswd -m mechanism

      where mechanism is the authentication mechanism for which you are editing the TdgssUserConfigFile.xml; for example, ldap.

    2. The system prompts you to enter the new password.
      Enter New password:
      Confirm New password:
      The system does not display the password when you enter it.
    3. After the system confirms the new password, it generates and displays an encrypted version of the password, for example:
      $ tdspasswd -m ldap
      Enter New password:
      Confirm New password:
      AV8Jeq2cvjmAjiHgcSrAUoE=
      $
      Only the mechanism you specify in the -m option can use the encrypted password, and only for service binds.
    If the LdapServiceFQDN bind account DN is changed, the above steps must be run again, even if the bind account plain text password remains the same.
  4. Edit the mechanism to specify a service user and password for the service bind:
    <Mechanism Name="ldap">
       <MechanismProperties
            ...
         LdapServiceBindRequired="yes"
         LdapServiceFQDN="cn=service_id,ou=services,dc=domain,dc=com"
         LdapServicePassword="encrypted_password"
         LdapServicePasswordProtected="yes"
            ...
            />
    </Mechanism>
    The LdapServicePasswordProtected property is only an indicator of password protection status, and does not enable the protection.
    service_id
    The CN of the service user object in the directory.
    encrypted_password
    The encrypted password generated in step 1c (sub-step c of step 1.).
  5. Verify the configuration is correct:
    1. Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Run a utility, such as tdgssauth, to test the new configuration before you commit the changes to the TDGSSCONFIG GDO.

      See Working with tdgssauth.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  6. Run the run_tdgssconfig utility to send the changes to the TDGSSCONFIG GDO:
    run_tdgssconfig
  7. If run_tdgssconfig indicates that a TPA reset is required, then run tpareset from the Teradata Vantage node with the lowest ID number, to activate the changes to the TDGSS configuration.
    tpareset “use updated TDGSSCONFIG GDO”
  8. Repeat this procedure on the Teradata Unity server, if used. For information about Unity, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523 and Teradata® Unity™ User Guide, B035-2520.
Service binds configured for LDAP apply it to all external authentication mechanisms.