17.10 - Setting Up Lightweight LDAP Authorizations - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

Prerequisites

  • LDAPv3 compliant directory server, either LDAP or KRB5. See About Certified Directories.
  • External roles defined in Teradata Vantage. See Creating and Dropping External Roles.
    The user does not need to belong to the roles in the database. However, the directory user needs to belong to a group that maps to a role. That gives the user the permission to occupy the role via SET ROLE <extrolename>.
  • Group entries in the directory which correspond to the external roles.

Setting Up the Teradata Vantage Server to use Lightweight Authorizations

  1. On the Vantage node with the lowest ID number, navigate to the directory where TdgssUserConfigFile.xml is located:
    cd /opt/teradata/tdat/tdgss/site
  2. Make a backup copy of TdgssUserConfigFile.xml.
  3. Edit TdgssUserConfigFile.xml to allow TDGSS to search the directory for group-like entries:
    1. Set AuthorizationSupported to yes.
    2. Set AuthenticationSupported to yes.
    3. Add an <AuthSearch> section.

      The <AuthSearch> section goes in the <Canonicalizations> area of the <LdapConfig> section or as a child of the <MechanismProperties> element. In both cases, <AuthSearch> is a sibling of <IdentitySearch> and <IdentityMap> elements.

      For example:

      Mechanism Name="ldap">    
         <MechanismProperties       
              AuthenticationSupported="yes"       
              AuthorizationSupported="yes"       
              LdapBaseFQDN="dc=example,dc=com"        
              … />
         <AuthSearch    
              Ref="service-id"    
              Base="search-base"    
              Scope="{onelevel|subtree}"    
              MemberAttribute="member-attribute-name"    
              ObjectClass="object-class-name"    
              NamingAttribute="naming-attribute-name"      
              <AuthSearchMap Match="regex" Pattern="pattern"/>
          />
      </Mechanism>

      See <AuthSearch> for details about each element.

  4. Verify the configuration is correct:
    1. Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Run the tdgssauth utility to test the new configuration before you commit the changes to the TDGSSCONFIG GDO.

      See Working with tdgssauth.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  5. Update TDGSSCONFIG.GDO. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig