TDGSS LdapServicePasswordFile Property

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

The value of LdapServicePasswordFile names a file containing a list of encrypted passwords. Using a password file allows you to change the LDAP service password without requiring a restart of the database SQL Engine system. By storing multiple passwords, the file enables LDAP logons during the period of transition between old and new passwords.

The LdapServicePasswordFile property can be added to either of these locations:
  • Service element in the LdapConfig section of the TDGSS user configuration file
  • MechanismProperties element under Mechanism Name="mechanism" for the LDAP and KRB5 mechanisms on the server side (SQL Engine or Unity) of TDGSS

Valid Settings

  Setting        Description
  ""             No LDAP service password file is specified. This feature is disabled.
  A file name    The fully qualified path and file name of the LDAP service password file.

Editing Guidelines

  • To set a value, you must manually add this property to the TDGSS configuration file on needed mechanisms. See About Editing Configuration Files.
  • Edit this property on the database and on Unity, if used. Also see Coordinating Mechanism Property Values for Unity.
  • If you use the LdapServicePasswordFile property, the LdapServicePassword and LdapServicePasswordProtected properties are ignored, and passwords are read exclusively from the password file.

LDAP Service Password File

Use the LDAP service password file to enable changing the LDAP service password without the need for a database system restart. The file contains a list of encrypted passwords, one per line. When you want to change the password, add the new password to the top of the list in the file, leaving, at a minimum, the previous password listed on the second line.

After you have updated the password file on all nodes, you can change the actual service password in the directory server.

If an attempted LDAP logon fails, Vantage reads the passwords in the password file and tries each one in turn. Keeping the old password in the file and trying every listed password tolerates slight delays in distributing the updated password file to every system node.

Encrypting the Passwords

Passwords listed in the LDAP service password file must be encrypted using the tdspasswd command-line utility:
  1. At the Vantage system console command prompt, enter:
    $ tdspasswd -m mechanism

    where mechanism is the authentication mechanism, ldap or krb5.

  2. The system prompts you to enter the new password.
    Enter New password:
    Confirm New password:
    The system does not display the password when you enter it.
  3. After the system confirms the new password, it generates and displays an encrypted version of the password, for example:
    $ tdspasswd -m ldap
    Enter New password:
    Confirm New password:
    AV8Jeq2cvjmAjiHgcSrAUoE=
    $
  4. Copy the encrypted new password to the first line of the LDAP service password file.
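The file update in step 4, as an added shell example rather than a Teradata utility: it places the new tdspasswd output on line 1 while keeping the previous entry (or more, with the optional third argument) below it, so both passwords are tried during the transition. The function name, the temporary-file naming and the 0600 file mode are assumptions; the page does not specify a required mode.

```shell
#!/bin/sh
# Added example: prepend a tdspasswd-encrypted string to the LDAP service
# password file, keeping the previous entries so old and new passwords are
# both available to logons during the changeover.
# Usage: rotate_ldap_pwfile <password-file> <encrypted-string> [keep]
#   keep = number of earlier lines to retain after the new one (default 1)
rotate_ldap_pwfile() {
    pwfile=$1
    newpw=$2
    keep=${3:-1}

    # tdspasswd prints a single token; reject empty or whitespace-containing input.
    case $newpw in
        ''|*[[:space:]]*) echo "rotate_ldap_pwfile: bad encrypted string" >&2; return 1 ;;
    esac

    # Write to a temp file created with restrictive permissions (assumed 0600)
    # before any password material lands on disk, then rename atomically.
    tmp="$pwfile.tmp.$$"
    old_umask=$(umask)
    umask 077
    printf '%s\n' "$newpw" > "$tmp" || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    # Retain the previous $keep non-empty lines (at least the former current
    # password), skipping any line identical to the new string to avoid duplicates.
    if [ -f "$pwfile" ]; then
        grep -F -x -v -e "$newpw" "$pwfile" | grep -v '^[[:space:]]*$' \
            | head -n "$keep" >> "$tmp"
    fi

    mv -f "$tmp" "$pwfile"
}
```

After running it, copy the file to every node and only then change the password in the directory server.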

Usage Notes for the LDAP Service Password File

  • If your site locks accounts after a number of failed logon attempts, the LDAP service account could become unusable due to what the directory would see as consecutive logon failures from nodes that try the old password before they have received and processed the updated password file. If you cannot raise the limit on failed logon attempts for the service account (LdapServiceFQDN), one or more manual unlocks of the account may be required during the password change process.

    If possible, disable any account lockout requirements on the service account before you reset the password. Then reset the password and direct LDAP logons to every node. This causes the new password to be picked up and used by every node. After that, re-establish the lockout requirements on the service account.

  • Use a tool like pcl (a PDE tool) to propagate changes to the LDAP service password file to all nodes.