17.10 - Configuring TDGSS - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

After verifying that the SRV RR service name for the GC can find the GC servers for a site, configure the LdapServerName property with the SRV RR service name for the site, for example:

<Mechanism Name="ldap">

    <MechanismProperties
        MechanismEnabled="yes"
        AuthorizationSupported="no"
        ...
        LdapClientMechanism="simple"
        LdapServerName="_ldap._tcp.SanDiegoHQ._sites.rootdomain.com"
        LdapServerPort="0"
        ...
        />

    </Mechanism>
You can configure other properties for the LDAP mechanism, if needed. For instructions, see Changing the TDGSS Configuration.
Configuration Option Description
<Mechanism Name="ldap"> Site awareness requires directory authentication of the user, using the LDAP mechanism.
MechanismEnabled="yes" The LDAP mechanism must be enabled.
AuthorizationSupported="no" Site awareness functions whether or not the directory authorizes the user.
LdapClientMechanism="simple" The example is for a system using simple binding.

Site awareness also supports DIGEST-MD5 binding.

The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.
LdapServerName="_ldap._tcp.SanDiegoHQ._sites.rootdomain.com" This setting requires a DNS SRV RR formatted site name, which identifies the local GC directories available to authenticate the user.

When you configure the LdapServerName property for GC site awareness, LDAP selects a directory at random from among the available GC directories for the site.