17.10 - Option 4: Lightweight LDAP Authorizations - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine; Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration; Security
Publication ID: B035-1100-171K
Language: English (United States)

Lightweight LDAP Authorizations let you use your existing directory service to authorize Teradata Vantage users without modifying your directory to include structures or entries from the Teradata schema extensions. Lightweight LDAP Authorizations map Vantage external roles to existing directory groups.

Advantages

  • Works with LDAPv3 compliant directory servers (LDAP and KRB5).
  • No Teradata Vantage infrastructure or objects need to be added to the customer directory server.
  • Because Teradata-specific entries are not required in the directory, you can manage your directory with standard directory management tools, such as Microsoft Management Console snap-ins.
  • There is no impact to your current LDAP configuration. If you previously configured Teradata-specific objects in your directory, you can continue to use that model; this new capability does not affect it.

    You cannot use both lightweight LDAP authorizations and Teradata-specific directory objects. To switch to lightweight authorizations, simply modify TdgssUserConfigFile.xml. You can leave your Teradata-specific objects in the directory, and optionally remove them after you are sure that lightweight authorizations meet the needs of your site.

Installs, Upgrades, and Backdown

Lightweight LDAP authorizations must be manually enabled on installs and upgrades. To enable them, include one or more AuthSearch elements in TdgssUserConfigFile.xml. For more information, see Setting Up Lightweight LDAP Authorizations.

To back down from Release 16.0 or higher to any pre-16.0 release, remove all software and perform a fresh install followed by a system initialization (sysinit).

To back down:

  1. Make a backup of the TdgssUserConfigFile.xml file.
  2. Edit TdgssUserConfigFile.xml to remove any edits that are not compatible with the target version.
  3. Run tdgsstestcfg to verify the new configuration is correct.

    For information about the tdgsstestcfg command, see Working with tdgsstestcfg.

  4. Run the run_tdgssconfig utility:

    /opt/teradata/tdgss/bin/run_tdgssconfig

  5. If run_tdgssconfig indicates that a TPA reset is needed, run tpareset to activate the changes to the TDGSS configuration:

    tpareset -f "use updated TDGSSCONFIG GDO"

Lightweight LDAP Authorization Modes and Compatibility

  • If you do not want to use lightweight LDAP authorizations, do not add <AuthSearch> to TdgssUserConfigFile.xml.
  • If you no longer want to use lightweight LDAP authorizations, remove <AuthSearch> from TdgssUserConfigFile.xml.
  • Pre-16.0 clients may connect to Teradata Database 16.0 or higher and Teradata Vantage using lightweight LDAP authorizations; any client that is compatible with the currently installed release of Teradata Vantage may use lightweight LDAP authorizations.
  • If the user is a member of multiple directory groups, all of those groups are included in the search result, and the group names identify the external roles the user can occupy.
  • If a user is not a member of any directory group, then no role is returned. The user is allowed to log on, but the user is not allowed to occupy external roles. This is equivalent to authentication-only logons.
  • If the user authentication fails, the logon fails.

Search Performance

The lightweight LDAP authorizations feature searches your LDAP directory for groups and maps them to Vantage external roles. For the most efficient searches, Teradata recommends limiting the scope of the directory search, for example by adjusting the search base and scope (onelevel vs. subtree). This is similar to how you optimize the scope of searches for users, as discussed in Optimizing Directory Searches.
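As an added illustration (not Teradata code, and not the AuthSearch syntax, which this page does not show), the following Python models the group search that lightweight authorizations performs over a constructed in-memory directory, so you can see how the search base and scope (onelevel vs. subtree) change which groups, and therefore which external roles, are returned, including the no-groups case that yields an authentication-only logon.

```python
# Added example: simulate a group search with LDAP scope semantics.
# The directory below is constructed for illustration; it maps each
# group DN to its member DNs (unescaped DNs only, for simplicity).
DIRECTORY = {
    "cn=finance_ro,ou=vantage,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
    "cn=hr_rw,ou=vantage,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
    ],
    "cn=all_staff,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
        "uid=carol,ou=people,dc=example,dc=com",
    ],
    "cn=legacy,ou=old,ou=vantage,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

def dn_parts(dn):
    """Split a DN into normalised RDNs (lowercase, whitespace trimmed)."""
    return [p.strip().lower() for p in dn.split(",")]

def in_scope(entry_dn, base, scope):
    """Apply LDAP search-scope semantics: base, onelevel or subtree."""
    e, b = dn_parts(entry_dn), dn_parts(base)
    # The entry must end with the base's RDNs to be under the base at all.
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False
    depth = len(e) - len(b)  # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: " + scope)

def external_roles(user_dn, base, scope, directory=DIRECTORY):
    """Return the external role names (group CNs) the user may occupy.
    An empty list means the user may log on but holds no external roles."""
    roles = []
    for group_dn, members in directory.items():
        if not in_scope(group_dn, base, scope):
            continue  # outside the configured search base/scope
        if user_dn.lower() in (m.lower() for m in members):
            roles.append(dn_parts(group_dn)[0].split("=", 1)[1])
    return sorted(roles)
```

Narrowing the base to the organisational unit that holds the Vantage groups and using onelevel excludes unrelated groups such as all_staff and nested legacy entries, which is the performance point made above.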