The <LdapConfig> section must contain at least:
- One <Service>
- One canonicalization, that is, one <IdentityMap> or <IdentitySearch> element

1. Create the <LdapConfig> section by adding the following elements to TdgssUserConfigFile.xml. The <LdapConfig> section must directly follow the <Mechanisms> section and be at the same level as the <Mechanisms> section. For example:

<LdapConfig>
  <Services>
    <Service ...
    </Service>
    <Service ...
    </Service>
    <Service ...
    </Service>
  </Services>
  <Canonicalizations>
    ...
  </Canonicalizations>
</LdapConfig>
2. Add the optional <Tls> protection section as the first element of the configuration. This section is the global default for all configured services. For example:

<LdapConfig>
  <!-- The default TLS configuration goes here. -->
  <Tls LdapClientTlsCACertDir="/etc/ssl/certs"
       LdapClientTlsReqCert="allow"
       LdapClientTlsCACert="/etc/ssl/certs.pem"
       LdapClientTlsCert="/etc/ssl/certs/client.pem"
       LdapClientTlsKey="/etc/ssl/certs/key.pem"
       LdapClientTlsRandFile="/dev/random"
       LdapClientTlsCipherSuite="!LOW"/>
  ...
</LdapConfig>
If the TLS requirements vary among directory services, you can configure TLS separately for each <Service>, as shown in a following step. Also see Using TLS with a Directory Server. The settings for a service override the global settings.

3. Use the tdspasswd tool to generate an encrypted password for the private key file.

# tdspasswd -s svc.div1root
Enter New password:
Confirm New password:
ASfb+l7norNgJHZZBufEmRS=

where svc.div1root is the value specified for the Id property in the <Service> configuration.

When prompted by the tool, enter a password. The tool generates an encrypted version of the password, for example: ASfb+l7norNgJHZZBufEmRS=
4. Configure a <Service> element for each directory service. For example:

<Services>
  <Service Id="svc.div1root"
           LdapServerName="ldap://div1root/ ldap://tdgss/ ldap://wave/"
           LdapBaseFQDN="dc=div1rootdom,dc=div1dev,dc=corp"
           LdapSystemFQDN="cn=end2end,cn=tdat,dc=div1rootdom,dc=div1dev,dc=corp"
           LdapServicePassword="password"
           LdapClientUseTls="no"
           LdapClientMechanism="simple">
    <!-- Overrides to the default TLS configuration go here. -->
    <Tls LdapClientTlsReqCert="demand"
         LdapClientTlsCert="/home/mycert"/>
  </Service>
  <Service ...
  </Service>
</Services>
Property: Id="svc.div1root"
Description: Uniquely names a directory service.

Property: LdapServerName= ... LdapClientMechanism=
Description: The list of LDAP properties that are required for the service, according to site needs. You only need to include properties with non-default values.

Property: LdapServicePassword="password"
Description: Set this property to the encrypted password created in step 3.

Property: <Tls LdapClientTlsReqCert="demand" LdapClientTlsCert="/home/mycert"/>
Description: [Optional] TLS sub-section that contains values to override the defaults in the main TLS section, for this service only.
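The procedure above states three rules that are easy to get wrong by hand: <LdapConfig> must directly follow <Mechanisms>, it needs at least one <Service> and one canonicalization, and a service's own <Tls> attributes override the global <Tls> defaults attribute by attribute. The following script is an added example, not Teradata's tooling, that parses a TdgssUserConfigFile.xml, checks those rules, computes the effective TLS settings per service, and flags two configurations a reviewer would want to see: a simple bind with LdapClientUseTls="no" (the bind password travels in cleartext) and a TLS-enabled service whose effective LdapClientTlsReqCert is not "demand". It assumes the element names used on this page, the unspaced spellings IdentityMap and IdentitySearch for the canonicalization elements, and that LdapClientTlsReqCert takes OpenLDAP's TLS_REQCERT values, of which only "demand" and "hard" reject an unverifiable server certificate; the sample XML is constructed from the page's own example with placeholder values.

```python
"""Audit the <LdapConfig> section of a TdgssUserConfigFile.xml (added example, not Teradata code).
Assumes the element names on the page, the unspaced spellings IdentityMap/IdentitySearch,
and OpenLDAP TLS_REQCERT semantics for LdapClientTlsReqCert."""
import xml.etree.ElementTree as ET

CANONICALIZATIONS = ("IdentityMap", "IdentitySearch")  # assumed element names
STRICT_REQCERT = ("demand", "hard")                    # values that fail on a bad server cert

# Constructed sample modelled on the page's example; every value is a placeholder.
SAMPLE_XML = """<Config>
  <Mechanisms/>
  <LdapConfig>
    <Tls LdapClientTlsCACertDir="/etc/ssl/certs" LdapClientTlsReqCert="allow"/>
    <Services>
      <Service Id="svc.div1root" LdapServerName="ldap://div1root/ ldap://tdgss/"
               LdapSystemFQDN="cn=end2end,cn=tdat,dc=div1rootdom,dc=div1dev,dc=corp"
               LdapServicePassword="ASfb+l7norNgJHZZBufEmRS="
               LdapClientUseTls="no" LdapClientMechanism="simple">
        <Tls LdapClientTlsReqCert="demand" LdapClientTlsCert="/home/mycert"/>
      </Service>
      <Service Id="svc.other" LdapServerName="ldap://other/" LdapClientUseTls="yes"/>
    </Services>
    <Canonicalizations><IdentityMap Name="map1"/></Canonicalizations>
  </LdapConfig>
</Config>
"""


def find_ldap_config(root):
    """Locate <LdapConfig> as a direct child of the root and check it directly follows <Mechanisms>."""
    findings = []
    ldap_config = root.find("LdapConfig")            # direct children only
    if ldap_config is None:
        nested = root.find(".//LdapConfig")
        findings.append("<LdapConfig> is nested inside another element" if nested is not None
                        else "no <LdapConfig> section found")
        return None, findings
    siblings = list(root)
    idx = siblings.index(ldap_config)
    if idx == 0 or siblings[idx - 1].tag != "Mechanisms":
        findings.append("<LdapConfig> must directly follow <Mechanisms> at the same level")
    return ldap_config, findings


def check_contents(ldap_config):
    """Minimum-content rules: global <Tls> first, at least one <Service>, at least one canonicalization."""
    findings = []
    tls = ldap_config.find("Tls")
    if tls is not None and list(ldap_config)[0] is not tls:
        findings.append("global <Tls> should be the first element of <LdapConfig>")
    if not ldap_config.findall("Services/Service"):
        findings.append("<LdapConfig> needs at least one <Service>")
    if not [c for c in ldap_config.findall("Canonicalizations/*") if c.tag in CANONICALIZATIONS]:
        findings.append("<LdapConfig> needs at least one <IdentityMap> or <IdentitySearch>")
    return findings


def effective_tls(ldap_config, service):
    """Global <Tls> attributes, overridden attribute by attribute by the service's own <Tls>."""
    merged = {}
    for element in (ldap_config.find("Tls"), service.find("Tls")):
        if element is not None:
            merged.update(element.attrib)               # the later (service) values win
    return merged


def check_service(ldap_config, service):
    """Flag cleartext simple binds and non-strict certificate checking for one <Service>."""
    sid = service.get("Id") or "<no Id>"
    findings = [] if service.get("Id") else ["a <Service> has no Id attribute"]
    urls = service.get("LdapServerName", "").split()
    # An unset LdapClientUseTls is treated as "no" (conservative; the real default is not on the page).
    tls_in_use = service.get("LdapClientUseTls", "no").lower() == "yes" or (
        bool(urls) and all(u.lower().startswith("ldaps://") for u in urls))
    mechanism = service.get("LdapClientMechanism", "simple").lower()
    if not tls_in_use and mechanism == "simple":
        findings.append(f"{sid}: simple bind without TLS sends the bind password in cleartext")
    reqcert = effective_tls(ldap_config, service).get("LdapClientTlsReqCert", "<unset>")
    if tls_in_use and reqcert.lower() not in STRICT_REQCERT:
        findings.append(f"{sid}: effective LdapClientTlsReqCert={reqcert!r} does not reject a bad server certificate")
    return findings


def audit(xml_text):
    """Return {'findings': [...], 'services': {Id: effective TLS attributes}} for one config file."""
    root = ET.fromstring(xml_text)
    ldap_config, findings = find_ldap_config(root)
    report = {"findings": findings, "services": {}}
    if ldap_config is None:
        return report
    findings.extend(check_contents(ldap_config))
    for service in ldap_config.findall("Services/Service"):
        findings.extend(check_service(ldap_config, service))
        report["services"][service.get("Id") or "<no Id>"] = effective_tls(ldap_config, service)
    return report


if __name__ == "__main__":
    for line in audit(SAMPLE_XML)["findings"]:
        print("FINDING:", line)
```

Run against the sample, the script reports that svc.div1root binds in cleartext (LdapClientUseTls="no" with a simple bind, even though its own <Tls> override sets "demand") and that svc.other inherits the global LdapClientTlsReqCert="allow", so it would accept an unverifiable server certificate. Point it at the real file with `audit(open(path).read())`; the per-service dictionary in the report is the merged view of the global and service <Tls> settings that the page describes.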