- The directory should be LDAPv3-compliant. See Certified Directories.
- The client from which the user logs on must be Windows, Linux, or UNIX (except IBM z/OS clients), and the system must be set up as shown in Working with Kerberos Authentication.
- Verify that the MechanismEnabled property is set to yes for the authentication mechanism (KRB5, SPNEGO, or LDAP) on the database, in Business Continuity Manager, if used, and on all clients that use the mechanism.
- Set the mechanism as the client default, or the user must select it at logon.
- The user must have LOGON ... WITH NULL PASSWORD privileges.
- The username must follow these requirements:
  - For Kerberos authentication, the authorized username must match a Teradata Vantage user having WITH NULL PASSWORD privileges, but the username does not have to be the same as the authenticated username for the user. If there is no authorization, the Kerberos username and Teradata Vantage name must match and be granted WITH NULL PASSWORD. See Logon Privileges.
  - For LDAP authentication, the directory user must be mapped to a database user having WITH NULL PASSWORD privileges.

  For username requirements, see the topics about logging on with Kerberos and LDAP authentication in Logging on to Teradata Vantage.
- Configure the authentication mechanism for directory authorization in the TdgssUserConfigFile.xml on all required databases, and in TdgssBcmConfig.xml on the Business Continuity Manager server, if used. See Changing the TDGSS Configuration.
- Configure the directory to map directory users to Teradata Vantage directory objects to define authorization criteria.