Kerberos and LDAP Authentication Requirements | Teradata Vantage - Kerberos or LDAP Authentication with Directory Authorization - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

  • The directory should be LDAPv3-compliant. See Certified Directories.
  • The client from which the user logs on must be Windows, Linux, or UNIX (except IBM z/OS clients), and the system must be set up as shown in Working with Kerberos Authentication.
  • Verify that the MechanismEnabled property is set to yes for the authentication mechanism (KRB5, SPNEGO, or LDAP) on the database, in Business Continuity Manager, if used, and on all clients that use the mechanism.
  • Set the mechanism as the client default, or the user must select it at logon.
  • The user must have LOGON ... WITH NULL PASSWORD privileges.
  • The username must follow these requirements:
    • For Kerberos authentication, the authorized username must match a Teradata Vantage user having WITH NULL PASSWORD privileges, but the username does not have to be the same as the authenticated username for the user. If there is no authorization, the Kerberos username and Teradata Vantage name must match and be granted WITH NULL PASSWORD. See Logon Privileges.
    • For LDAP authentication, the directory user must be mapped to a database user having WITH NULL PASSWORD privileges.

      For username requirements, see the topics about logging on with Kerberos and LDAP authentication in Logging on to Teradata Vantage.

  • Configure the authentication mechanism for directory authorization in the TdgssUserConfigFile.xml on all required databases, and in TdgssBcmConfig.xml on the Business Continuity Manager server, if used. See Changing the TDGSS Configuration.
  • Configure the directory to map directory users to Teradata Vantage directory objects to define authorization criteria.
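
The MechanismEnabled requirement above has to hold in every place the mechanism is used (database, Business Continuity Manager, clients), so a mismatch in a single file is easy to miss. The following is an added example, not Teradata code, that compares copies of the TDGSS configuration and reports where a mechanism is not enabled. The XML layout of the constructed samples (a `Mechanism` element with a `Name` attribute and a `MechanismProperties` child) and the role names are assumptions; adjust them to match your files.

```python
import xml.etree.ElementTree as ET

# Mechanisms this page names for directory-authorized logons.
REQUIRED = {"KRB5", "SPNEGO", "LDAP"}

# Constructed sample configs, one per place the page says to check.
# ASSUMPTION: element/attribute layout; the root element name is a placeholder.
SAMPLES = {
    "database": """<TdgssConfig>
      <Mechanism Name="KRB5"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
      <Mechanism Name="ldap"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
    </TdgssConfig>""",
    "bcm": """<TdgssConfig>
      <Mechanism Name="KRB5"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
      <Mechanism Name="ldap"><MechanismProperties MechanismEnabled="no"/></Mechanism>
    </TdgssConfig>""",
    "client": """<TdgssConfig>
      <Mechanism Name="KRB5"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
    </TdgssConfig>""",
}

def mechanism_states(xml_text):
    """Return {MECHANISM: 'yes' | 'no' | 'unset'} for each mechanism found."""
    states = {}
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        name = (mech.get("Name") or "").upper()
        props = mech.find("MechanismProperties")
        value = props.get("MechanismEnabled") if props is not None else None
        states[name] = (value or "unset").strip().lower()
    return states

def audit(configs, mechanism):
    """Return {role: state} for every config where `mechanism` is not 'yes'."""
    mechanism = mechanism.upper()
    if mechanism not in REQUIRED:
        raise ValueError(f"expected one of {sorted(REQUIRED)}, got {mechanism}")
    problems = {}
    for role, xml_text in configs.items():
        # A mechanism absent from the file is reported as 'missing'.
        state = mechanism_states(xml_text).get(mechanism, "missing")
        if state != "yes":
            problems[role] = state
    return problems

if __name__ == "__main__":
    for mech in sorted(REQUIRED):
        print(mech, audit(SAMPLES, mech) or "enabled everywhere")
```
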