You must edit the TdgssUserConfigFile.xml to enable service binds.
The following procedure includes steps that generate an encrypted version of the service password for use in configuring the TdgssUserConfigFile.xml, which avoids storing the value of LdapServicePassword property in plain text.
- Modify the TdgssUserConfigFile.xml and set the LdapServiceFQDN property with the bind account DN.
- Update TDGSSCONFIG.GDO. Run:
run_tdgssconfig
- Generate a protected password using the tdspasswd command:If the LdapServiceFQDN bind account DN is changed, the following steps must be run again, even if the bind account plain text password remains the same.
- At the Teradata command prompt, enter:
$ tdspasswd -m mechanism
where mechanism is the authentication mechanism for which you are editing the TdgssUserConfigFile.xml; for example, ldap.
- The system prompts you to enter the new password.The system does not display the password when you enter it.
- After the system confirms the new password, it generates and displays an encrypted version of the password, for example:
$ tdspasswd -m ldap Enter New password: Confirm New password: AV8Jeq2cvjmAjiHgcSrAUoE= $
Only the mechanism you specify in the -m option can use the encrypted password, and only for service binds.
- At the Teradata command prompt, enter:
- Edit the mechanism to specify a service user and password for the service bind:
<Mechanism Name="ldap"> <MechanismProperties ... LdapServiceBindRequired="yes" LdapServiceFQDN="cn=service_id,ou=services,dc=domain,dc=com" LdapServicePassword="encrypted_password" LdapServicePasswordProtected="yes" ... /> </Mechanism>
The LdapServicePasswordProtected property is only an indicator of password protection status, and does not enable the protection.- service_id
- The CN of the service user object in the directory.
- encrypted_password
- The encrypted password generated earlier in this procedure.
- Verify the configuration is correct:
- Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
/opt/teradata/tdgss/bin/tdgsstestcfg
- Run a utility, such as tdgssauth, to test the new configuration before you commit the changes to the TDGSSCONFIG GDO.
- Exit the test shell:
exit
- Continue editing and testing until the configuration is correct.
- Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
- Run the run_tdgssconfig utility to send the changes to the TDGSSCONFIG GDO:
run_tdgssconfig
- If run_tdgssconfig indicates that a TPA reset is required, then run tpareset from the Teradata Vantage node with the lowest ID number, to activate the changes to the TDGSS configuration.
tpareset “use updated TDGSSCONFIG GDO”
Service binds configured for LDAP apply it to all external authentication mechanisms.