Testing Directory-Based IP Restrictions | Teradata Vantage - Testing Directory-Based IP Restrictions - Analytics Database - Teradata Vantage

Security Administration

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
VMware
Product
Analytics Database
Teradata Vantage
Release Number
17.20
Published
June 2022
Language
English (United States)
Last Update
2023-12-11
dita:mapPath
hjo1628096075471.ditamap
dita:ditavalPath
qkf1628213546010.ditaval
dita:id
zuy1472246340572
lifecycle
latest
Product Category
Teradata Vantage™

If you map a directory user to database user object in the directory, the directory user inherits all the IP restrictions that are applicable to the mapped database user, as defined in the IP GDO. You can use tdgssauth to check whether the GDO applies the expected IP restrictions to a mapped directory user.

$ tdgssauth -m ldap -u diperm01 -i 192.0.2.15
TDGSS_BIN_FILE not set.
TDGSSCONFIG GDO used in tdgss.
Please enter a password: 
                        Status: authenticated, not authorized
                 Database user: perm01 [permanent user]
                       Profile: profile01
                External roles: extrole01perm01, extrole02perm01, extrole03perm01
            Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
        Audit trail identifier: diperm01
        Authenticating service: esroot1
     Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
       Mechanism specific data: diperm01

 Security context capabilities: replay detection
                                out of sequence detection
                                confidentiality
                                integrity
                                protection ready
                                exportable security context

The TDGSS function tdgss_inquire_policy_for_user returned an error:
  Major status 0x000d0000 – Failure
  Minor status 0xe10000ed – The user is not permitted to log on from the IP address.
Based on the results, if the restrictions do not function as needed, you can do one or both of the following:

When the restrictions pass the test without problems, the IP restrictions are complete.