17.20 - Creating the <LdapConfig> Section in the TdgssUserConfigFile.xml - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07
The <LdapConfig> section must contain at least:
  • One <Service>
  • One canonicalization, that is, one <IdentityMap> or <IdentitySearch> element
  1. Create the <LdapConfig> section by adding the following elements to the TdgssUserConfigFile.xml. The <LdapConfig> section must be located directly following the <Mechanisms> section and on the same level as the <Mechanisms> section.

    For example:

    <LdapConfig>
      <Services>
        <Service
        ...
        </Service>
        <Service
        ...
        </Service>
        <Service
        ...
        </Service>
      </Services>
      <Canonicalizations>
      ...
      </Canonicalizations>
    </LdapConfig>
  2. Add the optional <Tls> protection section as the first element of the configuration. This section is the global default for all configured services. For example:
    <LdapConfig>
      <!-- The default TLS configuration goes here. -->
      <Tls
        LdapClientTlsCACertDir="/etc/ssl/certs"
        LdapClientTlsReqCert="allow"
        LdapClientTlsCACert="/etc/ssl/certs.pem"
        LdapClientTlsCert="/etc/ssl/certs/client.pem"
        LdapClientTlsKey="/etc/ssl/certs/key.pem"
        LdapClientTlsRandFile="/dev/urandom"
        LdapClientTlsCipherSuite="!LOW"/>
      ...
    </LdapConfig>
    If the TLS requirements vary among directory services, you can configure TLS separately for each <Service>, as shown in step 4. Also see Using TLS with a Directory Server. The settings in a service-level <Tls> element override the global settings for that service only.
  3. Use the tdspasswd tool to generate an encrypted password for the private key file.
    # tdspasswd -s svc.div1root
    Enter New password:
    Confirm New password:
    ASfb+l7norNgJHZZBufEmRS=

    where svc.div1root is the value specified for the Id property in the <Service> configuration.

    When prompted by the tool, enter a password. The tool generates an encrypted version of the password, for example: ASfb+l7norNgJHZZBufEmRS=

  4. Configure a <Service> element for each directory service. For example:
    <Services>
      <Service
        Id="svc.div1root"
        LdapServerName="ldap://div1root/ ldap://tdgss/ ldap://wave/"
        LdapBaseFQDN="dc=div1rootdom,dc=div1dev,dc=corp"
        LdapSystemFQDN="cn=end2end,cn=tdat,dc=div1rootdom,dc=div1dev,dc=corp"
        LdapServicePassword="password"
        LdapClientUseTls="no"
        LdapClientMechanism="simple">
        <!-- Overrides to the default TLS configuration go here. -->
        <Tls
          LdapClientTlsReqCert="demand"
          LdapClientTlsCert="/home/mycert"/>
      </Service>
      <Service
      ...
      </Service>
    </Services>
    Property: Id="svc.div1root"
    Description: Uniquely names a directory service.

    Property: LdapServerName= ... LdapClientMechanism=
    Description: The LDAP properties the service requires, according to site needs. You only need to include properties with non-default values.

    Property: LdapServicePassword="password"
    Description: Set this property to the encrypted password generated in step 3.

    Property: <Tls LdapClientTlsReqCert="demand" LdapClientTlsCert="/home/mycert"/>
    Description: [Optional] TLS sub-section whose values override the defaults in the main <Tls> section, for this service only.
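The following Python script is an added example and is not part of Teradata's documentation or the TDGSS code. It assembles the fragments from steps 1, 2 and 4 into one constructed <LdapConfig> section and checks the rules this page states: <LdapConfig> directly follows <Mechanisms> as a sibling, at least one <Service> with a unique Id, at least one <IdentityMap> or <IdentitySearch>, and the global <Tls> as the first element. It then computes the TLS settings each service ends up with after its own <Tls> override is applied and flags two things a reviewer would want to see: an effective LdapClientTlsReqCert other than "demand" (the server certificate is not enforced) and a simple bind over ldap:// with LdapClientUseTls="no" (the service password crosses the wire in clear text). The root element name TdgssUserConfig, the attribute-less <IdentityMap/>, and the second service svc.second are constructed assumptions; the password value is the sample output shown in step 3.

```python
import xml.etree.ElementTree as ET

# Constructed sample assembled from the fragments on this page (not a real site file).
# Assumptions: root element name TdgssUserConfig, an attribute-less <IdentityMap/>,
# and a second service "svc.second" that inherits the global TLS defaults unchanged.
SAMPLE = """\
<TdgssUserConfig>
  <Mechanisms/>
  <LdapConfig>
    <!-- global TLS defaults -->
    <Tls LdapClientTlsCACertDir="/etc/ssl/certs"
         LdapClientTlsReqCert="allow"
         LdapClientTlsCipherSuite="!LOW"/>
    <Services>
      <Service Id="svc.div1root"
               LdapServerName="ldap://div1root/ ldap://tdgss/ ldap://wave/"
               LdapBaseFQDN="dc=div1rootdom,dc=div1dev,dc=corp"
               LdapSystemFQDN="cn=end2end,cn=tdat,dc=div1rootdom,dc=div1dev,dc=corp"
               LdapServicePassword="ASfb+l7norNgJHZZBufEmRS="
               LdapClientUseTls="no"
               LdapClientMechanism="simple">
        <!-- per-service override of the TLS defaults -->
        <Tls LdapClientTlsReqCert="demand" LdapClientTlsCert="/home/mycert"/>
      </Service>
      <Service Id="svc.second" LdapServerName="ldaps://second/"
               LdapClientMechanism="simple"/>
    </Services>
    <Canonicalizations>
      <IdentityMap/>
    </Canonicalizations>
  </LdapConfig>
</TdgssUserConfig>
"""


def ldap_config(root):
    """Return (<LdapConfig> element or None, list of placement problems)."""
    children = list(root)
    tags = [c.tag for c in children]
    if "LdapConfig" not in tags:
        return None, ["missing <LdapConfig> section"]
    i = tags.index("LdapConfig")
    problems = []
    if i == 0 or tags[i - 1] != "Mechanisms":
        problems.append("<LdapConfig> must directly follow <Mechanisms> at the same level")
    return children[i], problems


def check_ldap_config(xml_text):
    """Return the list of rule violations; an empty list means the section passes."""
    cfg, problems = ldap_config(ET.fromstring(xml_text))
    if cfg is None:
        return problems
    elements = list(cfg)  # ElementTree drops comments, so index 0 is the first real element
    tls = cfg.find("Tls")
    if tls is not None and elements[0] is not tls:
        problems.append("the global <Tls> element must be the first element of <LdapConfig>")
    services = cfg.findall("Services/Service")
    if not services:
        problems.append("at least one <Service> is required")
    ids = [s.get("Id") for s in services]
    if None in ids:
        problems.append("every <Service> needs an Id")
    if len(set(ids)) != len(ids):
        problems.append("<Service> Id values must be unique")
    if not (cfg.findall("Canonicalizations/IdentityMap")
            or cfg.findall("Canonicalizations/IdentitySearch")):
        problems.append("at least one <IdentityMap> or <IdentitySearch> is required")
    return problems


def effective_tls(xml_text):
    """Map each Service Id to its effective TLS attributes: global <Tls> merged with the override."""
    cfg, _ = ldap_config(ET.fromstring(xml_text))
    if cfg is None:
        return {}
    glob = cfg.find("Tls")
    base = dict(glob.attrib) if glob is not None else {}
    result = {}
    for svc in cfg.findall("Services/Service"):
        merged = dict(base)
        override = svc.find("Tls")
        if override is not None:
            merged.update(override.attrib)  # service values win over the global defaults
        result[svc.get("Id")] = merged
    return result


def tls_warnings(xml_text):
    """Return (service Id, message) pairs for services with weak effective TLS settings."""
    cfg, _ = ldap_config(ET.fromstring(xml_text))
    warnings = []
    for svc_id, tls in effective_tls(xml_text).items():
        if tls.get("LdapClientTlsReqCert") != "demand":
            warnings.append((svc_id, "effective LdapClientTlsReqCert is not 'demand'; "
                                     "the directory server certificate is not enforced"))
    for svc in cfg.findall("Services/Service") if cfg is not None else []:
        plain = any(u.startswith("ldap://") for u in svc.get("LdapServerName", "").split())
        if plain and svc.get("LdapClientMechanism") == "simple" and svc.get("LdapClientUseTls") == "no":
            warnings.append((svc.get("Id"), "simple bind over ldap:// with LdapClientUseTls=\"no\" "
                                            "sends the service password in clear text"))
    return warnings


if __name__ == "__main__":
    print("problems:", check_ldap_config(SAMPLE))
    for svc_id, tls in effective_tls(SAMPLE).items():
        print(svc_id, tls)
    for svc_id, msg in tls_warnings(SAMPLE):
        print("WARNING", svc_id, msg)
```

Run it against a copy of your own TdgssUserConfigFile.xml by replacing SAMPLE with the file contents; an empty problem list plus no warnings means every service verifies its directory server certificate and never binds with a plaintext password.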