Kerberos and LDAP Authentication Requirements | Teradata Vantage - 17.20 - Kerberos or LDAP Authentication with Directory Authorization - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07
  • The directory should be LDAPv3-compliant. See Certified Directories.
  • The client from which the user logs on must be Windows, Linux, or UNIX (except IBM z/OS clients), and the system must be set up as shown in Working with Kerberos Authentication.
  • Verify that the MechanismEnabled property is set to yes for the authentication mechanism (KRB5, SPNEGO, or LDAP) on the database, and on all clients that use the mechanism.
  • Set the mechanism as the client default, or the user must select it at logon.
  • The user must have LOGON ... WITH NULL PASSWORD privileges.
  • The username must follow these requirements:
    • For Kerberos authentication, the authorized username must match a Teradata Vantage user having WITH NULL PASSWORD privileges, but the username does not have to be the same as the authenticated username for the user. If there is no authorization, the Kerberos username and Teradata Vantage name must match and be granted WITH NULL PASSWORD. See Logon Privileges.
    • For LDAP authentication, the directory user must be mapped to a database user having WITH NULL PASSWORD privileges.

      For username requirements, see the topics about logging on with Kerberos and LDAP authentication in Logging on to Teradata Vantage.

  • Configure the authentication mechanism for directory authorization in the TdgssUserConfigFile.xml on all required databases. See Changing the TDGSS Configuration.
  • Configure the directory to map directory users to Teradata Vantage directory objects to define authorization criteria.
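
The MechanismEnabled check in the list above can be scripted so that it is run against the TdgssUserConfigFile.xml on the database and on each client. The following is an added example, not Teradata code: the XML layout (one `Mechanism` element per mechanism, identified by a `Name` attribute, with `MechanismEnabled` as an attribute of a child element) is an assumption, the sample file content is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real site file. Assumed layout: one
# <Mechanism Name="..."> per mechanism, MechanismEnabled on a child element.
SAMPLE_CONFIG = """\
<TdgssConfigFile>
  <Mechanism Name="KRB5">
    <MechanismProperties MechanismEnabled="yes"/>
  </Mechanism>
  <Mechanism Name="SPNEGO">
    <MechanismProperties MechanismEnabled="no"/>
  </Mechanism>
  <Mechanism Name="ldap">
    <MechanismProperties MechanismEnabled="Yes"/>
  </Mechanism>
</TdgssConfigFile>
"""

def mechanism_states(xml_text):
    """Return {MECHANISM_NAME: MechanismEnabled value, or None if not set}."""
    root = ET.fromstring(xml_text)
    states = {}
    for mech in root.iter("Mechanism"):
        name = (mech.get("Name") or "").upper()  # compare names case-insensitively
        value = None
        for node in mech.iter():  # the Mechanism element and its descendants
            if "MechanismEnabled" in node.attrib:
                value = node.attrib["MechanismEnabled"].strip().lower()
                break
        states[name] = value
    return states

def audit(xml_text, required):
    """Return (mechanism, problem) for each required mechanism not set to yes."""
    states = mechanism_states(xml_text)
    findings = []
    for name in required:
        key = name.upper()
        if key not in states:
            findings.append((key, "mechanism not present in file"))
        elif states[key] is None:
            findings.append((key, "MechanismEnabled not set in this file"))
        elif states[key] != "yes":
            findings.append((key, "MechanismEnabled=" + states[key]))
    return findings

if __name__ == "__main__":
    for mech, problem in audit(SAMPLE_CONFIG, ["KRB5", "SPNEGO", "LDAP"]):
        print(mech, problem)
```

An empty result means every mechanism in the required list is enabled in that file; pass only the mechanisms the site actually uses.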