Once the external agent has authenticated the user, it passes the username to the directory for authorization of user access privileges, based on mappings to the matching directory user.
- Enable external authentication in the database. See External Authentication Controls.
- At logon, the user must specify the authenticating mechanism from the following:
- SPNEGO (not available for ODBC-based applications)Sign-On As using Kerberos authentication (KRB5 or SPNEGO mechanism) is usable only from Windows clients.
For a description of logons where LDAP does both authentication and authorization, see Logging on Using LDAP Authentication and Authorization.
- Configure the authentication mechanism:
- Set the AuthorizationSupported property for the authenticating mechanism to yes. The KRB5 and SPNEGO mechanisms set AuthorizationSupported to no by default.
- The mechanism must contain the LDAP properties and values shown in Option 3: Non-LDAP External Authentication with Directory Authorization.
- Ensure that the logon username matches a username in the authorizing directory, and the matching directory user must be mapped to one or more Teradata Vantage objects, as shown in Provisioning Directory Users with Teradata Schema Extensions or Using Native Directory Schema to Provision Directory Users.