Kerberos and LDAP Authentication Requirements | Teradata Vantage - 17.10 - Kerberos or LDAP Authentication with Directory Authorization - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

July 2021
  • The directory should be LDAPv3-compliant. See Certified Directories.
  • The client from which the user logs on must be Windows, Linux, or UNIX (except IBM z/OS clients) and the system must be set up as shown in Working with Kerberos Authentication.
  • Verify that the MechanismEnabled property is set to yes for the authentication mechanism (KRB5, SPNEGO, or LDAP) on the database, the Unity server (if used), and on all clients that use the mechanism.
  • Set the mechanism as the client default, or the user must select it at logon.
  • The user must have LOGON ... WITH NULL PASSWORD privileges.
  • The username must follow these requirements:
    • For Kerberos authentication, the authorized username must match a Teradata Vantage user having WITH NULL PASSWORD privileges, but the username does not have to be the same as the authenticated username for the user. If there is no authorization, the Kerberos username and Teradata Vantage name must match and be granted WITH NULL PASSWORD. See Logon Privileges.
    • For LDAP authentication, the directory user must be mapped to a database user having WITH NULL PASSWORD privileges.

      For username requirements, see the topics about logging on with Kerberos and LDAP authentication in Logging on to Teradata Vantage.

  • Configure the authentication mechanism for directory authorization in the TdgssUserConfigFile.xml on all required databases and in the TdgssUnityConfig.xml on the Unity server, if used. See Changing the TDGSS Configuration.
  • Configure the directory to map directory users to Teradata Vantage directory objects to define authorization criteria.
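
The MechanismEnabled requirement above has to hold on the database, the Unity server, and every client at once, so it is worth checking the files side by side. The following is an added example, not Teradata code: it compares TDGSS configuration files and reports where a mechanism is disabled or has no entry. The XML layout (a `Mechanism` element with a `Name` attribute containing a `MechanismProperties` element), the sample contents, and the function names are assumptions; confirm them against your own files.

```python
import xml.etree.ElementTree as ET

# Constructed sample configurations, one per role. The element and attribute
# layout is an assumption for illustration; verify it against the real files.
SAMPLES = {
    "database": """<TdgssConfigFile>
      <Mechanism Name="KRB5"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
      <Mechanism Name="ldap"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
    </TdgssConfigFile>""",
    "unity": """<TdgssConfigFile>
      <Mechanism Name="KRB5"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
      <Mechanism Name="ldap"><MechanismProperties MechanismEnabled="no"/></Mechanism>
    </TdgssConfigFile>""",
    "client": """<TdgssConfigFile>
      <Mechanism Name="KRB5"><MechanismProperties MechanismEnabled=" Yes "/></Mechanism>
    </TdgssConfigFile>""",
}

def enabled_state(xml_text):
    """Map upper-cased mechanism name -> True if MechanismEnabled is 'yes'."""
    state = {}
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        name = (mech.get("Name") or "").upper()
        props = mech.find("MechanismProperties")
        value = props.get("MechanismEnabled", "") if props is not None else ""
        state[name] = value.strip().lower() == "yes"
    return state

def audit(configs, mechanism):
    """Return {role: reason} for every role where the mechanism is not enabled."""
    key = mechanism.upper()
    problems = {}
    for role, xml_text in configs.items():
        state = enabled_state(xml_text)
        if key not in state:
            problems[role] = "missing"    # no entry in this file: review manually
        elif not state[key]:
            problems[role] = "disabled"   # entry present but not set to yes
    return problems

if __name__ == "__main__":
    for mech in ("KRB5", "SPNEGO", "LDAP"):
        print(mech, audit(SAMPLES, mech) or "enabled in every file")
```

To run it against real systems, replace the `SAMPLES` values with the text of each host's configuration file.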