Testing Directory-Based IP Restrictions | Teradata Vantage - 17.10 - Testing Directory-Based IP Restrictions - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
Release Date
July 2021
Content Type
Publication ID
English (United States)

If you map a directory user to database user object in the directory, the directory user inherits all the IP restrictions that are applicable to the mapped database user, as defined in the IP GDO. You can use tdgssauth to check whether the GDO applies the expected IP restrictions to a mapped directory user.

$ tdgssauth -m ldap -u diperm01 -i
TDGSSCONFIG GDO used in tdgss.
Please enter a password: 
                        Status: authenticated, not authorized
                 Database user: perm01 [permanent user]
                       Profile: profile01
                External roles: extrole01perm01, extrole02perm01, extrole03perm01
            Authenticated user: ldap://esroot.example.com:389/CN=diperm01,OU=people,OU=testing,DC=example,DC=com
        Audit trail identifier: diperm01
        Authenticating service: esroot1
     Actual mechanism employed: ldap [OID]
       Mechanism specific data: diperm01

 Security context capabilities: replay detection
                                out of sequence detection
                                protection ready
                                exportable security context

The TDGSS function tdgss_inquire_policy_for_user returned an error:
  Major status 0x000d0000 – Failure
  Minor status 0xe10000ed – The user is not permitted to log on from the IP address.

Based on the results, if the restrictions do not function as needed, you can do one or both of the following:

When the restrictions pass the test without problems, the IP restrictions are complete.