Testing Directory-Based IP Restrictions | Teradata Vantage - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
Document ID: B035-1100
Product Category: Teradata Vantage™
If you map a directory user to a database user object in the directory, the directory user inherits all the IP restrictions that apply to the mapped database user, as defined in the IP GDO. You can use tdsbind to check whether the GDO applies the expected IP restrictions to a mapped directory user.
  1. From the /bin directory, run the tdsbind utility to determine whether the restrictions contained in the GDO affect users as expected. Test several usernames against IP addresses from which each user should, and should not, be restricted from logging on to the database.
    $ tdsbind -U username -I IP_address

    where:

    Option          Specifies...
    -U username     A Teradata Vantage username that tdsbind tests in combination with the specified IP address to determine whether any IP restrictions apply.
    -I IP_address   An IP address from which the username can log on, for example, 141.206.35.87.

    The tdsbind utility returns output similar to:

    LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
      LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
        LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
        LdapServerName: esroot
        LdapServerPort: 389
      LdapServerRealm: esrootdom
    Logon by user <username> from IP <141.206.35.87> is [not allowed] [allowed]
    $
    The output includes the LDAP property values tdsbind used to test the IP restrictions on the user; in this case, these are the properties that describe the directory characteristics needed to find the IP restrictions.

    If you use -u dir_user (diperm01) instead of -U td_user, the test binds as the directory user and returns the following additional output, which includes the identity of the mapped permanent user (perm01) from which the directory user inherits its IP restrictions:

               FQDN: CN=diperm01,OU=people,OU=testing,DC=domain,DC=com
               GUID: 535cbe8b-3bc7-ff4a-a1f1-3c56886b7858
     Audit trail ID: AKNOL3CZ1Y55UVIPRHRLIQ01YLA
           Profiles: profperm01
              Roles: extrole01perm01, extrole02perm01, extrole03perm01
              Users: perm01
  2. Based on the test results:
    If the restrictions do not function as needed, you can do one or both of the following:

    When the restrictions pass the test without problems, the IP restrictions are complete.
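The procedure above asks you to test several users against addresses they should and should not be able to log on from. As an added example (not part of the Teradata documentation), the following POSIX shell script drives tdsbind over a constructed matrix of user/IP/expected-verdict cases and reports every case where the GDO's verdict differs from what you intended; the TDSBIND variable, the matrix entries and the expected verdicts are assumptions, and the script only invokes the real utility when it is on the PATH.

```shell
#!/bin/sh
# Added example, not from the Teradata documentation. TDSBIND, the test
# matrix and the expected verdicts are constructed assumptions.
TDSBIND="${TDSBIND:-tdsbind}"
# Constructed test matrix: user|IP|expected, where expected is the verdict
# the IP GDO should produce ("allowed" or "not allowed").
MATRIX='perm01|141.206.35.87|allowed
perm01|10.0.0.5|not allowed
perm02|141.206.35.87|not allowed'

# Pull the verdict out of a tdsbind transcript. "not allowed" is matched
# before "allowed" because the former contains the latter; anything else
# (bind failure, missing logon line) is reported as "unknown", never as a pass.
verdict() {
    line=$(printf '%s\n' "$1" | grep '^Logon by user ' | head -n 1)
    case "$line" in
        *"is "*"not allowed"*) echo "not allowed" ;;
        *"is "*"allowed"*)     echo "allowed" ;;
        *)                     echo "unknown" ;;
    esac
}

# Run tdsbind for one case and compare with the expected verdict.
# Returns 0 on a match, 1 on a mismatch.
check_case() {
    user=$1; ip=$2; expected=$3
    output=$("$TDSBIND" -U "$user" -I "$ip" 2>&1)
    actual=$(verdict "$output")
    if [ "$actual" = "$expected" ]; then
        printf 'PASS %-10s %-16s %s\n' "$user" "$ip" "$actual"
        return 0
    fi
    printf 'FAIL %-10s %-16s expected %s, got %s\n' "$user" "$ip" "$expected" "$actual"
    return 1
}

# Run every case; the return status is the number of mismatches, so a
# non-zero status means the GDO does not enforce what you intended.
run_matrix() {
    failures=0
    while IFS='|' read -r user ip expected; do
        [ -n "$user" ] || continue
        check_case "$user" "$ip" "$expected" || failures=$((failures + 1))
    done <<EOF
$MATRIX
EOF
    return "$failures"
}

# Only drive the real utility when it is installed on this host.
if command -v "$TDSBIND" >/dev/null 2>&1; then
    run_matrix
fi
```

Use -u instead of -U in check_case to run the same matrix against directory users; the verdict line is parsed the same way.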