Editing TdgssUserConfigFile.xml for Service Binds - Advanced SQL Engine - Teradata Database

Security Administration
Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
September 2020
Language
English (United States)
Last Update
2021-01-23
dita:mapPath
ied1556235912841.ditamap
dita:ditavalPath
lze1555437562152.ditaval
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantage™

You must edit the TdgssUserConfigFile.xml to enable service binds.

The following procedure includes steps that generates an encrypted version of the service password for use in configuring the TdgssUserConfigFile.xml, which avoids storing the value of LdapServicePassword property in plain text.
  1. Modify the TdgssUserConfigFile.xml and set the LdapServiceFQDN property with the bind account DN.
  2. Update TDGSSCONFIG.GDO. Run:
    run_tdgssconfig
  3. Generate a protected password using the tdspasswd command:
    1. At the Teradata command prompt, enter:
      $ tdspasswd -m  mechanism

      where mechanism is the authentication mechanism for which you are editing the TdgssUserConfigFile.xml; for example, ldap.

    2. The system prompts you to enter the new password.
      Enter New password:
Confirm New password:
      The system does not display the password when you enter it.
    3. After the system confirms the new password, it generates and displays an encrypted version of the password, for example: 
      $ tdspasswd -m ldap
Enter New password:
Confirm New password:
AV8Jeq2cvjmAjiHgcSrAUoE=
$
      Only the mechanism you specify in the -m option can use the encrypted password, and only for service binds.
    If the LdapServiceFQDN bind account DN is changed, the above steps must be run again, even if the bind account plain text password remains the same.
  4. Edit the mechanism to specify a service user and password for the service bind:
    <Mechanism Name="ldap">
   <MechanismProperties
        ...
     LdapServiceBindRequired="yes"
     LdapServiceFQDN="cn=service_id,ou=services,dc=domain,dc=com"
     LdapServicePassword="encrypted_password"
     LdapServicePasswordProtected="yes"
        ...
        />
</Mechanism>
    The LdapServicePasswordProtected property is only an indicator of password protection status, and does not enable the protection.

    where:

    Property Value Description
    service_id The CN of the service user object in the directory.
    encrypted_password The encrypted password generated in step 1c (sub-step c of step 1.).
  5. Run the run_tdgssconfig utility to send the changes to the TDGSSCONFIG GDO:
    run_tdgssconfig
  6. Run tpareset from the Teradata Vantage node with the lowest ID number, to activate the changes to the TDGSS configuration.
    tpareset “use updated TDGSSCONFIG GDO”
  7. Repeat this procedure on the Teradata Unity server, if used. For information about Unity, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523 and Teradata® Unity™ User Guide, B035-2520.
Service binds configured for LDAP apply it to all external authentication mechanisms.