Explanation of Sign-on As Examples - Advanced SQL Engine

Explanation of Sign-on As Examples - Advanced SQL Engine - Teradata Database

Security Administration

Product

Advanced SQL Engine

Teradata Database

Release Number

17.05

17.00

Published

September 2020

Language

English (United States)

Last Update

2021-01-23

dita:mapPath

ied1556235912841.ditamap

dita:ditavalPath

lze1555437562152.ditaval

dita:id

B035-1100

lifecycle

Product Category

Teradata Vantage™

Syntax Element	Description
mech_name	Specifies the authentication mechanism. For Teradata authorization: KRB5 SPNEGO LDAP For directory authorization: KRB5 SPNEGO
user_credentials	Specifies the username and password for the logon, and must conform to the following rules: For Teradata authorization, the username is a network or directory username for which there is a matching database user. For directory authorization, the username is a network username for which there is a matching directory user. The password is always a network password. Valid formats for user credentials: In the .logdata statement for KRB5 and SPNEGO: diruser @@dirpassword Sign-On As using Kerberos authentication (SPNEGO mechanism) is usable only from Windows clients. In the .logdata statement for LDAP: authcid= diruser password= dirpassword diruser @@dirpassword diruser password= dirpassword In a .logon statement for KRB 5 and SPNEGO: domain_username,domain_password In a .logon statement for LDAP: dir_username,dirpassword Ensuring Correct Interpretation of UPNs For the logon diruser,dirpassword, the user specification can be “a@b” or a/b” or “a\b”. Set LdapCredentialIsUPN to interpret the user specification. See LdapCredentialIsUPN. If the LdapCredentialIsUPN property is absent or set to yes (the default), the system treats the user specification as a UPN, which must conform to the rules of IETF 1964. When LdapCredentialIsUPN is set to yes, the UPN must appear in the logon as: “a\@b” or “a\/b” or “a\\b”, where the added backslash (\) character informs the system how to handle the following character. If the CredentialIsUPN property is set to no, the system disregards the special characters and considers the user specification to be an Authcid.
authorization_qualifier	Required if the user is authorized by the directory (AuthorizationSupported=yes) and one or more of the following is true: The directory user is mapped to multiple user or profile objects LDAP is set to use SASL/DIGEST-MD5 binding (the default), the directory offers more than one realm, and the value of the LdapServerRealm property is to ''" (the default). The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5. Directory user mapped to multiple database users: If the directory user is mapped to more than one database user, specify the user with the database privileges needed for the session in the form: user= database_username The database username can be either an individual database user or EXTUSER. Directory user mapped to multiple profiles: If a directory user is mapped to more than one profile, specify profile=profile_name in the .logdata statement to identify the session profile. If the directory user is mapped to one or more database users and also to a profile, the session defers to the separately mapped profile instead of the profile belonging to the mapped database user.
authorization_qualifier	Directory offers multiple realms (LDAP authentication only): Specify the realm as it appears in the directory, normally the fully qualified DNS name of the directory, for example: realm=directory_FQDNSName The system processes realm information as follows: If the logon does not specify a realm, and the LdapServerRealm property value does not yield a valid realm, the logon fails. If the directory does not offer a realm contained in the .logdata statement, the logon fails. If the .logdata statement specifies a realm when it is needed, the logon succeeds if it is a valid realm specification.
tdpid	Required. The tdpid identifies the Teradata Vantage system, Unity server, or host group to which the logon, if successful, connects.
, ,	If the logon specifies an account, and the directory username and directory password appear in the .logdata statement, the , , must precede the account specification, with these exceptions: If the user credentials appear in the .logon statement, only a single comma is required. If the .logon does not specify an account, no commas are required.
"account"	Optional. The account string specification must be enclosed in double quotation marks. For information on accounts, see Teradata Vantage™ - Database Administration, B035-1093.