Working with tdgssauth - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
dita:id: B035-1100
lifecycle: previous
Product Category: Teradata Vantage™
The tdgssauth standalone tool tests TDGSS security mechanism configurations on Teradata Vantage nodes and Unity servers. Use it to test and correct authentication, authorization, and policy failures offline:
  • Testing offline with tdgssauth minimizes the number of server TPA resets when bringing external authentication deployments and configuration fixes live.
  • tdgssauth tests the following mechanisms: TD2, LDAP, Kerberos, and TDNEGO.

This tool makes use of TDGSS itself to establish a pair of security contexts based on the user's input options. One context is established to simulate the client side of a secured connection. The other context simulates the server side of a secured connection.

Once the contexts are established, the server's context is probed to determine the outcome of the authentication attempt. The user's authentication properties are acquired and displayed in human-readable form. The user's name is then used to probe security policy, and the results of the probe are also displayed in human-readable form.

The tool can also exercise confidentiality and integrity services offered by TDGSS. Exercising these services is controlled from security policy and from command line options.

This tool can perform all tdsbind functions except using command line options to adjust LDAP configuration properties. It differs from tdsbind in that it uses TDGSS to perform an actual token exchange that leads to the establishment of real security contexts, while tdsbind merely emulates how the database will use a directory service when presented with particular user names and passwords. tdgssauth is also capable of invoking the policy API based on the outcome of context establishment, while tdsbind is not.
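The loopback flow described above (a client-side and a server-side context in one process, a token exchange, then a probe of the server context and a policy lookup by user name) is illustrated here with a toy mechanism. This is an added example, not Teradata code and not the TDGSS API: the HMAC challenge-response mechanism, the class and function names, and the user and policy tables are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data (not Teradata's): user secrets and a policy table.
USERS = {"alice": b"correct horse"}
POLICY = {"alice": {"confidentiality": True, "integrity": True}}
DEFAULT_POLICY = {"confidentiality": False, "integrity": True}

class ServerContext:
    """Acceptor side of the toy mechanism: challenge, then verify the proof."""
    def __init__(self):
        self.complete, self.user = False, None
        self._name = self._nonce = None

    def step(self, token):
        if self._nonce is None:  # first token carries the claimed user name
            self._name, self._nonce = token.decode(), os.urandom(16)
            return self._nonce
        # Unknown users get a random secret so the proof can never match.
        secret = USERS.get(self._name, os.urandom(16))
        expected = hmac.new(secret, self._nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, token):
            self.user = self._name
        self.complete = True
        return None

class ClientContext:
    """Initiator side: send the name, then answer the server's challenge."""
    def __init__(self, name, password):
        self.name, self.password, self._sent_name = name, password, False

    def step(self, token=None):
        if not self._sent_name:
            self._sent_name = True
            return self.name.encode()
        return hmac.new(self.password, token, hashlib.sha256).digest()

def loopback_auth(name, password):
    """Run both contexts in one process, then probe the server context."""
    client, server = ClientContext(name, password), ServerContext()
    token = client.step()
    while not server.complete:
        token = server.step(token)
        if token is not None:
            token = client.step(token)
    user = server.user  # identity as the server side sees it
    policy = POLICY.get(user, DEFAULT_POLICY) if user else None
    return {"authenticated": user is not None, "user": user, "policy": policy}
```

The outcome is read from the server context only, which is why a test of this kind exercises the same decision path a live logon would, rather than emulating a directory lookup.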

tdgssauth is not included with Unity servers.

You can use tdgssauth to: