Example: Test of IP Access Restrictions for Directory Users - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
dita:id: B035-1100
Product Category: Teradata Vantage™

Suppose the IP GDO defines IP access restrictions as follows:

<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="tnt38">
    <users tag="users">
      <user name="drct01"/>
      <user name="drct02"/>
      <user name="perm01" tag="tagperm01"/>
    </users>
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.36.0/24"/>
        <allow ip="141.206.35.0/24"/>
        <deny ip="141.206.35.88/32"/>
        <appliesto tagref="allusers"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>

Use tdsbind to test user restrictions (without binding), based on the XML document entry above, to determine which restrictions apply to user djl for the IP addresses from which the user normally logs on to the database.

The last line of the output indicates whether the logon is allowed or denied.

$ tdsbind -U djl -I 141.206.35.87
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.87> is allowed
$ tdsbind -U djl -I 141.206.35.88
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.88> is not allowed
$ tdsbind -U djl -I 141.206.35.89
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.89> is allowed
$
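The three results above follow from the single restrictive filter in the GDO: both /24 ranges are allowed, and the /32 deny carves 141.206.35.88 out of the allowed 141.206.35.0/24 range. The following Python is an added illustration, not tdsbind or any Teradata code; it parses a constructed copy of the GDO above and reproduces the same allow/deny decisions. It assumes that a deny entry overrides an overlapping allow (which is what the output shows) and does not model the appliesto user scoping.

```python
# Added illustration: evaluate an address against the ipfilter entries of the
# IP GDO shown on this page. Not tdsbind code; precedence rules are assumed.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the GDO above (user list omitted; only ipfilters matter here).
IP_GDO = """<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="tnt38">
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.36.0/24"/>
        <allow ip="141.206.35.0/24"/>
        <deny ip="141.206.35.88/32"/>
        <appliesto tagref="allusers"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>"""


def load_filters(xml_text):
    """Return a list of (name, type, allow_networks, deny_networks) per ipfilter."""
    root = ET.fromstring(xml_text)
    filters = []
    for f in root.iter("ipfilter"):
        allows = [ipaddress.ip_network(a.get("ip")) for a in f.findall("allow")]
        denies = [ipaddress.ip_network(d.get("ip")) for d in f.findall("deny")]
        filters.append((f.get("name"), f.get("type"), allows, denies))
    return filters


def logon_allowed(ip, filters):
    """Assumed semantics, consistent with the tdsbind output on this page:
    - any matching deny entry denies the logon, even inside an allowed range;
    - a restrictive filter denies any address that matches no allow entry;
    - for other filter types (not shown on this page) only deny entries apply.
    """
    addr = ipaddress.ip_address(ip)
    for _name, ftype, allows, denies in filters:
        if any(addr in net for net in denies):
            return False
        if ftype == "restrictive" and not any(addr in net for net in allows):
            return False
    return True


if __name__ == "__main__":
    rules = load_filters(IP_GDO)
    for ip in ("141.206.35.87", "141.206.35.88", "141.206.35.89"):
        print(ip, "allowed" if logon_allowed(ip, rules) else "not allowed")
```

Running it prints the same three verdicts as the tdsbind calls above; an address outside both /24 ranges (for example 10.0.0.5) is also denied because the filter is restrictive.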

You can also use tdsbind to test an LDAP logon for a particular IP address, with binding.

$ tdsbind -u diperm01 -I 141.206.35.88
Enter LDAP password:
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
           FQDN: CN=diperm01,OU=people,OU=testing,DC=domain,DC=com
           GUID: 535cbe8b-3bc7-ff4a-a1f1-3c56886b7858
 Audit trail ID: AKNOL3CZ1Y55UVIPRHRLIQ01YLA
       Profiles: profperm01
          Roles: extrole01perm01, extrole02perm01, extrole03perm01
          Users: perm01
Logon by user <perm01> from IP <141.206.35.88> is not allowed
$