Editing TdgssUserConfigFile.xml for Service Binds - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05

You must edit the TdgssUserConfigFile.xml to enable service binds.

The following procedure includes steps that generate an encrypted version of the service password for use in configuring the TdgssUserConfigFile.xml, which avoids storing the value of the LdapServicePassword property in plain text.
  1. Modify the TdgssUserConfigFile.xml and set the LdapServiceFQDN property with the bind account DN.
  2. Update TDGSSCONFIG.GDO. Run:
    run_tdgssconfig
  3. Generate a protected password using the tdspasswd command:
    If the LdapServiceFQDN bind account DN is changed, the following steps must be run again, even if the bind account plain text password remains the same.
    1. At the Teradata command prompt, enter:
      $ tdspasswd -m mechanism

      where mechanism is the authentication mechanism for which you are editing the TdgssUserConfigFile.xml; for example, ldap.

    2. The system prompts you to enter the new password.
      The system does not display the password when you enter it.
    3. After the system confirms the new password, it generates and displays an encrypted version of the password, for example:
      $ tdspasswd -m ldap
      Enter New password:
      Confirm New password:
      AV8Jeq2cvjmAjiHgcSrAUoE=
      $
      Only the mechanism you specify in the -m option can use the encrypted password, and only for service binds.
  4. Edit the mechanism to specify a service user and password for the service bind:
    <Mechanism Name="ldap">
       <MechanismProperties
            ...
         LdapServiceBindRequired="yes"
         LdapServiceFQDN="cn=service_id,ou=services,dc=domain,dc=com"
         LdapServicePassword="encrypted_password"
         LdapServicePasswordProtected="yes"
            ...
            />
    </Mechanism>
    The LdapServicePasswordProtected property is only an indicator of password protection status, and does not enable the protection.
    service_id
      The CN of the service user object in the directory.
    encrypted_password
      The encrypted password generated earlier in this procedure.
  5. Verify the configuration is correct:
    1. Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Run a utility, such as tdgssauth, to test the new configuration before you commit the changes to the TDGSSCONFIG GDO.

      See Working with tdgssauth.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  6. Run the run_tdgssconfig utility to send the changes to the TDGSSCONFIG GDO:
    run_tdgssconfig
  7. If run_tdgssconfig indicates that a TPA reset is required, then run tpareset from the Teradata Vantage node with the lowest ID number, to activate the changes to the TDGSS configuration.
    tpareset "use updated TDGSSCONFIG GDO"
Service binds configured for LDAP apply to all external authentication mechanisms.
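
Because LdapServicePasswordProtected is only an indicator, a check on the edited file before running run_tdgssconfig can catch a plain-text or template value left in the service-bind properties. The following lint is an added example, not Teradata code. The root element name, the sample DN, the function names and the heuristic that tdspasswd output is base64 text (as the sample output above appears to be) are assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

def looks_like_tdspasswd_output(value):
    # Assumption: tdspasswd prints base64 text, as in the page's sample output.
    try:
        base64.b64decode(value, validate=True)
        return bool(value)
    except (binascii.Error, ValueError):
        return False

def lint_service_bind(xml_text, mechanism="ldap"):
    """Return findings for the service-bind properties of one mechanism."""
    root = ET.fromstring(xml_text)
    props = None
    for mech in root.iter("Mechanism"):
        if mech.get("Name") == mechanism:
            props = mech.find("MechanismProperties")
    if props is None:
        return [f"no MechanismProperties found for mechanism {mechanism!r}"]
    findings = []
    if props.get("LdapServiceBindRequired") != "yes":
        findings.append("LdapServiceBindRequired is not 'yes'")
    fqdn = props.get("LdapServiceFQDN", "")
    if not fqdn or "cn=service_id" in fqdn:
        findings.append("LdapServiceFQDN is missing or still the template DN")
    password = props.get("LdapServicePassword", "")
    if not password or password == "encrypted_password":
        findings.append("LdapServicePassword is missing or still the template value")
    elif props.get("LdapServicePasswordProtected") != "yes":
        findings.append("LdapServicePasswordProtected is not 'yes': password is declared plain text")
    elif not looks_like_tdspasswd_output(password):
        findings.append("LdapServicePasswordProtected='yes' but the value does not look like tdspasswd output")
    return findings

# Constructed samples; the root element name and all values are placeholders.
TEMPLATE = """<TdgssConfigFile><Mechanism Name="ldap"><MechanismProperties
  LdapServiceBindRequired="yes"
  LdapServiceFQDN="{dn}"
  LdapServicePassword="{pw}"
  LdapServicePasswordProtected="{flag}"/></Mechanism></TdgssConfigFile>"""
DN = "cn=svc_bind,ou=services,dc=example,dc=com"
GOOD = TEMPLATE.format(dn=DN, pw="AV8Jeq2cvjmAjiHgcSrAUoE=", flag="yes")
PLAIN = TEMPLATE.format(dn=DN, pw="S3cret!pass", flag="no")
MISLABELLED = TEMPLATE.format(dn=DN, pw="S3cret!pass", flag="yes")

if __name__ == "__main__":
    for name, doc in [("good", GOOD), ("plain", PLAIN), ("mislabelled", MISLABELLED)]:
        print(name, lint_service_bind(doc))
```

Pass the text of the edited TdgssUserConfigFile.xml to lint_service_bind. An empty list means the service-bind properties match the shape shown in step 4; it does not replace the tdgsstestcfg and tdgssauth test in step 5.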