Setting Up Lightweight LDAP Authorizations - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

Prerequisites

  • An LDAPv3-compliant directory server, either LDAP or KRB5. See Certified Directories.
  • External roles defined in Teradata Vantage. See Creating and Dropping External Roles.
    The user does not need to be granted the roles in the database. However, the directory user must belong to a directory group that maps to a role; that membership gives the user permission to occupy the role with SET ROLE <extrolename>.
  • Group entries in the directory that correspond to the external roles.

Setting Up the Teradata Vantage Server to use Lightweight Authorizations

  1. On the Vantage node with the lowest ID number, navigate to the directory where TdgssUserConfigFile.xml is located:
    cd /opt/teradata/tdat/tdgss/site
  2. Make a backup copy of TdgssUserConfigFile.xml.
  3. Edit TdgssUserConfigFile.xml to allow TDGSS to search the directory for group-like entries:
    1. Set AuthorizationSupported to yes.
    2. Set AuthenticationSupported to yes.
    3. Add an <AuthSearch> section.

      The <AuthSearch> section goes in the <Canonicalizations> area of the <LdapConfig> section or as a child of the <MechanismProperties> element. In both cases, <AuthSearch> is a sibling of the <IdentitySearch> and <IdentityMap> elements.

      For example:

      <Mechanism Name="ldap">
         <MechanismProperties
              AuthenticationSupported="yes"
              AuthorizationSupported="yes"
              … />
         <AuthSearch
              Ref="service-id"
              Base="search-base"
              Scope="{onelevel|subtree}"
              MemberAttribute="member-attribute-name"
              ObjectClass="object-class-name"
              NamingAttribute="naming-attribute-name">
              <AuthSearchMap Match="regex" Pattern="pattern"/>
         </AuthSearch>
      </Mechanism>

      See <AuthSearch> for details about each element.

  4. Verify the configuration is correct:
    1. Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Run the tdgssauth utility to test the new configuration before you commit the changes to the TDGSSCONFIG GDO.

      See Working with tdgssauth.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  5. Update TDGSSCONFIG.GDO. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig
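As an added pre-check for step 3 before running tdgsstestcfg in step 4 (example code written for this page, not Teradata's own tooling, and no substitute for tdgssauth): the script below parses a TdgssUserConfigFile.xml and reports which of the settings the procedure requires are missing or wrong. The two sample configs are constructed; the root element name, the placement of <AuthSearch>, and the attribute values such as Base and ObjectClass are assumptions.

```python
import xml.etree.ElementTree as ET

# Attributes the page's <AuthSearch> example carries; each must be set.
REQUIRED_AUTHSEARCH_ATTRS = ("Ref", "Base", "Scope", "MemberAttribute",
                             "ObjectClass", "NamingAttribute")

def check_lightweight_authz(xml_text, mechanism="ldap"):
    """Return findings for the named <Mechanism>; [] means step 3 is complete."""
    findings = []
    root = ET.fromstring(xml_text)
    mech = next((m for m in root.iter("Mechanism")
                 if m.get("Name") == mechanism), None)
    if mech is None:
        return [f'no <Mechanism Name="{mechanism}"> element']
    props = mech.find("MechanismProperties")
    if props is None:
        findings.append("missing <MechanismProperties>")
    else:
        for attr in ("AuthenticationSupported", "AuthorizationSupported"):
            if props.get(attr, "").lower() != "yes":
                findings.append(f"{attr} is not 'yes'")
    # <AuthSearch> may live under <Canonicalizations> or elsewhere in the
    # mechanism, so search the whole subtree rather than one fixed path.
    searches = mech.findall(".//AuthSearch")
    if not searches:
        findings.append("no <AuthSearch> element")
    for s in searches:
        for attr in REQUIRED_AUTHSEARCH_ATTRS:
            if not s.get(attr):
                findings.append(f"AuthSearch missing {attr}")
        if s.get("Scope") not in ("onelevel", "subtree"):
            findings.append("AuthSearch Scope must be onelevel or subtree")
        if s.find("AuthSearchMap") is None:  # present in the page's example
            findings.append("AuthSearch has no <AuthSearchMap> child")
    return findings

# Constructed sample configs (not real Teradata files): one with the step 3
# edits applied, one with authorization still off and no <AuthSearch>.
GOOD_CONFIG = """<TdgssUserConfigFile><Mechanism Name="ldap">
  <MechanismProperties AuthenticationSupported="yes" AuthorizationSupported="yes"/>
  <AuthSearch Ref="service-id" Base="ou=groups,dc=example,dc=com" Scope="subtree"
              MemberAttribute="member" ObjectClass="groupOfNames" NamingAttribute="cn">
    <AuthSearchMap Match="regex" Pattern="pattern"/>
  </AuthSearch>
</Mechanism></TdgssUserConfigFile>"""

BAD_CONFIG = """<TdgssUserConfigFile><Mechanism Name="ldap">
  <MechanismProperties AuthenticationSupported="yes" AuthorizationSupported="no"/>
</Mechanism></TdgssUserConfigFile>"""
```

Run it against the edited file before step 4; an empty result only means the required elements are present, so the directory search itself still has to be exercised with tdgssauth.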