16.10 - Using Tdsbind Options - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K
Tdsbind Option Description
-B base_fqdn The FQDN of a directory object containing directory user and group objects.

By default, tdsbind uses the value of the LdapBaseFQDN property.

Although this option continues to function, it is deprecated for future use. See LdapBaseFQDN.
-c Causes the system to initialize TDGSS as if it were a configured client.

This attribute is for future use only, and is not currently valid.

You cannot use this option if you use either the -s or -t option.

-D referral_method Specifies how referrals are chased.

If this property is omitted, Tdsbind uses the value of the LdapClientDeref property from the TDGSS user configuration file.

Teradata recommends that you do not use referral chasing. See LdapClientDeref.
-d ldap_realm The name of the SASL realm for DIGEST-MD5 binding of the directory user.

This option is meaningful only when both of the following are true:

  • Binding is set to use DIGEST-MD5
  • The directory service offers more than one realm

By default, tdsbind uses the value configured for the LdapServerRealm property in the LDAP mechanism.

This option is deprecated. If you need to specify a non-default value, specify a value for the LdapServerRealm in the -O option.

See LdapServerRealm.

-f file name The name of a file generated using the ipxml2bin utility, which defines a set of IP logon restrictions. For information about XML IP restrictions, see Creating XML-Based IP Restrictions.
-G groupbase_fqdn The FQDN of any object in the directory that is the base of a subtree which contains group objects.

If you do not specify an FQDN for -G, tdsbind uses the value of the LdapGroupBaseFQDN property.

If the LdapGroupBaseFQDN property does not contain an FQDN, the system uses the value for the -B option (not recommended).

See LdapGroupBaseFQDN.

-h ldap_host The name of the LDAP directory server.

By default, tdsbind uses the value of the LdapServerName property.

The -h option is deprecated. If you need to specify a value other than the default, use the -O option to specify an LdapServerName.

See LdapServerName for naming options.

-I ip_add Specifies an IP address. Tdsbind tests the IP address against any configured IP restrictions to determine whether any of the restrictions denies the user access to the database from the IP address.
  • If you do not specify -U, tdsbind initiates a bind of the user.
  • If you specify the -U option, tdsbind skips the bind operation and tests the named user and IP address for restrictions.
To test a new IP restriction, before you create or change the system IP configuration, also use the -f option to specify a test file.

For further information on setting up IP restrictions, see Restricting Logons by IP Address.

-O property=value Specifies one or more alternate values for LDAP property settings, and supersedes the values in the TdgssUserConfigFile.xml, with these constraints:
  • For each LDAP property, if a -O specification is not present, the system uses the value found in the TdgssUserConfigFile.xml.
  • You can specify any LDAP mechanism properties.
  • You cannot specify non-LDAP properties, identity map, or identity search.
  • If you specify more than one LDAP property, the specifications must be space separated, and the -O must precede each one, for example:
    tdsbind -O LdapServerName=name -O LdapGroupBaseFQDN=fqdn
  • If you specify an option more than once in a tdsbind command, for example, if you specify both -S and -O LdapSystemFQDN=fqdn, the command fails.

You can use -O to test new configurations. See Making Changes to the TdgssUserConfigFile.xml on Database Nodes.

For detailed information on using LDAP properties, see the topics beginning with Directory Identification and Search Properties.

-p ldap_port Specifies the LDAP service port. The -p option is deprecated.

The system defaults to the port designation associated with the naming convention specified for the LdapServerName property.

If you need to specify a port other than that associated with the LdapServerName property, use the -O option to change the LdapServerName to include the optional port designation.

See LdapServerName.

-q Specifies that tdsbind run in “quiet” mode, that is, suppress the display of LDAP properties and values, and show only user-specific information.
-R referral_setting Specifies whether referral chasing is enabled or disabled.

If you do not specify this option, tdsbind uses the value of the LdapClientReferrals property, which is set to off by default.

Teradata recommends that you do not use referral chasing.

See LdapClientReferrals.

-r random_device Specifies the name of a device, FIFO, or pipe that provides random bits when the default /dev/[u]random (the built-in Linux random number generator) is not available, or if an alternate source is preferred.

If you do not specify a value for this option, the system defaults to /dev/[u]random, or to the value of the LdapClientRandomDevice property, if it is configured.

See LdapClientRandomDevice.

-S system_fqdn Specifies the FQDN of the directory object that defines the Teradata Database server (the tdatSystem object).

By default, tdsbind uses the value of the LdapSystemFQDN property.

See LdapSystemFQDN.

-s Causes the system to initialize TDGSS as if it were a configured database node. This is the default if the tdsbind statement does not define other TDGSS initializing criteria.

You cannot use this option if you use either the -c or -t option.

-t directory_name Specifies a directory containing a different version of the TDGSS bin and etc directories. This argument causes the system to initialize TDGSS in a test environment instead of the normal default location.

You cannot use this option if you use either the -c or -s option.

-U td_user Specifies a Teradata Database username, which tdsbind uses, along with the IP address specified in -I ip_add, to evaluate whether a user logon is restricted.

If you use this option, the bind process does not take place, because it is not required to test IP restrictions. Tdsbind ignores any specified bind options, for example, the database user password.

When this option is specified, the -I option is required.

-u dir_user The authentication identifier for the directory user; a valid directory user authcid.

You must specify this option if you are binding a directory user, for example, when you test directory user authentication and authorization characteristics against a new TdgssUserConfigFile.xml. There is no default.

This option is not required when you use tdsbind to test user IP restrictions. Instead, use the -U option to specify a database user.
-V Specifies the debug flags to be passed to the OpenLDAP client API.

This property is only supported for Teradata Database on Linux.

If this property is omitted, tdsbind uses the value of the LdapClientDebug property from the TDGSS user configuration file. The default is no.

You can use the LdapClientDebug property to assist the Teradata Support Center in debugging LDAP directory issues, but this property is not user settable.
Do not use this option without Teradata Support Center assistance. Values other than the default may cause system malfunction.
-v version Initializes a specific version of TDGSS. Tdsbind defaults to the current TDGSS version. Like -t, you cannot use -v with the -c or -s option.
-w password The password for the directory user specified in the -u option.

By default, tdsbind interactively prompts the user for a password and securely reads the submitted password.

-X user_base_fqdn The fully qualified distinguished name of any object in the directory that is the base of a subtree which contains the user objects.

If you omit this property, tdsbind uses the value of the LdapUserBaseFQDN property.

See LdapUserBaseFQDN.

If the value of the LdapUserBaseFQDN property is not set, tdsbind uses the value for the tdsbind -B option.
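
The option rules in the table above (mutually exclusive TDGSS initializers, -U requiring -I, a property set both by its own option and by -O, deprecated options) can be checked before a command is run. The shell function below is an added example, not part of the Teradata documentation or tooling. The names tdsbind_lint and has, the treatment of -V as taking no value (as the table lists it), and the option-to-property pairs other than -S/LdapSystemFQDN are assumptions.

```shell
#!/bin/sh
# Added example: lint a planned tdsbind argument list against the rules in
# the option table. It only inspects arguments and never runs tdsbind.

has() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

tdsbind_lint() {
    seen="" props="" errs=0
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case $opt in
            -[BDdfGhIOpRrStUuvwX])         # options the table lists with a value
                [ $# -gt 0 ] || { echo "ERROR: $opt needs a value"; return 1; }
                if [ "$opt" = -O ]; then props="$props ${1%%=*}"
                else seen="$seen $opt"; fi
                shift ;;
            -[cqsV]) seen="$seen $opt" ;;  # listed without a value placeholder
            -*) echo "ERROR: unknown option $opt"; errs=1 ;;
            *) ;;                          # stray word (assumed: a -V value)
        esac
    done
    n=0                                    # -c, -s and -t are mutually exclusive
    for o in -c -s -t; do if has "$o" "$seen"; then n=$((n + 1)); fi; done
    if [ "$n" -gt 1 ]; then echo "ERROR: use only one of -c, -s, -t"; errs=1; fi
    if has -v "$seen" && { has -c "$seen" || has -s "$seen"; }; then
        echo "ERROR: -v cannot be used with -c or -s"; errs=1
    fi
    if has -U "$seen" && ! has -I "$seen"; then
        echo "ERROR: -U requires -I"; errs=1
    fi
    # Same property set twice. Only -S/LdapSystemFQDN is the table's example;
    # the other pairs are inferred from the defaults the table lists.
    for pair in -S:LdapSystemFQDN -B:LdapBaseFQDN -G:LdapGroupBaseFQDN \
                -X:LdapUserBaseFQDN -h:LdapServerName -d:LdapServerRealm; do
        if has "${pair%%:*}" "$seen" && has "${pair#*:}" "$props"; then
            echo "ERROR: ${pair%%:*} and -O ${pair#*:} set the same property"
            errs=1
        fi
    done
    for o in -B -d -h -p; do
        if has "$o" "$seen"; then echo "WARN: $o is deprecated"; fi
    done
    # Added caution (general practice, not from the table): arguments are
    # visible in process listings, so prefer the default interactive prompt.
    if has -w "$seen"; then
        echo "WARN: -w puts the password on the command line; omit it to be prompted"
    fi
    return "$errs"
}
```

The function prints one finding per line and returns 1 when any ERROR is found, so it can gate a wrapper script that builds tdsbind test commands.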