16.10 - LdapServerName - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Feature number: B035-1100-161K

The value of the LdapServerName property tells TDGSS which directory to use for authentication and authorization of directory users.

Valid Settings

  • "" (empty string), which is equivalent to _ldap._tcp (default)
  • A valid URI or DNS SRV RR specification

Sample Configuration for an LDAP Uniform Resource Identifier

"scheme://server1[:port]/ scheme://server2[:port]/..."

where:

Syntax Element: scheme
Description: A valid URL scheme: ldap, ldaps, gc, or gcs.

Syntax Element: server1
Description: The FQDN or IP address of the directory server. Do not use a server IP address with Active Directory and DIGEST-MD5.

For fail-over protection, you can specify multiple directory servers, beginning with the primary server. TDGSS selects servers from the list in the order configured. If a server is unavailable, TDGSS tries the next server on the list.

The list of server names must be separated by spaces, and cannot exceed 256 characters. The entire string must be enclosed in double quotation marks.

For configuring systems connected to multiple directory services, see Creating the <LdapConfig> Section in the TdgssUserConfigFile.xml.

Syntax Element: [:port]
Description: The LDAP service port (optional).

If the URI does not contain a port designation, the system uses the default port for the specified scheme:

  • ldap (389)
  • ldaps (636)
  • gc (3268)
  • gcs (3269)

Configuring DNS SRV Resource Records (RRs)

You can configure the LdapServerName property to tell LDAP to select an authenticating directory at random from the DNS domain SRV RRs, if the RRs conform to IETF RFC 2782.

For details, see the following table or go to: http://www.ietf.org/rfc/rfc2782.txt.

Property Component and Value: Specify the default domain:

_scheme._tcp or ""

Description: Directs TDGSS to select a directory from those listed in the SRV RRs for the default domain.

Property Component and Value: Specify a non-default domain:

_scheme._tcp.domain_name

Description: Directs TDGSS to select a directory from those listed in the SRV RRs for the domain you specify.

Property Component and Value: Configure a site-aware domain name, for example:

_ldap._tcp.site_name._sites.domain

Description: Directs TDGSS to select a directory that is local to the Teradata Database system to which the user logs on, from the SRV RRs for the domain. Also see Configuring LDAP for Site-Aware Authentication.
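The following parser is an added example, not Teradata or TDGSS code. It interprets an LdapServerName value using the two forms documented above (the quoted, space-separated URI list with scheme default ports and the 256-character limit, and the _scheme._tcp[.domain] DNS SRV form, including the site-aware variant) and reports what a reviewer would want flagged: cleartext schemes and IP-literal servers when Active Directory with DIGEST-MD5 is in use. The mechanism flags passed to lint() are assumptions made for the example, not TDGSS property names.

```python
# Added example (not TDGSS code): interpret an LdapServerName value as documented.
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "gc": 3268, "gcs": 3269}
SRV_FORM = re.compile(r"^_(ldap|ldaps|gc|gcs)\._tcp((?:\.[A-Za-z0-9_-]+)*)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_ldap_server_name(value):
    """Return a dict describing either a DNS SRV lookup or an explicit URI list."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):  # the property value is quoted
        value = value[1:-1]
    if value == "":
        value = "_ldap._tcp"  # documented default
    if value.startswith("_"):
        m = SRV_FORM.match(value)
        if not m:
            raise ValueError("bad SRV RR specification: %r" % value)
        scheme, domain = m.group(1), m.group(2).lstrip(".")
        return {"kind": "srv", "scheme": scheme, "domain": domain or "(default domain)",
                "site_aware": "._sites." in value, "tls": scheme in ("ldaps", "gcs")}
    if len(value) > 256:
        raise ValueError("URI list exceeds 256 characters")
    servers = []
    for uri in value.split():  # space separated; list order is the fail-over order
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError("invalid URI: %r" % uri)
        servers.append({"scheme": parts.scheme, "host": parts.hostname,
                        "port": parts.port or DEFAULT_PORTS[parts.scheme],
                        "ip_literal": bool(IPV4.match(parts.hostname)),
                        "tls": parts.scheme in ("ldaps", "gcs")})
    return {"kind": "uri", "servers": servers}


def lint(value, active_directory=False, digest_md5=False):
    """Review warnings for a value; the two flags are assumptions for this example."""
    cfg = parse_ldap_server_name(value)
    warnings = []
    if cfg["kind"] == "srv":
        if not cfg["tls"]:
            warnings.append("SRV scheme %s does not enable SSL/TLS" % cfg["scheme"])
        return warnings
    for s in cfg["servers"]:
        if not s["tls"]:
            warnings.append("%s://%s:%d is cleartext" % (s["scheme"], s["host"], s["port"]))
        if s["ip_literal"] and active_directory and digest_md5:
            warnings.append("%s: IP literal not allowed with Active Directory + DIGEST-MD5" % s["host"])
    return warnings
```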

Supporting Mechanisms for LdapServerName

Mechanisms that are not listed in the table do not support this property. The Property Editable column indicates if the setting for a property may be edited.

Mechanism: KRB5 — Property Editable? May Be Edited
Mechanism: SPNEGO — Property Editable? May Be Edited
Mechanism: LDAP — Property Editable? May Be Edited

LdapServerName appears by default in the LDAP mechanism. You must add LdapServerName to KRB5 and SPNEGO and specify a value if AuthorizationSupported=yes.

Editing Guidelines

  • You must configure this property for any mechanism with AuthorizationSupported=yes.
  • Edit this property on database nodes and on the Unity server, if used.
  • If the default associated with the domain scheme is not the correct port, you can use the URI method to specify another port.
  • You can use the _ldaps._tcp or _gcs._tcp scheme to automatically enable SSL protection. For information on SSL, see SSL/TLS Protection Options.
  • If the directory is not Active Directory, and you specify _ldaps._tcp or _gcs._tcp, you may need to manually register the location of the directory service in the DNS. For Active Directory, the process is automatic.
  • You can use the LdapServerName property to provide directory fail-over protection, by specifying multiple directory servers in a space-separated list.
  • If you use the LdapServerName property to configure site-aware authentication:
    • If the DNS service for the domain in which the database resides is not the one where Active Directory registers its site-aware DNS SRV RRs (that is, a “foreign” service), then you must also manually configure the site-aware SRV RRs in the foreign DNS service. See Configuring LDAP for Site-Aware Authentication.
  • If configuring LDAP in a Unity environment, the configuration on the Unity server and on a connected database does not have to match if users directly logging on to the database and those logging on through the Unity server are authenticated in different directories. Also see Coordinating Mechanism Property Values.
  • If users directly logging on to a database and those logging on through the Unity server are authenticated by the same directory, the LdapServerName configuration for the database and the Unity server should match.
  • If you configure multiple directory services, you need to configure an LdapServerName for each service entry. See Configuring LDAP to Use Multiple Directory Services.