16.10 - LdapGroupBaseFQDN - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

This property helps LDAP narrow the directory search during user authorization, when directory groups are mapped to one or more Teradata Database external roles.

For additional information on optimizing directory searches, see Configuring LDAP Properties to Narrow the Search Base.

Valid Settings

  • “” (default), that is, the property does not specify an object to narrow the search
  • The FQDN of a directory object that contains the group objects that map to Teradata Database role objects in the directory.

Supporting Mechanisms for LdapGroupBaseFQDN

Mechanisms that are not listed in the table do not support this property. The Property Editable column indicates if the setting for a property may be edited.

Mechanism    Property Editable?
KRB5         May Be Edited
SPNEGO       May Be Edited
LDAP         May Be Edited

This property appears by default in the library configuration file for the LDAP mechanism. You can manually add it to the TdgssUserConfigFile.xml for other supporting mechanisms, if needed. See About Editing Configuration Files.

Editing Guidelines

  • You should specify a value for LdapGroupBaseFQDN if the AuthorizationSupported property for the mechanism is set to yes.
  • For best results, set the value of LdapGroupBaseFQDN to the FQDN of an object one level higher in the directory tree than the highest level group object that maps to Teradata Database external role objects.
  • If you do not edit the default value for this property (“”), LDAP uses the value of LdapBaseFQDN to search the directory. However, because LdapBaseFQDN is deprecated, this approach is not recommended.
  • Edit this property on database nodes and on the Unity server, if used. Also see Coordinating Mechanism Property Values.
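
The following Python script is an added example, not code from Teradata. It applies the guideline above by taking the parent of the highest-level mapped group as the candidate LdapGroupBaseFQDN and checking that every mapped group falls below it. The function names and all DNs are constructed assumptions, and the fallback to a shared container when groups sit in separate branches goes beyond the guideline as stated.

```python
# Added example; DNs and names are constructed, not from the Teradata manual.
def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas.
    Lowercasing approximates LDAP's case-insensitive DN matching (assumption)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip().lower())
    return [r for r in rdns if r]

def uncovered(base_dn, group_dns):
    """Return the group DNs that are not strictly below base_dn."""
    base = split_dn(base_dn)
    def below(rdns):
        return len(rdns) > len(base) and rdns[len(rdns) - len(base):] == base
    return [g for g in group_dns if not below(split_dn(g))]

def recommend_base(group_dns):
    """Parent of the highest-level group; if that misses a group, widen to
    the deepest container shared by every group's parent."""
    parsed = [split_dn(g) for g in group_dns]
    candidate = ",".join(min(parsed, key=len)[1:])
    if not uncovered(candidate, group_dns):
        return candidate
    shared = []
    for level in zip(*(reversed(p[1:]) for p in parsed)):
        if len(set(level)) != 1:
            break
        shared.insert(0, level[0])
    return ",".join(shared)

# Constructed sample: groups mapped to external roles in a hypothetical directory.
GROUPS = [
    "cn=td_dba,ou=teradata,ou=groups,dc=example,dc=com",
    "cn=td_etl,ou=batch,ou=teradata,ou=groups,dc=example,dc=com",
    "cn=Smith\\, Reports,ou=teradata,ou=groups,dc=example,dc=com",
]
```

Running `uncovered()` against the value currently configured shows which mapped groups a too-narrow base would leave outside the search. The returned base is lowercased by the normalization step.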