16.10 - Kerberos or LDAP Authentication with Directory Authorization - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)
  • The directory should be LDAPv3-compliant. See About Certified Directories.
  • The client from which the user logs on must be Windows, Linux, or UNIX (except IBM z/OS clients), and the system must be set up as shown in Working with Kerberos Authentication.
  • Verify that the MechanismEnabled property is set to yes for the authentication mechanism (KRB5, SPNEGO, or LDAP) on the database, on Unity (if used), and on all clients that use the mechanism.
  • Set the mechanism as the client default, or the user must select it at logon.
  • The user must have LOGON...WITH NULL PASSWORD privileges.
  • The username must follow these requirements:
    • For Kerberos authentication, the authorized username must match a Teradata Database user that has WITH NULL PASSWORD privileges; the Teradata Database username does not have to be the same as the authenticated username. If there is no directory authorization, the Kerberos username and the Teradata Database username must match and be granted WITH NULL PASSWORD. See About Logon Privileges.
    • For LDAP authentication, the directory user must be mapped to a database user having WITH NULL PASSWORD privileges.

      For username requirements, see the topics about logging on with Kerberos and LDAP authentication in Logging on to Teradata Database.

  • Configure the authentication mechanism for directory authorization in TdgssUserConfigFile.xml on all required databases and on the Unity server, if used. See Changing the TDGSS Configuration.
  • Configure the directory to map directory users to Teradata Database directory objects to define authorization criteria.
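As an added check for the MechanismEnabled and directory-authorization prerequisites above (example code, not Teradata's own), the following script audits a TdgssUserConfigFile.xml fragment and reports, per mechanism, what still needs fixing; it can be run against the file copied from each database node, Unity server, and client. The element layout (a Mechanism element with a Name attribute containing a MechanismProperties element) and the AuthorizationSupported property are assumptions; the sample configuration is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real site's configuration: KRB5 passes,
# SPNEGO is disabled, LDAP is enabled but without directory authorization.
SAMPLE_CONFIG = """<Configuration>
  <Mechanism Name="TD2">
    <MechanismProperties MechanismEnabled="yes" DefaultMechanism="yes"/>
  </Mechanism>
  <Mechanism Name="KRB5">
    <MechanismProperties MechanismEnabled="yes" DefaultMechanism="no"/>
  </Mechanism>
  <Mechanism Name="SPNEGO">
    <MechanismProperties MechanismEnabled="no" DefaultMechanism="no"/>
  </Mechanism>
  <Mechanism Name="LDAP">
    <MechanismProperties MechanismEnabled="yes" DefaultMechanism="no"
                         AuthorizationSupported="no"/>
  </Mechanism>
</Configuration>
"""

# Mechanisms the checklist above covers.
DIRECTORY_MECHANISMS = ("KRB5", "SPNEGO", "LDAP")


def audit_mechanisms(xml_text, required=DIRECTORY_MECHANISMS):
    """Return {mechanism: [findings]}; an empty list means the mechanism passes."""
    root = ET.fromstring(xml_text)
    props = {}
    for mech in root.iter("Mechanism"):          # assumed element layout
        node = mech.find("MechanismProperties")
        props[(mech.get("Name") or "").upper()] = node.attrib if node is not None else {}
    report = {}
    for name in required:
        findings = []
        attrs = props.get(name)
        if attrs is None:
            findings.append("mechanism not present in the configuration")
        else:
            if attrs.get("MechanismEnabled", "").lower() != "yes":
                findings.append("MechanismEnabled is %r, expected 'yes'" % attrs.get("MechanismEnabled"))
            # AuthorizationSupported (assumed name) turns on directory authorization for LDAP.
            if name == "LDAP" and attrs.get("AuthorizationSupported", "").lower() != "yes":
                findings.append("AuthorizationSupported is not 'yes': directory authorization is off")
        report[name] = findings
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for mech, findings in audit_mechanisms(text).items():
        print(mech, "OK" if not findings else "; ".join(findings))
```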