16.10 - Editing TdgssUserConfigFile.xml for Service Binds - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

You must edit the TdgssUserConfigFile.xml to enable service binds.

The following procedure includes steps that generate an encrypted version of the service password for use in the TdgssUserConfigFile.xml, so that the value of the LdapServicePassword property is not stored in plain text.
  1. Modify the TdgssUserConfigFile.xml and set the LdapServiceFQDN property with the bind account DN.
  2. Update TDGSSCONFIG.GDO. Run:
    run_tdgssconfig
  3. Generate a protected password using the tdspasswd command:
    1. At the Teradata command prompt, enter:
      $ tdspasswd -m mechanism

      where mechanism is the authentication mechanism for which you are editing the TdgssUserConfigFile.xml; for example, ldap.

    2. The system prompts you to enter the new password.
      Enter New password:
      Confirm New password:
      The system does not display the password when you enter it.
    3. After the system confirms the new password, it generates and displays an encrypted version of the password, for example:
      $ tdspasswd -m ldap
      Enter New password:
      Confirm New password:
      AV8Jeq2cvjmAjiHgcSrAUoE=
      $
      Only the mechanism you specify in the -m option can use the encrypted password, and only for service binds.
    If the LdapServiceFQDN bind account DN is changed, the above steps must be run again, even if the bind account plain text password remains the same.
  4. Edit the mechanism to specify a service user and password for the service bind:
    <Mechanism Name="ldap">
      <MechanismProperties
        ...
        LdapServiceBindRequired="yes"
        LdapServiceFQDN="cn=service_id,ou=services,dc=domain,dc=com"
        LdapServicePassword="encrypted_password"
        LdapServicePasswordProtected="yes"
        ...
        />
    </Mechanism>
    The LdapServicePasswordProtected property is only an indicator of password protection status, and does not enable the protection.

    where:

    Property Value      Description
    service_id          The CN of the service user object in the directory.
    encrypted_password  The encrypted password generated in step 3c (sub-step 3 of step 3).
  5. Run the run_tdgssconfig utility to send the changes to the TDGSSCONFIG GDO:
    run_tdgssconfig
  6. Run tpareset from the Teradata Database node with the lowest ID number, to activate the changes to the TDGSS configuration.
    tpareset "use updated TDGSSCONFIG GDO"
  7. Repeat this procedure on the Teradata Unity server, if used. For information about Unity, see Teradata Unity Installation, Configuration, and Upgrade Guide for Customers (B035-2523) and Teradata Unity User Guide (B035-2520).
Service binds configured for the LDAP mechanism apply to all external authentication mechanisms.
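As an added example (not part of this Teradata publication), the following Python script parses a constructed TdgssUserConfigFile.xml fragment and reports whether the service-bind properties set in step 4 are complete, in particular whether LdapServicePasswordProtected still reads "no", which indicates the password was never run through tdspasswd. The sample DN and password value are placeholders; only the property names come from the procedure above.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a TdgssUserConfigFile.xml, not a real customer file.
# The bind DN and the encrypted password value are placeholders.
SAMPLE_CONFIG = """<TdgssUserConfigFile>
  <Mechanism Name="ldap">
    <MechanismProperties
      LdapServiceBindRequired="yes"
      LdapServiceFQDN="cn=service_id,ou=services,dc=domain,dc=com"
      LdapServicePassword="AV8Jeq2cvjmAjiHgcSrAUoE="
      LdapServicePasswordProtected="yes"
    />
  </Mechanism>
</TdgssUserConfigFile>
"""


def check_service_bind(xml_text, mechanism="ldap"):
    """Return a list of findings for the service-bind settings of one
    <Mechanism>; an empty list means the settings look complete."""
    root = ET.fromstring(xml_text)
    props = root.find(f"./Mechanism[@Name='{mechanism}']/MechanismProperties")
    if props is None:
        return [f"{mechanism}: no <MechanismProperties> element found"]
    a = props.attrib
    findings = []
    if a.get("LdapServiceBindRequired", "no").lower() != "yes":
        # Service binds are off, so the remaining properties are not in effect.
        return [f"{mechanism}: LdapServiceBindRequired is not \"yes\""]
    fqdn = a.get("LdapServiceFQDN", "")
    # A bind DN is a comma-separated list of attribute=value pairs.
    if not fqdn or not all("=" in rdn for rdn in fqdn.split(",")):
        findings.append(f"{mechanism}: LdapServiceFQDN is missing or not a DN: {fqdn!r}")
    if not a.get("LdapServicePassword"):
        findings.append(f"{mechanism}: LdapServicePassword is not set")
    # The Protected flag is only an indicator: "no" means the value in
    # LdapServicePassword was never generated with tdspasswd. A "yes" cannot
    # be verified offline, since the encrypted format is not documented here.
    if a.get("LdapServicePasswordProtected", "no").lower() != "yes":
        findings.append(f"{mechanism}: LdapServicePassword is stored in plain text; "
                        f"generate it with tdspasswd -m {mechanism}")
    return findings


if __name__ == "__main__":
    for line in check_service_bind(SAMPLE_CONFIG) or ["ldap: service bind settings OK"]:
        print(line)
```

Point the script at the actual file with `check_service_bind(open(path).read())` after editing, before running run_tdgssconfig, to catch a missed property or a forgotten tdspasswd step.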