16.10 - Creating the <LdapConfig> Section in the TdgssUserConfigFile.xml - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

The <LdapConfig> section must contain at least:

  • 1 <Service>
  • 1 canonicalization, that is, 1 <IdentityMap> or <IdentitySearch> element

  1. Create the <LdapConfig> section by adding the following elements to the TdgssUserConfigFile.xml. The <LdapConfig> section must be located directly after the <Mechanisms> section and at the same level as the <Mechanisms> section.

    For example:

    <LdapConfig>
      <Services>
        <Service
        ...
        </Service>
        <Service
        ...
        </Service>
        <Service
        ...
        </Service>
      </Services>
      <Canonicalizations>
      ...
      </Canonicalizations>
    </LdapConfig>
  2. Add the optional <Tls> protection section as the first element of the configuration. This section is the global default for all configured services. For example:
    <LdapConfig>
      <!-- The default TLS configuration goes here. -->
      <Tls
        LdapClientTlsCACertDir="/etc/ssl/certs"
        LdapClientTlsReqCert="allow"
        LdapClientTlsCACert="/etc/ssl/certs.pem"
        LdapClientTlsCert="/etc/ssl/certs/client.pem"
        LdapClientTlsKey="/etc/ssl/certs/key.pem"
        LdapClientTlsRandFile="/dev/random"
        LdapClientTlsCipherSuite="!LOW"/>
      ...
    </LdapConfig>

    If the TLS requirements vary among directory services, you can configure TLS separately for each <Service>, as shown in the next step. Also see SSL/TLS Protection Options. The settings for a service override the global settings.
  3. Configure a <Service> element for each directory service. For example:
    <Services>
      <Service
        Id="svc.div1root"
        LdapServerName="ldap://div1root/ ldap://tdgss/ ldap://wave/"
        LdapBaseFQDN="dc=div1rootdom,dc=div1dev,dc=corp"
        LdapServiceFQDN="cn=div1root,ou=services,dc=div1rootdom,dc=div1dev,dc=corp"
        LdapSystemFQDN="cn=end2end,cn=tdat,dc=div1rootdom,dc=div1dev,dc=corp"
        LdapServicePassword="password"
        LdapClientUseTls="no"
        LdapClientMechanism="simple">
        <!-- Overrides to the default TLS configuration go here. -->
        <Tls
          LdapClientTlsReqCert="demand"
          LdapClientTlsCert="/home/mycert"/>
      </Service>
      <Service
      ...
      </Service>
    </Services>

    where:

    Property                                    Description
    --------                                    -----------
    Id="svc.div1root"                           Uniquely names a directory service.
    LdapServerName= ... LdapClientMechanism=    The LDAP properties that are required for the service, according to
                                                site needs. You only need to include properties with non-default values.
    LdapServicePassword="password"              Set this property to the encrypted password created in step 4.
    LdapClientTlsReqCert="demand"               Optional <Tls> sub-section that contains values to override the defaults
    LdapClientTlsCert="/home/mycert"/>          in the main <Tls> section, for this service only.
  4. Use the tdspasswd tool to generate an encrypted password for the private key file.
    # tdspasswd -s svc.div1root
    Enter New password:
    Confirm New password:
    ASfb+l7norNgJHZZBufEmRS=

    where svc.div1root is the value specified for the Id property in the <Service> configuration shown in step 3.

    When prompted by the tool, enter a password. The tool generates an encrypted version of the password, for example: ASfb+l7norNgJHZZBufEmRS=

  5. Enter the encrypted version of the password as the value of the LdapServicePassword property in the configuration shown in step 3.
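The rules in steps 1 through 5 (placement of <LdapConfig> directly after <Mechanisms>, at least one <Service>, at least one <IdentityMap> or <IdentitySearch>, a per-service <Tls> that overrides the global <Tls>, and an encrypted LdapServicePassword) can be checked mechanically before the file is deployed. The following linter is an added example, not Teradata code or part of this page's procedure: it parses a constructed TdgssUserConfigFile.xml fragment and reports structural errors plus settings a reviewer would question. The <Canonicalization> wrapper with its Id and Service attributes, the <Mechanism Name="ldap"/> element, the assumption that LdapClientUseTls defaults to "no", and the base64-shaped test for tdspasswd output are assumptions made for this example, not documented Teradata behaviour.

```python
"""Lint the <LdapConfig> section of a TdgssUserConfigFile.xml.

Added example, not Teradata code: it checks the structural rules in the
procedure above and flags weak TLS and password settings per service.
"""
import re
import xml.etree.ElementTree as ET

# Heuristic (assumption, not a Teradata rule): tdspasswd output on the page is
# base64-like text, so a short plain word is reported as an unencrypted value.
ENCRYPTED_PW_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed sample. Tls/Services/Service/Canonicalizations names follow the
# page; <Mechanism>, the <Canonicalization> wrapper and all values are
# placeholders invented for this example.
SAMPLE_XML = """<TdgssUserConfigFile>
  <Mechanisms>
    <Mechanism Name="ldap"/>
  </Mechanisms>
  <LdapConfig>
    <!-- The default TLS configuration goes here. -->
    <Tls LdapClientTlsReqCert="allow" LdapClientTlsCipherSuite="!LOW"/>
    <Services>
      <Service
        Id="svc.div1root"
        LdapServerName="ldap://div1root/ ldap://tdgss/"
        LdapBaseFQDN="dc=div1rootdom,dc=div1dev,dc=corp"
        LdapServiceFQDN="cn=div1root,ou=services,dc=div1rootdom,dc=div1dev,dc=corp"
        LdapServicePassword="password"
        LdapClientUseTls="no"
        LdapClientMechanism="simple">
        <!-- Overrides to the default TLS configuration go here. -->
        <Tls LdapClientTlsReqCert="demand"/>
      </Service>
      <Service
        Id="svc.div2"
        LdapServerName="ldaps://div2/"
        LdapBaseFQDN="dc=div2,dc=corp"
        LdapServicePassword="ASfb+l7norNgJHZZBufEmRS="
        LdapClientUseTls="yes"
        LdapClientMechanism="simple"/>
    </Services>
    <Canonicalizations>
      <Canonicalization Id="canon.div1" Service="svc.div1root">
        <IdentityMap/>
      </Canonicalization>
    </Canonicalizations>
  </LdapConfig>
</TdgssUserConfigFile>
"""


def effective_tls(global_tls, service):
    """Per-service <Tls> attributes override the global <Tls> attributes."""
    merged = dict(global_tls.attrib) if global_tls is not None else {}
    svc_tls = service.find("Tls")
    if svc_tls is not None:
        merged.update(svc_tls.attrib)
    return merged


def lint_ldap_config(xml_text):
    """Return a list of 'CODE message' findings; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    tags = [child.tag for child in root]  # ElementTree drops XML comments
    if "LdapConfig" not in tags:
        return ["E001 <LdapConfig> section is missing"]
    if "Mechanisms" not in tags or tags.index("LdapConfig") != tags.index("Mechanisms") + 1:
        findings.append("E002 <LdapConfig> must directly follow <Mechanisms> at the same level")
    ldap = root[tags.index("LdapConfig")]
    global_tls = ldap.find("Tls")

    services = ldap.findall("Services/Service")
    if not services:
        findings.append("E003 at least one <Service> is required")
    seen_ids = set()
    for svc in services:
        sid = svc.get("Id", "")
        if not sid or sid in seen_ids:
            findings.append(f"E004 <Service> Id missing or duplicated: {sid!r}")
        seen_ids.add(sid)
        # The bind is protected if TLS is negotiated or every URI is ldaps://
        # (assumption: LdapClientUseTls is treated as "no" when absent).
        use_tls = svc.get("LdapClientUseTls", "no").lower() == "yes"
        uris = svc.get("LdapServerName", "").split()
        ldaps_only = bool(uris) and all(u.startswith("ldaps://") for u in uris)
        if not (use_tls or ldaps_only):
            findings.append(f"W101 {sid}: service bind is not protected by TLS")
        req_cert = effective_tls(global_tls, svc).get("LdapClientTlsReqCert", "")
        if req_cert.lower() != "demand":
            findings.append(f"W102 {sid}: effective LdapClientTlsReqCert is {req_cert!r}, not 'demand'")
        if not ENCRYPTED_PW_RE.match(svc.get("LdapServicePassword", "")):
            findings.append(f"W103 {sid}: LdapServicePassword does not look like tdspasswd output")

    canon = ldap.find("Canonicalizations")
    has_canon = canon is not None and any(
        e.tag in ("IdentityMap", "IdentitySearch") for e in canon.iter())
    if not has_canon:
        findings.append("E005 at least one <IdentityMap> or <IdentitySearch> is required")
    return findings


if __name__ == "__main__":
    for line in lint_ldap_config(SAMPLE_XML):
        print(line)
```

Run against the sample, the linter reports that svc.div1root binds without TLS and still carries the placeholder password from step 3, and that svc.div2 inherits the global LdapClientTlsReqCert="allow" because it has no per-service <Tls> override; the structural checks pass because <LdapConfig> sits directly after <Mechanisms> and a <Canonicalizations> section with an <IdentityMap> is present.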