16.10 - Explanation of Single Sign-on Examples - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017

The following explains logon terms used in the Single Sign-on example.

Syntax elements and their descriptions:

mech_name
Required only if KRB5 is not used. Specify the SPNEGO mechanism for Kerberos authentication from a Windows .Net client.
If no mechanism and no user credentials are specified, the system assumes a single sign-on and authenticates with Kerberos.

authorization_qualifier
Required if users are authorized by a directory, that is, the KRB5 mechanism has AuthorizationSupported=yes:
  • The directory user is mapped to multiple user or profile objects (for all mechanisms).
  • LDAP uses SASL/DIGEST-MD5 binding (the default), the directory offers more than one realm, and the value of the LdapServerRealm property is set to the default “” (for the LDAP mechanism only).
Individual specifications within the .logdata statement must be separated by white space.

If the matching directory user is mapped to multiple database users:

If the directory user is mapped to more than one database user, specify the user with the database privileges needed for the session in the form:

user=database_username

The database username can be either a database user or EXTUSER.

If the matching directory user is mapped to multiple profiles:

  • If a directory user is mapped to multiple profiles, specify profile=profile_name to identify the session profile.
  • If the directory user is mapped to one or more database users, and also to a profile, the session defers to the separately mapped profile instead of the profile belonging to the mapped database user.

If the directory offers multiple realms:

Specify the realm as it appears in the directory, normally the fully qualified DNS name of the directory, for example:


The system processes realm information as follows:

tdpid/
Required. The tdpid identifies the Teradata Database system, Unity server, or host group to which the logon, if successful, connects.

,,
User credentials are not required for single sign-on.

The ,, is required as a placeholder for the user credentials only if an account string is specified. Otherwise commas are not needed.

"account"
Optional. The account string must be enclosed in double quotation marks. For information on accounts, see Database Administration.
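
A small linter for the logon rules described above, as an added example that is not Teradata code or part of the original page. It assumes the BTEQ command spellings `.logmech` and `.logon` (only `.logdata` is named on this page) and that each specification is a key=value token; the sample scripts and the values tdprod, dbuser1, etl_profile and acct01 are constructed.

```python
import re

# Constructed sample scripts; tdprod, dbuser1, etl_profile, acct01 are made-up values.
GOOD = '''.logmech SPNEGO
.logdata user=dbuser1 profile=etl_profile
.logon tdprod/,,"acct01"
'''
BAD = '''.logdata user=dbuser1,profile=etl_profile
.logon tdprod/,,acct01
'''

# Assumption: a specification is key=value and the value holds no comma or "=".
SPEC_RE = re.compile(r'\w+=[^\s,=]+')
LOGON_RE = re.compile(r'(?P<tdpid>[^/\s]*)/(?P<rest>.*)')


def lint_sso_logon(script):
    """Return (line_number, message) findings for a single sign-on logon script."""
    findings = []
    for n, raw in enumerate(script.splitlines(), 1):
        cmd, _, arg = raw.strip().rstrip(';').partition(' ')
        cmd, arg = cmd.lower(), arg.strip()
        if cmd == '.logdata':
            # Specifications must be separated by white space, nothing else.
            for spec in arg.split():
                if not SPEC_RE.fullmatch(spec):
                    findings.append((n, f'malformed .logdata specification: {spec!r}'))
        elif cmd == '.logon':
            m = LOGON_RE.fullmatch(arg)
            if not m or not m.group('tdpid'):
                findings.append((n, 'tdpid/ is required'))
                continue
            rest = m.group('rest').strip()
            if rest in ('', ',,'):
                continue  # no credentials and no account string
            if not rest.startswith(',,'):
                findings.append((n, 'user credentials present; not a single sign-on logon'))
            elif not re.fullmatch(r',,\s*"[^"]+"', rest):
                findings.append((n, 'account string must be enclosed in double quotation marks'))
    return findings


if __name__ == '__main__':
    for name, script in (('GOOD', GOOD), ('BAD', BAD)):
        print(name, lint_sso_logon(script))
```

Running such a check over stored logon scripts flags ones that embed user credentials where single sign-on is intended.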