If you map a directory user to database user object in the directory, the directory user inherits all the IP restrictions that are applicable to the mapped database user, as defined in the IP GDO. You can use tdsbind to check whether the GDO applies the expected IP restrictions to a mapped directory user.
- From the /bin file, run the tdsbind utility to determine if the restrictions contained in the GDO affect users as expected. Test several user names against IP addresses from which each user should, and should not, be restricted from logging on to the database.
$ tdsbind -U username -I IP_address
The Tdsbind Option... Specifies... -U username a Teradata Database username that tdsbind tests in combination with the specified IP address to determine if any IP restrictions apply. -I IP_address an IP address from which the username can log on, for example, 18.104.22.168.
The tdsbind utility returns output similar to:
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com LdapServerName: esroot LdapServerPort: 389 LdapServerRealm: esrootdom Logon by user <username> from IP <22.214.171.124> is [not allowed] [allowed] $The output includes the LDAP property values tdsbind used to test the IP restrictions on the user, in this case, the properties that describe directory characteristics necessary to find the IP restrictions.
If you use -u dir_user (diperm01) instead of -U td_user, the test performs a bind of the user and returns the following additional output, which includes the identity of the mapped permanent user (perm01) from which the directory user inherits IP restrictions:
FQDN: CN=diperm01,OU=people,OU=testing,DC=domain,DC=com GUID: 535cbe8b-3bc7-ff4a-a1f1-3c56886b7858 Audit trail ID: AKNOL3CZ1Y55UVIPRHRLIQ01YLA Profiles: profperm01 Roles: extrole01perm01, extrole02perm01, extrole03perm01 Users: perm01
- Based on the test results:
If the restrictions do not function as needed, you can do one or both of the following:
- Disable the restrictions.
- Edit the restrictions to correct any problems and then enable the revised restrictions.
When the restrictions pass the test without problems, the IP restrictions are complete.