16.10 - Testing Directory-Based IP Restrictions - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

If you map a directory user to a database user object in the directory, the directory user inherits all IP restrictions that apply to the mapped database user, as defined in the IP GDO. You can use tdsbind to check whether the GDO applies the expected IP restrictions to a mapped directory user.

  1. From the /bin directory, run the tdsbind utility to determine whether the restrictions contained in the GDO affect users as expected. Test several usernames against IP addresses from which each user should, and should not, be restricted from logging on to the database.
    $ tdsbind -U username -I IP_address

    where:

    Option          Specifies
    -U username     a Teradata Database username that tdsbind tests in combination with the specified IP address to determine whether any IP restrictions apply.
    -I IP_address   the IP address from which a logon by username is tested, for example, 141.206.35.87.

    The tdsbind utility returns output similar to:

    LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
      LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
        LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
        LdapServerName: esroot
        LdapServerPort: 389
      LdapServerRealm: esrootdom
    Logon by user <username> from IP <141.206.35.87> is [not allowed] [allowed]
    $
    The output lists the LDAP property values that tdsbind used to test the IP restrictions on the user; in this case, they are the properties that describe where in the directory tdsbind looks to find the IP restrictions.

    If you use -u dir_user (diperm01) instead of -U td_user, the test performs a bind as the directory user and returns the following additional output, which includes the identity of the mapped permanent user (perm01) from which the directory user inherits its IP restrictions:

    FQDN: CN=diperm01,OU=people,OU=testing,DC=domain,DC=com
               GUID: 535cbe8b-3bc7-ff4a-a1f1-3c56886b7858
     Audit trail ID: AKNOL3CZ1Y55UVIPRHRLIQ01YLA
           Profiles: profperm01
              Roles: extrole01perm01, extrole02perm01, extrole03perm01
              Users: perm01
  2. Based on the test results:

    If the restrictions do not function as needed, you can do one or both of the following:

    When the restrictions pass the test without problems, the IP restrictions are complete.
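The user-by-IP matrix that step 1 asks you to test, scripted as an added example that is not part of the Teradata documentation: it wraps tdsbind, parses the final "Logon by user ... is ..." line of its output, and reports every case whose result differs from what the IP GDO should enforce. The TDSBIND variable, the "allowed|denied" expectation format, and the sample matrix are assumptions.

```shell
#!/bin/sh
# Added example: drive tdsbind over a matrix of (user, IP, expected) cases
# and report any case whose result differs from what the IP GDO should enforce.
# TDSBIND is the command to run (assumption: "tdsbind" on PATH unless overridden).
TDSBIND="${TDSBIND:-tdsbind}"

# Run tdsbind for one user/IP pair and print "allowed" or "not allowed", taken
# from its final "Logon by user <u> from IP <ip> is ..." line.
# Prints "unknown" and returns 1 if no such line appears in the output.
check_ip_restriction() {
    user="$1"; ip="$2"
    line=$("$TDSBIND" -U "$user" -I "$ip" 2>&1 | grep 'Logon by user' | tail -n 1)
    case "$line" in
        *"is not allowed"*) echo "not allowed" ;;
        *"is allowed"*)     echo "allowed" ;;
        *)                  echo "unknown"; return 1 ;;
    esac
}

# Read "user ip expected" lines from stdin (expected is allowed|denied, an
# assumed format), print PASS/FAIL per case, and return the failure count.
run_matrix() {
    failures=0
    while read -r user ip expected; do
        if [ -z "$user" ]; then continue; fi
        case "$expected" in
            allowed) want="allowed" ;;
            denied)  want="not allowed" ;;
            *) echo "FAIL $user from $ip: bad expectation '$expected'"
               failures=$((failures + 1)); continue ;;
        esac
        got=$(check_ip_restriction "$user" "$ip") || true
        if [ "$got" = "$want" ]; then
            echo "PASS $user from $ip: $got"
        else
            echo "FAIL $user from $ip: expected '$want', got '$got'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample matrix (the user and address come from the page's output);
# run it with: sh test_ip_restrictions.sh run
if [ "${1:-}" = "run" ]; then
    run_matrix <<'EOF'
perm01 141.206.35.87 allowed
perm01 10.0.0.5 denied
EOF
fi
```

A non-zero exit status from run_matrix means at least one user/IP case did not behave as the GDO is expected to enforce, which is the signal to revisit the restriction definitions before relying on them.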