16.10 - Setting Up Directory Authentication and Authorization - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

  1. Enable external authentication in the database. See About External Authentication Controls.
    • For the Teradata nodes with gateway installed, run:
      gtwcontrol -a ON
    • On all Teradata nodes, run dbscontrol and enter m g 26 0:
      dbscontrol m g 26 0
  2. Grant external authentication privileges to the matching database users. See About External Authentication Requirements.
  3. Verify that the TdgssUserConfigFile.xml contains the following settings. Run dumpcfg to view the TDGSS configuration.
    • MechanismEnabled = "yes" (on both the server and clients)
    • AuthorizationSupported = "yes" (on all database nodes)

      If AuthorizationSupported is not set to yes, the directory user can only have the database privileges available to the matching database username.

  4. (Optional) To use auto provisioning, enable the DBSControl AutoProvision parameter:
    dbscontrol m g 81 T
  5. Configure the required LDAP mechanism properties in the TdgssUserConfigFile.xml (see Directory Identification and Search Properties):
    • LdapServerName
    • LdapServerRealm (on some systems)
  6. Complete edits for the TdgssUserConfigFile.xml and enable them on the systems. The changes are made in the TDGSS site directory. See Changing the TDGSS Configuration. For database nodes, perform the steps in Making Changes to the TdgssUserConfigFile.xml on Database Nodes.
  7. To configure Unity servers, see Teradata Unity Installation, Configuration, and Upgrade Guide for Customers (B035-2523).
  8. Set the LDAP mechanism as the default on all affected clients, or instruct users to specify the LDAP mechanism in the logon string. See the appropriate TTU client guide for how to configure a default mechanism for your client.
  9. Use the logon format for LDAP authentication. See Logging on Using LDAP Authentication and Authorization.
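
The checks in steps 3 and 5 can be scripted so that every node is verified the same way. The following is an added example, not part of the Teradata documentation. The XML layout (properties as attributes on or beneath an element whose Name is ldap) and the sample document are assumptions constructed for illustration; compare against the dumpcfg output on a real node.

```python
import xml.etree.ElementTree as ET

# Constructed sample, NOT a real TdgssUserConfigFile.xml. Assumed layout: the
# properties are XML attributes on or beneath an element whose Name is "ldap".
SAMPLE_NODE_CONFIG = """\
<SampleConfig>
  <Mechanism Name="ldap">
    <MechanismProperties MechanismEnabled="yes" AuthorizationSupported="no"
                         LdapServerName=""/>
  </Mechanism>
</SampleConfig>
"""

# Step 3 properties must be "yes"; the step 5 property must be non-empty.
MUST_BE_YES = ("MechanismEnabled", "AuthorizationSupported")
MUST_BE_SET = ("LdapServerName",)


def ldap_properties(xml_text):
    """Collect attributes found on or under the element named 'ldap'."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.get("Name", "").lower() == "ldap":
            return {k: v for node in elem.iter() for k, v in node.attrib.items()}
    return None


def check_ldap_config(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    props = ldap_properties(xml_text)
    if props is None:
        return ["no ldap mechanism element found"]
    findings = []
    for name in MUST_BE_YES:
        value = props.get(name)
        if value is None:
            findings.append(f"{name} is not set in this file")
        elif value.strip().lower() != "yes":
            # With AuthorizationSupported off, the directory user gets only the
            # privileges of the matching database username (note under step 3).
            findings.append(f"{name} is {value!r}, expected 'yes'")
    for name in MUST_BE_SET:
        if not props.get(name, "").strip():
            findings.append(f"{name} is missing or empty")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_config(SAMPLE_NODE_CONFIG):
        print("FINDING:", finding)
```

LdapServerRealm is left out of the required set because the page lists it as needed only on some systems.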