Once the external agent has authenticated the user, it passes the username to the directory for authorization of user access privileges, based on mappings to the matching directory user.
- Enable external authentication in the database. See About External Authentication Controls.
- At logon, the user must specify the authenticating mechanism from among the following:
- SPNEGO (not available for ODBC-based applications)Sign-On As using Kerberos authentication (KRB5 or SPNEGO mechanism) is usable only from Windows clients.
For a description of logons where LDAP does both authentication and authorization, see Logging on Using LDAP Authentication and Authorization.
- Configure the authentication mechanism:
- Set the AuthorizationSupported property for the authenticating mechanism to yes. The KRB5 and SPNEGO mechanisms set AuthorizationSupported to no by default.
- The mechanism must contain the LDAP properties and values shown in Option 3: Non-LDAP External Authentication with Directory Authorization.
- The logon username must match a username in the authorizing directory, and the matching directory user must be mapped to one or more Teradata Database objects, as shown in Provisioning Directory Users with Teradata Schema Extensions or Using Native Directory Schema to Provision Directory Users.