16.10 - Using tdsbind to Determine tdspolicy Search Parameters - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

Before using tdspolicy to investigate the security policy applicable to a user defined in the directory, you can run tdsbind to determine parameters that may be required to run tdspolicy.

Currently, tdsbind only returns data for users authenticated or authorized in the directory.

For example, for the directory principal dirUser1, run tdsbind from the Teradata Database command prompt:

1  C:> tdsbind -u dirUser1
2   Enter LDAP password:
3              LdapGroupBaseFQDN: ou=groups,dc=domain1,dc=com
4               LdapUserBaseFQDN:
5                 LdapSystemFQDN: ou=system1,ou=tdat,dc=domain1,dc=com
6                 LdapServerName: _ldap._tcp.domain1.com
7                 LdapServerPort: 389
8               LdapClientUseTls: yes
9            LdapClientTlsCACert: /opt/teradata/tdgss/site/certs/server.pem
10          LdapClientTlsReqCert: demand
11           LdapClientMechanism: simple
12               LdapServiceFQDN: cn=teradata1,ou=services,dc=domain1,dc=com
13  LdapServicePasswordProtected: yes
14           LdapServicePassword: configured
15       LdapServiceBindRequired: yes
15         LdapClientTlsCRLCheck: none
16  LdapAllowUnsafeServerConnect: yes
17                 UseLdapConfig: yes
18        AuthorizationSupported: yes
19
20             FQDN: uid=dirUser1,ou=principals,dc=domain1,dc=com
21         AuthUser: ldap://dsa1.domain1.com:389/uid=dirUser1,ou=principals,dc=domain1,dc=com
22     DatabaseName: dirUser1
23          Service: local
24         Profiles: profile01
25            Roles: extrole01, extrole02, extrole03
26            Users: perm01

where:

  • Line 1 specifies dirUser1, a directory principal user name.
  • Line 12 shows the DN of the database service (tdatSystem object) in the directory.
  • Line 20 shows the DN of the directory principal, which is required as a tdspolicy entry if the directory user is not mapped to a database user object.
  • Line 23 indicates the name of the directory service that authenticated the -u user.
  • Line 24 shows a profile that is mapped to the directory user.
  • Line 26 shows a Teradata Database user that is mapped to the directory user. If the directory user is not mapped to a Teradata user, line 26 does not appear.

You can use the -q option to return only lines 20 through 26, which include all user mappings.
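As an added example that is not part of the Teradata documentation, the following Python script parses tdsbind output of the shape shown above and collects the values the bullets describe (service DN, principal DN, authenticating service, profiles, roles, mapped users). It flags the case the last bullet describes: when no Users line is present, the principal DN on line 20 must be supplied to tdspolicy. The sample output is constructed from the listing above; the field names are those tdsbind prints on this page.

```python
"""Collect tdspolicy search parameters from captured tdsbind output."""
import re

# Constructed sample, modelled on the tdsbind listing above (line numbers stripped).
SAMPLE_OUTPUT = """\
Enter LDAP password:
           LdapGroupBaseFQDN: ou=groups,dc=domain1,dc=com
            LdapUserBaseFQDN:
              LdapSystemFQDN: ou=system1,ou=tdat,dc=domain1,dc=com
             LdapServiceFQDN: cn=teradata1,ou=services,dc=domain1,dc=com
      AuthorizationSupported: yes

            FQDN: uid=dirUser1,ou=principals,dc=domain1,dc=com
        AuthUser: ldap://dsa1.domain1.com:389/uid=dirUser1,ou=principals,dc=domain1,dc=com
    DatabaseName: dirUser1
         Service: local
        Profiles: profile01
           Roles: extrole01, extrole02, extrole03
           Users: perm01
"""

# One "Key: value" per line; the key is a single word, so the password prompt is skipped.
LINE_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$")


def parse_tdsbind(text):
    """Return {key: value} for every Key: value line; an empty value is kept as ''."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def tdspolicy_params(fields):
    """Pick out the values the bullets above say matter, splitting list-valued lines."""
    def as_list(value):
        return [v.strip() for v in value.split(",") if v.strip()] if value else []
    users = as_list(fields.get("Users", ""))
    return {
        "service_dn": fields.get("LdapServiceFQDN", ""),   # line 12
        "principal_dn": fields.get("FQDN", ""),            # line 20
        "auth_service": fields.get("Service", ""),         # line 23
        "profiles": as_list(fields.get("Profiles", "")),   # line 24
        "roles": as_list(fields.get("Roles", "")),
        "users": users,                                    # line 26, absent when unmapped
        # No Users line means no database user mapping, so tdspolicy needs the principal DN.
        "principal_dn_required": not users,
    }
```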