16.10 - Using tdsbind to Determine tdspolicy Search Parameters - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017

Before using tdspolicy to investigate the security policy applicable to a user defined in the directory, you can run tdsbind to determine parameters that may be required to run tdspolicy.

Currently, tdsbind only returns data for users authenticated or authorized in the directory.

For example, for the directory principal dirUser1, run tdsbind from the Teradata Database command prompt:

1  C:> tdsbind -u dirUser1
2   Enter LDAP password:
3              LdapGroupBaseFQDN: ou=groups,dc=domain1,dc=com
4               LdapUserBaseFQDN:
5                 LdapSystemFQDN: ou=system1,ou=tdat,dc=domain1,dc=com
6                 LdapServerName: _ldap._tcp.domain1.com
7                 LdapServerPort: 389
8               LdapClientUseTls: yes
9            LdapClientTlsCACert: /opt/teradata/tdgss/site/certs/server.pem
10          LdapClientTlsReqCert: demand
11           LdapClientMechanism: simple
12               LdapServiceFQDN: cn=teradata1,ou=services,dc=domain1,
13  LdapServicePasswordProtected: yes
14           LdapServicePassword: configured
15       LdapServiceBindRequired: yes
16         LdapClientTlsCRLCheck: none
17  LdapAllowUnsafeServerConnect: yes
18                 UseLdapConfig: yes
19        AuthorizationSupported: yes
20             FQDN: uid=dirUser1,ou=principals,dc=domain1,dc=com
21         AuthUser: ldap://dsa1.domain1.com:389/uid=dirUser1,ou=principals,dc=domain1,dc=com
22     DatabaseName: dirUser1
23          Service: local
24         Profiles: profile01
25            Roles: extrole01, extrole02, extrole03
26            Users: perm01


  • Line 1 specifies dirUser1, a directory principal user name.
  • Line 12 shows the DN of the database service (tdatSystem object) in the directory.
  • Line 20 shows the DN of the directory principal, which is required as a tdspolicy entry if the directory user is not mapped to a database user object.
  • Line 23 indicates the name of the directory service that authenticated the -u user.
  • Line 24 shows a profile that is mapped to the directory user.
  • Line 26 shows a Teradata Database user that is mapped to the directory user. If the directory user is not mapped to a Teradata user, line 26 does not appear.
You can use the -q option to return only lines 20 through 26, which include all user mappings.
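
The following is an added example, not part of the Teradata documentation: it parses saved tdsbind output and collects the mapping values described above, including whether the principal DN is needed because no Users line is present. The sample text is constructed from the listing on this page, and the function and key names in the returned dictionary (parse_tdsbind, tdspolicy_inputs, dn_required and so on) are hypothetical.

```python
import re

# Constructed sample modelled on the listing above (not captured from a real system).
SAMPLE = """\
C:> tdsbind -u dirUser1
 Enter LDAP password:
               LdapServerPort: 389
       AuthorizationSupported: yes
             FQDN: uid=dirUser1,ou=principals,dc=domain1,dc=com
         AuthUser: ldap://dsa1.domain1.com:389/uid=dirUser1,ou=principals,dc=domain1,dc=com
     DatabaseName: dirUser1
          Service: local
         Profiles: profile01
            Roles: extrole01, extrole02, extrole03
            Users: perm01
"""

# Optional leading number lets a numbered listing pasted from this page parse too.
LINE = re.compile(r"^\s*(?:\d+\s+)?([A-Za-z]\w+):\s*(.*)$")
LIST_KEYS = {"Profiles", "Roles", "Users"}


def parse_tdsbind(text):
    """Map each 'Key: value' line to a dict; mapping lists are split on commas."""
    fields = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # command prompt, password prompt and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key in LIST_KEYS:
            value = [v.strip() for v in value.split(",") if v.strip()]
        fields[key] = value
    return fields


def tdspolicy_inputs(fields):
    """Collect the values the page says may be needed to run tdspolicy."""
    if not fields.get("FQDN"):
        raise ValueError("no FQDN line: user not authenticated or authorized in the directory")
    users = fields.get("Users", [])
    return {
        "principal_dn": fields["FQDN"],
        "dn_required": not users,  # no Users line means no mapped database user
        "mapped_users": users,
        "profiles": fields.get("Profiles", []),
        "roles": fields.get("Roles", []),
    }
```

The parser splits on the first colon only, so the AuthUser LDAP URL, which contains further colons, is kept whole.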