16.10 - Example: Test of IP Access Restrictions for Directory Users - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Document number: B035-1100-161K

Suppose the IP GDO defines IP access restrictions as follows:

<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="tnt38">
    <users tag="users">
      <user name="drct01"/>
      <user name="drct02"/>
      <user name="perm01" tag="tagperm01"/>
    </users>
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.36.0/24"/>
        <allow ip="141.206.35.0/24"/>
        <deny ip="141.206.35.88/32"/>
        <appliesto tagref="allusers"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>

Use tdsbind to test user restrictions (without binding), based on the XML document entry above, to determine which restrictions apply to user djl for the IP addresses from which that user normally logs on to the database.

The last line of the output indicates whether the logon is allowed or denied.

$ tdsbind -U djl -I 141.206.35.87
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.87> is allowed
$ tdsbind -U djl -I 141.206.35.88
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.88> is not allowed
$ tdsbind -U djl -I 141.206.35.89
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
Logon by user <djl> from IP <141.206.35.89> is allowed
$
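The three tdsbind results above follow directly from the restrictive filter in the IP GDO: 141.206.35.87 and 141.206.35.89 fall inside the allowed 141.206.35.0/24 range, while 141.206.35.88 is carved out by the /32 deny entry, so a deny entry wins over a broader allow. The following script is an added example, not part of the Teradata documentation or the tdsbind tool; it parses a constructed copy of the GDO shown above and evaluates an address against every ipfilter so an administrator can predict the outcome of a tdsbind check before touching the LDAP server. The semantics it assumes are: a restrictive filter permits only addresses in its allow ranges, minus any deny ranges; a permissive filter (not shown on this page) blocks only addresses in its deny ranges, except those also listed under allow. The function names and the handling of the permissive type are this example's assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the IP GDO shown on this page (same filter, same addresses).
IP_GDO_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tdat name="tdat">
  <system name="tnt38">
    <users tag="users">
      <user name="drct01"/>
      <user name="drct02"/>
      <user name="perm01" tag="tagperm01"/>
    </users>
    <ipfilters>
      <ipfilter name="filter1" type="restrictive">
        <allow ip="141.206.36.0/24"/>
        <allow ip="141.206.35.0/24"/>
        <deny ip="141.206.35.88/32"/>
        <appliesto tagref="allusers"/>
      </ipfilter>
    </ipfilters>
  </system>
</tdat>
"""


def load_filters(xml_text):
    """Parse every <ipfilter> into (name, type, allow_networks, deny_networks)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    filters = []
    for f in root.iter("ipfilter"):
        # strict=False accepts host bits in a prefix, e.g. "141.206.35.88/32" or "10.1.2.3/24".
        allow = [ipaddress.ip_network(e.get("ip"), strict=False) for e in f.findall("allow")]
        deny = [ipaddress.ip_network(e.get("ip"), strict=False) for e in f.findall("deny")]
        filters.append((f.get("name"), f.get("type"), allow, deny))
    return filters


def evaluate(filters, ip):
    """Return (allowed, blocking_filter_name). Assumed semantics, inferred from the page:
    restrictive  -> allowed only if inside an allow range and not inside a deny range;
    permissive   -> blocked only if inside a deny range and not inside an allow range.
    The first filter that refuses the address decides, as with a deny-wins policy."""
    addr = ipaddress.ip_address(ip)
    for name, ftype, allow, deny in filters:
        in_allow = any(addr in net for net in allow)
        in_deny = any(addr in net for net in deny)
        if ftype == "restrictive":
            permitted = in_allow and not in_deny
        elif ftype == "permissive":
            permitted = in_allow or not in_deny
        else:
            raise ValueError("unknown ipfilter type: %r" % ftype)
        if not permitted:
            return False, name
    return True, None


def logon_line(user, ip, filters):
    """Reproduce the final tdsbind line for a user/address pair."""
    allowed, _ = evaluate(filters, ip)
    verdict = "allowed" if allowed else "not allowed"
    return "Logon by user <%s> from IP <%s> is %s" % (user, ip, verdict)


if __name__ == "__main__":
    gdo_filters = load_filters(IP_GDO_XML)
    for test_ip in ("141.206.35.87", "141.206.35.88", "141.206.35.89", "10.0.0.1"):
        print(logon_line("djl", test_ip, gdo_filters))
```

Running the script prints the same allowed/not allowed verdicts as the three tdsbind invocations above, plus a fourth line showing that an address outside every allow range (10.0.0.1) is refused by the restrictive filter. Because the evaluation is offline, it is a convenient way to review a proposed GDO change for unintended denials before it is loaded.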

You can also use tdsbind to test an LDAP logon for a particular IP address, with binding.

$ tdsbind -u diperm01 -I 141.206.35.88
Enter LDAP password:
LdapGroupBaseFQDN: ou=groups,ou=testing,dc=domain,dc=com
 LdapUserBaseFQDN: ou=people,ou=testing,dc=domain,dc=com
   LdapSystemFQDN: cn=end2end,cn=tdat,ou=testing,dc=domain,dc=com
   LdapServerName: esroot
   LdapServerPort: 389
  LdapServerRealm: esrootdom
           FQDN: CN=diperm01,OU=people,OU=testing,DC=domain,DC=com
           GUID: 535cbe8b-3bc7-ff4a-a1f1-3c56886b7858
 Audit trail ID: AKNOL3CZ1Y55UVIPRHRLIQ01YLA
       Profiles: profperm01
          Roles: extrole01perm01, extrole02perm01, extrole03perm01
          Users: perm01
Logon by user <perm01> from IP <141.206.35.88> is not allowed
$