16.10 - Setting Up Lightweight LDAP Authorizations - Teradata Database

Teradata Database Security Administration

Product
Teradata Database
Release Number
16.10
Release Date
June 2017
Content Type
Administration
Security
Publication ID
B035-1100-161K
Language
English (United States)

Prerequisites

  • An LDAPv3-compliant directory server, for use with either LDAP or KRB5. See About Certified Directories.
  • External roles defined in the Teradata Database. See Creating and Dropping External Roles.
    The user does not need to belong to the roles in the database. However, the directory user needs to belong to a group that maps to a role. That gives the user the permission to occupy the role via SET ROLE <extrolename>.
  • Group entries in the directory which correspond to the external roles.

Setting Up the Teradata Database Server to use Lightweight Authorizations

  1. On the Teradata Database node with the lowest ID number, navigate to the directory where TdgssUserConfigFile.xml is located:
    cd /opt/teradata/tdat/tdgss/site
  2. Make a backup copy of TdgssUserConfigFile.xml.
  3. Edit TdgssUserConfigFile.xml to allow TDGSS to search the directory for group-like entries:
    1. Set AuthorizationSupported to yes.
    2. Set AuthenticationSupported to yes.
    3. Add an <AuthSearch> section.

      The <AuthSearch> section goes in the <Canonicalizations> area of the <LdapConfig> section or as a child of the <MechanismProperties> element. In both cases, <AuthSearch> is a sibling of <IdentitySearch> and <IdentityMap> elements.

      For example:

      <Mechanism Name="ldap">
         <MechanismProperties
              AuthenticationSupported="yes"
              AuthorizationSupported="yes"
              LdapBaseFQDN="dc=example,dc=com"
              … />
         <AuthSearch
              Ref="service-id"
              Base="search-base"
              Scope="{onelevel|subtree}"
              MemberAttribute="member-attribute-name"
              ObjectClass="object-class-name"
              NamingAttribute="naming-attribute-name">
              <AuthSearchMap Match="regex" Pattern="pattern"/>
         </AuthSearch>
      </Mechanism>

      See AuthSearch for details about each element.

  4. [Optional] Use tdgssauth to test the new configuration. See Working with tdgssauth.
  5. Update TDGSSCONFIG.GDO. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig
  6. Run tpareset to activate the changes:
    tpareset -f "use updated TDGSSCONFIG GDO"
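As an added check for step 3 (example code written for this page, not Teradata's tdgssauth or any other Teradata tool), the following script parses a TdgssUserConfigFile.xml fragment and verifies the settings this procedure requires before you regenerate the GDO: both flags on <MechanismProperties> are "yes", an <AuthSearch> section exists with every attribute the skeleton above lists, Scope is onelevel or subtree, and each <AuthSearchMap> Match value compiles as a regular expression. It relies only on the element and attribute names shown on this page; the sample configuration embedded in it (the DNs, the Ref value "ldap1", the group object class and the Match/Pattern values) is constructed for illustration and is not a recommended layout.

```python
"""Added example (not Teradata code): sanity-check the lightweight
authorization settings in a TdgssUserConfigFile.xml fragment.

It relies only on the element and attribute names shown in the procedure
(<Mechanism Name="ldap">, <MechanismProperties>, <AuthSearch>,
<AuthSearchMap>); every concrete value in SAMPLE_CONFIG is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's skeleton. The DNs, the Ref
# value "ldap1", the object class and the AuthSearchMap regex are
# illustrative assumptions, not values taken from a real deployment.
SAMPLE_CONFIG = """\
<TdgssUserConfigFile>
  <Mechanism Name="ldap">
    <MechanismProperties
         AuthenticationSupported="yes"
         AuthorizationSupported="yes"
         LdapBaseFQDN="dc=example,dc=com"/>
    <IdentitySearch Ref="ldap1" Base="ou=People,dc=example,dc=com" Scope="subtree"/>
    <AuthSearch
         Ref="ldap1"
         Base="ou=Groups,dc=example,dc=com"
         Scope="subtree"
         MemberAttribute="member"
         ObjectClass="groupOfNames"
         NamingAttribute="cn">
      <AuthSearchMap Match="^cn=([^,]+),ou=Groups,dc=example,dc=com$" Pattern="$1"/>
    </AuthSearch>
  </Mechanism>
</TdgssUserConfigFile>
"""

# Attributes the page's <AuthSearch> skeleton lists.
AUTHSEARCH_ATTRS = ("Ref", "Base", "Scope", "MemberAttribute",
                    "ObjectClass", "NamingAttribute")


def check_lightweight_authorization(xml_text):
    """Return a list of problems found; an empty list means the checks pass."""
    problems = []
    root = ET.fromstring(xml_text)

    mech = root.find(".//Mechanism[@Name='ldap']")
    if mech is None:
        return ['no <Mechanism Name="ldap"> element found']

    # Steps 3.1 and 3.2: both flags must be "yes" on <MechanismProperties>.
    props = mech.find("MechanismProperties")
    if props is None:
        problems.append("<Mechanism> has no <MechanismProperties> child")
    else:
        for flag in ("AuthenticationSupported", "AuthorizationSupported"):
            if props.get(flag, "").lower() != "yes":
                problems.append(f'{flag} must be "yes", found {props.get(flag)!r}')

    # Step 3.3: an <AuthSearch> section must exist. It is looked up anywhere
    # in the file so that either placement the page allows is accepted.
    searches = list(root.iter("AuthSearch"))
    if not searches:
        problems.append("no <AuthSearch> section found")
        return problems

    for auth in searches:
        for attr in AUTHSEARCH_ATTRS:
            if not auth.get(attr):
                problems.append(f"AuthSearch lacks required attribute {attr}")
        if auth.get("Scope") not in ("onelevel", "subtree"):
            problems.append(
                f"AuthSearch Scope must be onelevel or subtree, found {auth.get('Scope')!r}")
        # Each <AuthSearchMap> Match value must at least be a valid regex;
        # a typo here is otherwise only discovered at login time.
        for amap in auth.findall("AuthSearchMap"):
            try:
                re.compile(amap.get("Match", ""))
            except re.error as exc:
                problems.append(f"AuthSearchMap Match is not a valid regex: {exc}")
    return problems


if __name__ == "__main__":
    import sys
    # Pass the path of the edited TdgssUserConfigFile.xml, or run without
    # arguments to check the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    found = check_lightweight_authorization(text)
    print("OK" if not found else "\n".join(found))
```

Run it against the backup and the edited file in turn: the backup should report the flags as not "yes" (or no <AuthSearch>), the edited file should print OK. It is a structural check only; it does not contact the directory, so tdgssauth in step 4 remains the test that the search actually returns group entries.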