16.10 - Option 4: Lightweight LDAP Authorizations - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Publication: B035-1100-161K

Overview

Lightweight LDAP Authorizations allow you to utilize your existing directory service to authorize Teradata Database users without modifying your directory to include Teradata-specific schema, structures, or entries. Lightweight LDAP Authorizations maps Teradata external roles to existing directory groups.

Advantages

  • Works with LDAPv3-compliant directory servers (LDAP and KRB5).
  • No Teradata infrastructure or objects need to be added to the customer's directory server.
  • Because Teradata-specific entries are not required in the directory, you can use directory management tools, such as Microsoft's Management Console snap-ins to manage your directory.
  • There is no impact to your current LDAP configuration. If you previously configured Teradata-specific objects in your directory you can continue to use that model and this new capability will not affect you.

    You cannot use both lightweight authorizations and Teradata-specific directory objects. To switch to lightweight authorizations, modify the TdgssUserConfigFile.xml. You can leave your Teradata-specific objects in the directory. You can optionally remove the Teradata-specific entries from your directory after you are sure lightweight authorizations meet the needs of your site.

Installs, Upgrades, and Backdown

Lightweight LDAP authorizations must be manually enabled on installs and upgrades.

The backdown from Release 16.0 to any pre-16.0 release is done by removing all software and doing a fresh install followed by a sysinit.

To backdown:

  1. Make a backup of the TdgssUserConfigFile.xml file.
  2. Edit TdgssUserConfigFile.xml to remove any edits that are not compatible with the target version.
  3. Run the run_tdgssconfig utility: /opt/teradata/tdgss/bin/run_tdgssconfig
  4. Run tpareset to activate the changes to the TDGSS configuration:
    tpareset -f "use updated TDGSSCONFIG GDO"
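The first two backdown steps (back up TdgssUserConfigFile.xml, then remove the edits the target release does not support) can be checked rather than eyeballed. The script below is an added example, not a Teradata utility: it copies the file to a timestamped backup, removes every <AuthSearch> element wherever it appears in the tree, and then verifies that the backup still contains the element and the live file does not. The sample document it edits is constructed for the demo; its <Config> root, <Other> element and the attribute names on <AuthSearch> are placeholders, not the real file's schema. Steps 3 and 4 (run_tdgssconfig and tpareset) are still run by hand afterwards.

```python
"""Back up TdgssUserConfigFile.xml and strip <AuthSearch> from it.

Added example, not Teradata's own tooling. It assumes only that the file
is well-formed XML with zero or more <AuthSearch> elements somewhere in
the tree. The sample below is constructed; its root element and the
attributes on <AuthSearch> are placeholders, not the real schema.
After running this, the page's remaining backdown steps still apply:
    /opt/teradata/tdgss/bin/run_tdgssconfig
    tpareset -f "use updated TDGSSCONFIG GDO"
"""
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample configuration (placeholder structure).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Config>
  <AuthSearch PlaceholderBase="ou=groups,dc=example,dc=com" PlaceholderScope="onelevel"/>
  <Other keep="yes"/>
</Config>
"""


def backup_config(path: Path) -> Path:
    """Copy the file (with metadata) to <name>.<timestamp>.bak beside it."""
    stamp = time.strftime("%Y%m%d%H%M%S")
    backup = path.with_name(f"{path.name}.{stamp}.bak")
    shutil.copy2(path, backup)
    return backup


def remove_auth_search(path: Path) -> int:
    """Delete every <AuthSearch> element in the file; return how many were removed."""
    tree = ET.parse(path)
    root = tree.getroot()
    removed = 0
    # ElementTree has no parent pointers, so walk a snapshot of all
    # elements and drop matching children from each one.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "AuthSearch":
                parent.remove(child)
                removed += 1
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return removed


def has_auth_search(path: Path) -> bool:
    """True if an <AuthSearch> element exists anywhere in the document."""
    return ET.parse(path).getroot().find(".//AuthSearch") is not None


def demo() -> dict:
    """Run the backup-and-strip sequence on the constructed sample in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "TdgssUserConfigFile.xml"
        cfg.write_text(SAMPLE_CONFIG, encoding="UTF-8")
        backup = backup_config(cfg)
        removed = remove_auth_search(cfg)
        return {
            "removed": removed,
            "backup_has_auth_search": has_auth_search(backup),
            "config_has_auth_search": has_auth_search(cfg),
            "other_element_kept": ET.parse(cfg).getroot().find("Other") is not None,
        }


if __name__ == "__main__":
    print(demo())
```

One caveat: ElementTree does not preserve XML comments or the original formatting when it rewrites the file, so diff the result against the backup before running run_tdgssconfig, and keep the backup until the backdown is verified.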

Lightweight LDAP Authorization Modes and Compatibility

  • If you do not want to use lightweight LDAP authorizations do not add <AuthSearch> to TdgssUserConfigFile.xml.
  • If you no longer want to use lightweight LDAP authorizations remove <AuthSearch> from TdgssUserConfigFile.xml.
  • Pre-16.0 clients may connect to a Teradata Database 16.0 using lightweight LDAP authorizations.
  • If the user is a member of multiple directory groups, all the groups are included in the search, and the names of the groups identify the external roles the user can occupy.
  • If a user is not a member of any directory group, then no role is returned. The user is allowed to log on, but the user is not allowed to occupy external roles. This is equivalent to authentication-only logons.
  • If the user authentication fails, the logon fails.

Search Performance

The lightweight LDAP authorizations feature searches your LDAP directory for groups and maps them to Teradata external roles. For the most efficient searches, Teradata recommends limiting the scope of the directory search; for example, by adjusting the search base and scope (onelevel vs. subtree). This is similar to how you optimize the scope of searches for users as discussed in Optimizing Directory Searches.
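The following simulation, an added example and not Teradata's TDGSS code, shows the behaviour the two preceding sections describe: every group that lists the user as a member contributes its name as an external role, a user in no group gets an empty role list (an authentication-only logon), and the search base and scope decide both how many entries are examined and whether groups in nested containers are found at all. The in-memory directory, DNs and group names are constructed for the demo; member DNs are compared after case and whitespace normalization because LDAP DNs are not case-sensitive and a group's member values are often not written the way the user's DN is.

```python
"""Simulated lightweight LDAP authorization lookup.

Added example, not Teradata's TDGSS code. It models what the page
describes: search the directory for groups that list the user as a
member, take each group's cn as the name of an external role the user
may occupy, and return no roles (authentication-only logon) when the user
is in no group. The in-memory directory, DNs and group names are
constructed for the demo.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict


def norm_dn(dn: str) -> str:
    """Normalize a DN for comparison: LDAP DNs are case-insensitive and
    tolerate whitespace around commas (simplified; no escaping handled)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parent_dn(dn: str) -> str:
    return dn.split(",", 1)[1] if "," in dn else ""


def in_scope(dn: str, base: str, scope: str) -> bool:
    """Apply an LDAP search scope (base, onelevel, subtree) to one entry."""
    dn, base = norm_dn(dn), norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "onelevel":
        return parent_dn(dn) == base
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unknown scope {scope!r}")


# Constructed sample directory (groupOfNames style: member = user DN).
DIRECTORY = [
    Entry("ou=groups,dc=example,dc=com", {"objectClass": ["organizationalUnit"]}),
    Entry("cn=td_analyst,ou=groups,dc=example,dc=com", {
        "objectClass": ["groupOfNames"], "cn": ["td_analyst"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"]}),
    Entry("cn=td_admin,ou=groups,dc=example,dc=com", {
        "objectClass": ["groupOfNames"], "cn": ["td_admin"],
        # Odd casing and spacing on purpose: still the same DN.
        "member": ["UID=Alice, OU=people, DC=example, DC=com"]}),
    Entry("ou=legacy,ou=groups,dc=example,dc=com", {"objectClass": ["organizationalUnit"]}),
    Entry("cn=td_etl,ou=legacy,ou=groups,dc=example,dc=com", {
        "objectClass": ["groupOfNames"], "cn": ["td_etl"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"]}),
    Entry("cn=everyone,ou=mail,dc=example,dc=com", {
        "objectClass": ["groupOfNames"], "cn": ["everyone"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"]}),
]


def search_groups(directory, base, scope, user_dn):
    """Return (sorted cns of groups containing user_dn, entries examined).

    The examined count is what narrowing the search base and scope reduces."""
    user = norm_dn(user_dn)
    examined = 0
    groups = []
    for entry in directory:
        if not in_scope(entry.dn, base, scope):
            continue
        examined += 1
        if "groupOfNames" not in entry.attrs.get("objectClass", []):
            continue
        members = {norm_dn(m) for m in entry.attrs.get("member", [])}
        if user in members:
            groups.extend(entry.attrs["cn"])
    return sorted(groups), examined


def authorize(user_dn, base="ou=groups,dc=example,dc=com", scope="subtree",
              directory=DIRECTORY):
    """Map the user's directory groups to external roles, as the page describes."""
    groups, examined = search_groups(directory, base, scope, user_dn)
    return {
        "external_roles": groups,            # group names are the role names
        "authentication_only": not groups,   # logon allowed, no roles to occupy
        "entries_examined": examined,
    }


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        dn = f"uid={who},ou=people,dc=example,dc=com"
        print(who, "subtree: ", authorize(dn))
        print(who, "onelevel:", authorize(dn, scope="onelevel"))
```

Run it and compare bob's two results: with a onelevel scope on ou=groups the td_etl group under ou=legacy is never examined, so he receives only td_analyst. That is the trade-off behind the recommendation above: a narrower base and scope cost fewer entries per logon, but the base must still cover every container that holds groups you intend to map to external roles.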