Setting Up Non-LDAP External Authentication with Directory Authorization - Advanced SQL Engine - Teradata Database

Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
September 2020
Language
English (United States)
Last Update
2021-01-23
dita:id
B035-1100
Product Category
Teradata Vantage™
  1. Make sure that users who will use this method:
    • Are defined to Kerberos.
    • Are defined in the directory in such a way that they can be located by an <Identity Map> or <Identity Search>. See Optimizing Directory Searches.
  2. Complete the setup tasks listed for Option 2: Directory Authentication and Authorization, with the following changes:
    1. Do not configure the LDAP mechanism, because it is not used for authentication.
    2. Copy the following mechanism properties from the LDAP mechanism in the TDGSS library configuration file into the TdgssUserConfigFile.xml for the authentication mechanism (KRB5 or SPNEGO):

      LdapServerName

      Optional LDAP identification properties, if needed. See Optimizing Directory Searches.
      Some identification properties do not apply to this option.
    3. Because this option requires service binds, Teradata strongly recommends that you implement SSL or TLS protection. See SSL/TLS Protection Options.
      Non-LDAP authentication ignores the LdapClientMechanism property setting.
    4. Set the authentication mechanism (KRB5 or SPNEGO) as the default on all affected clients, or instruct users to specify the mechanism in the logon string.
  3. You can use either of these logon forms:
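
A check for step 2 above, as an added example that is not part of the Teradata documentation: this Python script reads a TdgssUserConfigFile.xml and reports whether the KRB5 or SPNEGO mechanism carries LdapServerName, whether each listed server uses ldaps://, and whether the ignored LdapClientMechanism property is set. The `<Mechanism Name="...">`/`<MechanismProperties>` layout, the URI form of LdapServerName, and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The <Mechanism>/<MechanismProperties> layout and the
# URI form of LdapServerName are assumptions, not taken from the page.
SAMPLE = """<TdgssConfigFile>
  <Mechanism Name="KRB5">
    <MechanismProperties LdapServerName="ldap://dir1.example.com/"
                         LdapClientMechanism="simple"/>
  </Mechanism>
  <Mechanism Name="SPNEGO">
    <MechanismProperties/>
  </Mechanism>
</TdgssConfigFile>"""


def mechanism_properties(xml_text, name):
    """Merged MechanismProperties attributes of one mechanism, or None if absent."""
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        if mech.get("Name", "").lower() == name.lower():
            props = {}
            for element in mech.iter("MechanismProperties"):
                props.update(element.attrib)
            return props
    return None


def audit(xml_text, name):
    """Return findings for one authentication mechanism (KRB5 or SPNEGO)."""
    props = mechanism_properties(xml_text, name)
    if props is None:
        return [f"{name}: mechanism not defined in this file"]
    findings = []
    servers = props.get("LdapServerName", "").split()
    if not servers:
        findings.append(f"{name}: LdapServerName missing, directory cannot be reached")
    for uri in servers:
        if not uri.lower().startswith("ldaps://"):
            findings.append(f"{name}: {uri} is not ldaps://, confirm TLS is configured")
    if "LdapClientMechanism" in props:
        findings.append(f"{name}: LdapClientMechanism is set but ignored here")
    return findings


if __name__ == "__main__":
    for mechanism in ("KRB5", "SPNEGO"):
        for finding in audit(SAMPLE, mechanism):
            print(finding)
```

A server listed without ldaps:// is reported for review only, since TLS may be enabled by another setting; see SSL/TLS Protection Options.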