Setting Up Directory Authentication and Authorization - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
dita:id: B035-1100
lifecycle: previous
Product Category: Teradata Vantage™

  1. Enable external authentication in the database. See About External Authentication Controls.
    • For the Vantage nodes with gateway installed, run:
      gtwcontrol -a ON
    • On all Vantage nodes, run dbscontrol and enter m g 26 0:
      dbscontrol m g 26 0
  2. Grant external authentication privileges to the matching database users. See About External Authentication Requirements.
  3. Verify that the TdgssUserConfigFile.xml contains the following settings. Run dumpcfg to view the TDGSS configuration.
    • MechanismEnabled = "yes" (on both the server and clients)
    • AuthorizationSupported = "yes" (on all database nodes)

      If AuthorizationSupported is not set to yes, the directory user can only have the database privileges available to the matching database username.

  4. (Optional) To use auto provisioning, enable the DBSControl AutoProvision parameter:
    dbscontrol m g 81 T
  5. Configure the required LDAP mechanism properties in the TdgssUserConfigFile.xml (see Directory Identification and Search Properties):
    • LdapServerName
    • LdapServerRealm (on some systems)
  6. Complete the edits to the TdgssUserConfigFile.xml and enable them on the systems. The changes are made in the TDGSS site directory. See Changing the TDGSS Configuration. For database nodes, perform the steps in Making Changes to TdgssUserConfigFile.xml on Database Nodes.
  7. To configure Unity servers, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523.
  8. Set the LDAP mechanism as the default on all affected clients, or instruct users to specify the LDAP mechanism in the logon string. See the appropriate TTU client guide for how to configure a default mechanism for your client.
  9. Use the logon format for LDAP authentication. See Logging on Using LDAP Authentication and Authorization.
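
The checks in steps 3 and 5, applied to a database node's TdgssUserConfigFile.xml, can be scripted. The following is an added example, not Teradata code; it reads the XML file itself rather than dumpcfg output, and the Mechanism/MechanismProperties element layout, the audit_ldap_mechanism name and the sample file are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real system. The element and attribute
# layout (Mechanism Name="ldap" / MechanismProperties) is an assumption.
SAMPLE_NODE_CONFIG = """\
<TdgssConfigFile>
  <Mechanism Name="ldap">
    <MechanismProperties
        MechanismEnabled="yes"
        AuthorizationSupported="no"
        LdapServerName=""/>
  </Mechanism>
</TdgssConfigFile>
"""


def _local(tag):
    """Strip an XML namespace prefix, if the file declares one."""
    return tag.rsplit("}", 1)[-1]


def audit_ldap_mechanism(xml_text):
    """Check a database node's LDAP mechanism; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    mech = next((e for e in root.iter() if _local(e.tag) == "Mechanism"
                 and e.get("Name", "").lower() == "ldap"), None)
    if mech is None:
        return ["no ldap Mechanism element found"]
    props = next((e for e in mech if _local(e.tag) == "MechanismProperties"), None)
    attrs = props.attrib if props is not None else {}

    def is_yes(name):
        return attrs.get(name, "").strip().lower() == "yes"

    findings = []
    if not is_yes("MechanismEnabled"):
        findings.append("MechanismEnabled is not yes: the LDAP mechanism is off")
    if not is_yes("AuthorizationSupported"):
        # Consequence stated in step 3 of the procedure.
        findings.append("AuthorizationSupported is not yes: directory users get "
                        "only the privileges of the matching database username")
    if not attrs.get("LdapServerName", "").strip():
        findings.append("LdapServerName is not set")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_mechanism(SAMPLE_NODE_CONFIG):
        print("FAIL:", finding)
```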