Prerequisites
- LDAPv3 compliant directory server, either LDAP or KRB5. See About Certified Directories.
- External roles defined in Teradata Vantage. See Creating and Dropping External Roles.The user does not need to belong to the roles in the database. However, the directory user needs to belong to a group that maps to a role. That gives the user the permission to occupy the role via SET ROLE <extrolename>.
- Group entries in the directory which correspond to the external roles.
Setting Up the Teradata Vantage Server to use Lightweight Authorizations
- On the Vantage node with the lowest ID number, navigate to the directory where TdgssUserConfigFile.xml is located:
cd /opt/teradata/tdat/tdgss/site
- Make a backup copy of TdgssUserConfigFile.xml.
- Edit TdgssUserConfigFile.xml to allow TDGSS to search the directory for
group-like entries:
- Set AuthorizationSupported to yes.
- Set AuthenticationSupported to yes.
- Add an <AuthSearch> section.
The <AuthSearch> section goes in the <Canonicalizations> area of the <LdapConfig> section or as a child of the <MechanismProperties> element. In both cases, <AuthSearch> is a sibling of <IdentitySearch> and <IdentityMap> elements.
For example:
Mechanism Name="ldap"> <MechanismProperties AuthenticationSupported="yes" AuthorizationSupported="yes" LdapBaseFQDN="dc=example,dc=com" … /> <AuthSearch Ref="service-id" Base="search-base" Scope="{onelevel|subtree}" MemberAttribute="member-attribute-name" ObjectClass="object-class-name" NamingAttribute="naming-attribute-name" <AuthSearchMap Match="regex" Pattern="pattern"/> /> </Mechanism>
See <AuthSearch> for details about each element.
- Update TDGSSCONFIG.GDO. Run:
/opt/teradata/tdgss/bin/run_tdgssconfig
- [Optional] Use tdgssauth to test the new configuration. See Working with tdgssauth.
- Run tpareset to activate the
changes:
tpareset -f “use updated TDGSSCONFIG GDO”