In a Unity environment, the values of certain mechanism properties must maintain a required relationship between the TdgssUnityConfig.xml on the Unity server and the TdgssUserConfigFile.xml on connected Teradata Vantage systems. Allowable property configurations depend on whether you allow logons through both Unity and directly to connected database systems, and whether you want the same behavior for all logons.
Before configuring a property value, check the configuration requirements for the property.
For information on Unity configuration, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523.
The following table defines property configuration rules, but does not describe how to determine specific values. Properties appear in the table in the approximate order they appear in containing mechanisms. Properties not shown in the table are not configurable.
| Property | Configuration on Unity and Connected Database |
|---|---|
| | The values of these properties can vary by mechanism, but for a specific mechanism the value must be the same on Unity servers and all connected databases. If clients connecting through Unity use the SPNEGO mechanism, you must copy SPNEGO from the TdgssLibraryConfigFile.xml to the TdgssUnityConfig.xml and set the MechanismEnabled property to yes on the Unity server. See Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523. |
| DefaultMechanism | The default mechanism on the Unity servers and connected database systems must match if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity. |
| DelegateCredentials | This property is not used for Unity, and is set to ‘no’ in the TdgssLibraryConfigFile.xml by default. On systems that previously set this property to ‘yes’ in the TdgssUserConfigFile.xml for use with Teradata Query Director (discontinued), you should edit the value to ‘no’. |
| MutualAuthentication | Should be set to the same value on Unity servers and on all connected databases if the same authentication and authorization behavior is required for users logging on through Unity as for those logging on directly to the connected database systems. |
| VerifyDHKey | Editable only on the TD2 mechanism. Can be set differently on each database system and Unity server. |
| TeradataKeyTab | Specifies a location for the keytab file generated as part of setup for Kerberos authentication. The location can vary among database systems and Unity servers. |
| UseLdapConfig | The UseLdapConfig property tells Teradata GSS to look in a separate <LdapConfig> section for certain LDAP property values. The LdapConfig section defines multiple directory services and configures a set of related mechanism properties for each service. Should be set to the same value on Unity servers and on all connected databases if the same authentication and authorization behavior is required for users logging on through Unity as for those logging on directly to the connected database systems. |
| <LdapConfig> section | Among configuration files for Unity servers and connected database systems, each service within the <LdapConfig> section should have the same: |
| LdapServerName | Identifies the authenticating LDAP directory or directories. The value can be the same on Unity servers and on connected database systems if all authentication is done in the same directory. In some cases, the value can be different on Unity servers than on connected database systems. For example, if users can log on either through Unity or directly to each connected database system, you can set the value differently for each configuration file to authenticate users in a directory local to the tdpid for the logon. |
| | The LdapSystemFQDN identifies the top-level system object in the directory that is the parent of the LDAP authorization structure. If directory users can only log on through Unity, only the LdapSystemFQDN configured on Unity is in effect. If directory users can log on either through Unity or directly to one or more of the Teradata Vantage systems managed by Unity: if Unity and connected database systems all point to the same system object, then for LdapBaseFQDN, LdapGroupBaseFQDN, and LdapUserBaseFQDN, the property value on Unity and on connected database systems should be the same. |
| | The value of each property in this group should be the same on Unity servers and all connected databases that use the same LdapServerName value. If the LdapServerName value is different among database systems or between a system and a Unity server, the value of these properties can also be different. |
| LdapClientDebug | Can be set differently on Unity servers than on connected database systems. |
| | Identifies a system file or device that can generate a random number for use in certain LDAP processes. The value of each property can be different on Unity servers and connected Vantage systems. |
| LdapClientMechanism | The value of this property must match between Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity. |
| | The location of the certificate can be different among Unity servers and connected database systems. The contents of the file should be the same wherever the value of LdapServerName is the same. |
| | The value of each property can vary among Unity servers and connected database systems. |
| | The value of each property must match among Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity. |
| | The value can vary between the Unity servers and connected database systems. |
| | The value of each property should match between Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity. |
| LdapAllowUnsafeServerConnect | The property value should be the same on Unity servers and any connected database system that uses the same LdapServerName value. |
| | The value of each property does not need to be the same on Unity servers and connected database systems. Teradata recommends that you do not edit these values. |
| MechQOP elements (legacy, default, low, medium, and high) | The configuration of each element should match between Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity. |
| <LdapConfig> | |
| IdentityMap and IdentitySearch elements | |
| RequiredLibrary element (KRB5 only) | The filename does not need to match between Unity servers and connected database systems, but the Kerberos packages contained in the file must be the same version. |
| PROXY mechanism properties | See Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523 and Teradata® Unity™ User Guide, B035-2520. |
| | Set to yes on Unity servers and all connected database systems. |
| | File names do not need to match between Unity servers and connected database systems. |
| | Only configured on database systems. |
| | File and directory names do not need to match between Unity servers and connected database systems; however, the file structure from which the values of these properties are taken uses similar naming. |
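The rules in the table are easy to drift away from once a Unity server and several Vantage systems are maintained separately, so it is worth automating the comparison. The script below is an added example, not part of the Teradata documentation or any Teradata tool. It assumes that both TdgssUnityConfig.xml and TdgssUserConfigFile.xml hold `<Mechanism Name="...">` elements whose `<MechanismProperties>` child carries each property as an XML attribute (the root element name is ignored), and the `RULES` dictionary is this example's own simplified encoding of the table, written for the case where the same authentication behavior is wanted through Unity and directly. The two XML documents in the block are constructed sample input, not real configuration.

```python
"""Report property drift between a Unity server's TdgssUnityConfig.xml and a
connected Vantage system's TdgssUserConfigFile.xml (added example; the file
layout and the rule encoding below are assumptions, not Teradata's own)."""
import xml.etree.ElementTree as ET

# Rule kinds:
#   ("match",)               value must be identical on both sides
#   ("match_if_same", OTHER) must be identical when OTHER is identical on both sides
#   ("equals", VALUE)        must hold VALUE wherever it is set (DelegateCredentials)
#   ("free",)                may legitimately differ; listed so the report is explicit
RULES = {
    "MechanismEnabled": ("match",),
    "DefaultMechanism": ("match",),
    "MutualAuthentication": ("match",),
    "UseLdapConfig": ("match",),
    "LdapClientMechanism": ("match",),
    "DelegateCredentials": ("equals", "no"),
    "LdapAllowUnsafeServerConnect": ("match_if_same", "LdapServerName"),
    "LdapBaseFQDN": ("match_if_same", "LdapSystemFQDN"),
    "LdapGroupBaseFQDN": ("match_if_same", "LdapSystemFQDN"),
    "LdapUserBaseFQDN": ("match_if_same", "LdapSystemFQDN"),
    "VerifyDHKey": ("free",),
    "TeradataKeyTab": ("free",),
    "LdapClientDebug": ("free",),
    "LdapServerName": ("free",),
}


def load_mechanisms(xml_text):
    """Return {mechanism name: {property: value}} (assumed file layout)."""
    mechanisms = {}
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        props = mechanisms.setdefault(mech.get("Name"), {})
        for mp in mech.findall("MechanismProperties"):
            props.update(mp.attrib)
    return mechanisms


def check_consistency(unity_xml, db_xml, rules=RULES):
    """Return a list of (mechanism, property, message) rule violations."""
    unity, db = load_mechanisms(unity_xml), load_mechanisms(db_xml)
    findings = []
    for mech in sorted(set(unity) | set(db)):
        if mech not in unity or mech not in db:
            side = "Unity" if mech in unity else "connected database"
            findings.append((mech, None, f"mechanism defined only on {side}"))
            continue
        u, d = unity[mech], db[mech]
        for prop, rule in rules.items():
            uv, dv = u.get(prop), d.get(prop)
            if uv is None and dv is None:
                continue  # property not configured for this mechanism
            if rule[0] == "equals":
                for side, val in (("Unity", uv), ("connected database", dv)):
                    if val is not None and val.lower() != rule[1]:
                        findings.append((mech, prop, f"{side} has '{val}', expected '{rule[1]}'"))
            elif rule[0] == "match" and uv != dv:
                findings.append((mech, prop, f"Unity '{uv}' != connected database '{dv}'"))
            elif rule[0] == "match_if_same" and u.get(rule[1]) == d.get(rule[1]) and uv != dv:
                findings.append((mech, prop, f"differs although {rule[1]} matches on both sides"))
    return findings


# Constructed sample input (not real configuration). The database side still has
# the legacy DelegateCredentials="yes", a different LdapBaseFQDN under the same
# system object, and a different LdapAllowUnsafeServerConnect for the same directory.
UNITY_XML = """<TdgssConfig>
  <Mechanism Name="TD2"><MechanismProperties MechanismEnabled="yes" DefaultMechanism="yes"
      DelegateCredentials="no" VerifyDHKey="no"/></Mechanism>
  <Mechanism Name="LDAP"><MechanismProperties MechanismEnabled="yes" DefaultMechanism="no"
      MutualAuthentication="yes" UseLdapConfig="no" LdapClientMechanism="simple"
      LdapServerName="ldaps://dir.example.com" LdapSystemFQDN="dc=example,dc=com"
      LdapBaseFQDN="dc=example,dc=com" LdapAllowUnsafeServerConnect="no" LdapClientDebug="0"/></Mechanism>
</TdgssConfig>"""
DB_XML = """<TdgssConfig>
  <Mechanism Name="TD2"><MechanismProperties MechanismEnabled="yes" DefaultMechanism="yes"
      DelegateCredentials="yes" VerifyDHKey="yes"/></Mechanism>
  <Mechanism Name="LDAP"><MechanismProperties MechanismEnabled="yes" DefaultMechanism="no"
      MutualAuthentication="yes" UseLdapConfig="no" LdapClientMechanism="simple"
      LdapServerName="ldaps://dir.example.com" LdapSystemFQDN="dc=example,dc=com"
      LdapBaseFQDN="ou=teradata,dc=example,dc=com" LdapAllowUnsafeServerConnect="yes" LdapClientDebug="1"/></Mechanism>
</TdgssConfig>"""

if __name__ == "__main__":
    for mech, prop, msg in check_consistency(UNITY_XML, DB_XML):
        print(f"{mech}.{prop}: {msg}")
```

On the sample input the report lists three findings (DelegateCredentials on the database side, LdapBaseFQDN, and LdapAllowUnsafeServerConnect) and stays silent about VerifyDHKey and LdapClientDebug, which the table allows to differ. Because the conditional rules key off LdapServerName and LdapSystemFQDN, pointing the database at a different directory makes the LdapAllowUnsafeServerConnect difference acceptable again, which is exactly the "same LdapServerName value" condition the table states.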