Example: tdgssauth Verifying an Unmapped User's Authentication and Authorization Parameters Using LDAP - Advanced SQL Engine

Example: tdgssauth Verifying an Unmapped User's Authentication and Authorization Parameters Using LDAP - Advanced SQL Engine - Teradata Database

Security Administration

Product

Advanced SQL Engine

Teradata Database

Release Number

17.05

17.00

Published

September 2020

Language

English (United States)

Last Update

2021-01-23

dita:mapPath

ied1556235912841.ditamap

dita:ditavalPath

lze1555437562152.ditaval

dita:id

B035-1100

lifecycle

Product Category

Teradata Vantage™

The example shows how to verify an unmapped user's authentication and authorization properties using LDAP from a given IP address. Run:

tdgssauth -u drct01 -m ldap -i 198.51.100.20

The user's name (-u) is the same as it is specified in a bteq .logon command. The -m option specifies the logon mechanism to use (LDAP in this case). The -i option specifies the IP address from which the user will connect.

Result:

 1> Please enter a password: 
 2>                        Status: authenticated, authorized
 3>                 Database user: drct01 [unmapped user, autoprovisioning candidate]
 4>                       Profile: profxu1
 5>                External roles: extrole01xu1, extrole02xu1, extrole03xu1 
 6>            Authenticated user: ldap://dsa1.example.com:389/uid=drct01,ou=principals,dc=example,dc=com
 7>        Audit trail identifier: drct01
 8>        Authenticating service: dbssvc
 9>     Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]
10>       Mechanism specific data: drct01
11>
12> Security context capabilities: replay detection
13>                                out of sequence detection
14>                                confidentiality
15>                                integrity
16>                                protection ready
17>                                exportable security context
18>
19> Minimum quality of protection: none
20>                       Options: none

The following explains the output from the command:

Line Number	Description
1> Enter a password	When prompted, enter the user's password for the specified mechanism. In this example, enter the user's LDAP password because the specified mechanism is ldap. If KRB5 is the specified mechanism, enter the user's KRB5 password. Use -w and specify the user's password on the command line to avoid being prompted for the password. It is not recommended to specify the user's password on the command line.
2> Status: authenticated, authorized	The user authenticated and authorized successfully.
3> Database user: drct01 [unmapped user, autoprovisioning candidate]	The user is not mapped to a Vantage database user (an unmapped user) and this user is a candidate for autoprovisioning.
4> Profile: profxu1	The user has the profxu1 profile associated with the session.
5> External roles: extrole01xu1, extrole02xu1, extrole03xu1	The user is permitted to occupy the three external roles, extrol01xu1, extrole02xu1, and extrole03xu1. The DBA must create those roles in the database and grant them rights.
6 > Authenticated user: ldap://dsa1.example.com:389/uid=drct01,ou=principals,dc=example,dc=com	The identity of the user in the directory server and the server that authenticated the user.
7> Audit trail identifier: drct01	The user's audit trail identifier used in event logs caused by a session logged on as this user.
8> Authenticating service: dbssvc	The service name of the service used to authenticate the user. The service is configured in the <LdapConfig> section of the TdgssUserConfigFile.xml file.
9> Actual mechanism employed: ldap [OID 1.3.6.1.4.1.191.1.1012.1.20]	The name and Object Identifier (OID) of the actual authentication mechanism used to authenticate the user. Note, the TDNEGO mechanism reports the actual mechanism that it selected to authenticate the user. Other explicitly named mechanisms report themselves here.
10> Mechanism specific data: drct01	The mechanism specific data. This data is used by other parts of the system during the login process and is not used by TDGSS. In most, if not all cases, this simply provides the name of the user from the -u command line option.
12 - 17> Security context capabilities: replay detection, out of sequence detection ... exportable security context	These lines tell us what a particular security context provides. The security context is the one established for the named user using the specified mechanism.
19> Minimum quality of protection: None	The minimum QoP that the user is required to use for the life of the session. In this example, during the life of a session this user can use any QoP including no QoP at all.
20> Options: none	The connection options in effect for this user. In this case, the word none indicates that this is a normal connection. This value may contain has-policy or no-direct-connect. has-policy says that the user must use only a plaintext connection to the database and is used for very specialized purposes. no-direct-connect says that the user is not permitted to connect directly to the database, but must instead come through Unity.