Authentication Mechanisms

ODBC Driver for Teradata® User Guide

brand
Teradata Tools and Utilities
prodname
ODBC Driver for Teradata
vrm_release
16.20
category
User Guide
featnum
B035-2526-108K

To enable network security, an Authentication Mechanism that corresponds to one of the mechanisms configured on the gateway by a system administrator must be specified, and other parameters such as password and username must be passed from the client application through network security. The following table summarizes the authentication mechanisms.

Authentication Mechanism Name Client/Servers Description
Teradata 2 TD2 All The Teradata 2 (TD2) mechanism provides authentication using a Teradata Database username and password.

The difference between Teradata 1 and Teradata 2 is that the Teradata 2 encryption key offers a higher degree of security.

Encryption: When the Teradata 2 (TD2) mechanism is selected, both logon string and data are encrypted.

Availability: The Teradata 2 mechanism is available on all supported client and server platforms.

Username and Password: A valid Teradata username and password are always required.

TDNEGO TDNEGO All A security mechanism that automatically determines the actual mechanism required, based on policy, without user's involvement. The actual mechanism is determined by the TDGSS server configuration and by the security policy's mechanism restrictions. This simplifies user logons, because the user does not need to specify which logon mechanism to use. It also provides better ease of use and improved support for applications and tools which do not support specification of logon mechanisms.

The Client and Server versions of TDNEGO automatically negotiate and select an appropriate TDGSS security mechanism to use.

Encryption: Depends based on the chosen mechanism.

Availability: The TDNEGO mechanism is available on all supported client and server platforms.

Username and Password: Depends based on the chosen mechanism.

LDAP LDAP All w/ LDAPv3 Library When the LDAP authentication mechanism is employed, the server authenticates by binding to the LDAP directory using the username and password.

Encryption: When LDAP is selected, both the logon string and data are encrypted.

Availability: The LDAP mechanism is available on all supported client and server platforms, which provide an LDAPv3 compliant library.

Username and Password: The application supplies a username, password, and domain or realm.

When the user has been authenticated, an implicit logon will proceed using a Teradata username derived from the directory.

The gateway directory maps the username to a specific Teradata username or to the system-defined username EXTUSER.

If the directory maps the username to a specific Teradata username, then that user must have previously been granted the logon with null password privilege.

If the directory maps to EXTUSER, then the characteristics of the user (role, rights, space, and so forth) are determined from settings in the directory.

Kerberos KRB5 Windows

Linux

Apple OS X

AIX

Solaris OP

Solaris SP

Once the identity of the user has been verified by Kerberos (KRB5), the KRB5 mechanism implicit logon proceeds using the same username as the Teradata username.

Encryption: When KRB5 is selected, both the logon string and data are encrypted.

Availability: The KRB5 mechanism is available on all supported client and server platforms.

Username, Password, Domain and Realm: The application supplies a username, password, and domain or realm.

The username must have previously been granted the logon with null password privilege.

Single Sign On: The Kerberos (KRB5) mechanism supports SSO where no username and password are provided explicitly by the application, but both are derived from the security context of the application.

For KRB5 authentication, ODBC Driver for Teradata performs reverse DNS lookup and must succeed. The reverse lookup result must be the FQDN of the Teradata Database node.

JSON Web Token JWT All The client’s credentials (username and password) is authenticated by UDA User Service. The UDA User Service returns a JSON Web Token containing encrypted credentials. The client uses this token to connect to the database.
The client needs to provide the following two parameters to the ODBC Driver in the connection string when using JWT authentication mechanism:
AUTHENTICATION=JWT;
AuthenticationParameter={token=<JWT token>};
where <JWT token> is the token obtained from the UDA User Service.

Encryption: When JWT is selected, both the logon string and data are encrypted.

Availability: The JWT mechanism is available on all supported client and server platforms.

Username, Password, Domain and Realm : The username and password are encrypted in the JWT token.

Single Sign On: The JWT mechanism supports SSO as long as the JWT token is not expired.

Other To be determined All Users can define other authentication mechanisms.

Encryption: A user-defined mechanism can also provide logon and data encryption.

Username and Password: Input to a mechanism will be the username, password, and possibly authentication information specific for the particular mechanism.