Disable TD2 logon but allow LDAP for certain users


Hi

We have LDAP authentication at Customer site for users, but also use TD2 connection for internal accounts such as SYSDBA.

When the end user accounts are created, they have a default password assigned as required in the create user statement, but then we grant logon with NULL password to allow for LDAP authentication, i.e. GRANT LOGON ON ALL TO <UserId> WITH NULL PASSWORD;

An end user could log on with TD2 if the password is known that was assigned in the create user statement. Is there a way to disable TD2 logons for the end users only, allowing them to only log on with their LDAP password?

Cheers

Steven

7 REPLIES

Re: Disable TD2 logon but allow LDAP for certain users

There is a way to do this by enabling the strong password profile settings. 

Let me know if you need further details.

Geeta.

Re: Disable TD2 logon but allow LDAP for certain users

Hi,

Can you please share more details on how to enable strong password profile settings?

Regards,

Chris

Teradata Employee

Re: Disable TD2 logon but allow LDAP for certain users

Do you want all the end users to connect through LDAP only while your internal users (such as SYSDBA) are allowed to connect through TD2? Are you trying to find a way to do this at the database server?

Teradata Employee

Re: Disable TD2 logon but allow LDAP for certain users

If they don't know the password, they can't use TD2 authentication. The issue is that someone could potentially authenticate via LDAP, then change their TD2 password, and they subsequently would be able to use TD2 successfully. But you can set a combination of password controls in the user profile that is impossible to satisfy, which will prevent the users from changing their TD2 password.

Teradata Employee

Re: Disable TD2 logon but allow LDAP for certain users

Hi, please share an example of a password setting that cannot be satisfied.

Teradata Employee

Re: Disable TD2 logon but allow LDAP for certain users

Require some combination of upper/lower case letters, digits, special characters but restrict max length to 1.

Teradata Employee

Re: Disable TD2 logon but allow LDAP for certain users

Require some combination of upper/lower case letters, digits, special characters but restrict max length to 1 character.
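
The profile approach described in the replies above, written out as an added example (not posted by anyone in the thread). The profile name ldap_only_p and user name enduser1 are hypothetical, and the specific attribute values are one assumed combination of the kind the replies describe.

```sql
-- Hypothetical names: ldap_only_p (profile), enduser1 (an LDAP end user).
-- Password controls that no new password can satisfy:
--   MAXCHAR  = 1    at most one character
--   DIGITS   = 'R'  at least one digit is required
--   SPECCHAR = 'R'  at least one special character is required
-- A one-character password cannot contain both a digit and a special
-- character, so any attempt to set a new TD2 password is rejected.
CREATE PROFILE ldap_only_p AS
  PASSWORD = (MINCHAR = 1, MAXCHAR = 1, DIGITS = 'R', SPECCHAR = 'R');

-- Attach the profile to the LDAP end users only. Internal accounts such
-- as SYSDBA are left on their existing profile and keep normal TD2 rules.
MODIFY USER enduser1 AS PROFILE = ldap_only_p;

-- Check the password controls stored for the profile.
SELECT ProfileName, PasswordMinChar, PasswordMaxChar,
       PasswordDigits, PasswordSpecChar
FROM   DBC.ProfileInfoV
WHERE  ProfileName = 'ldap_only_p';

-- Check which users carry the profile.
SELECT UserName, ProfileName
FROM   DBC.UsersV
WHERE  ProfileName = 'ldap_only_p';
```

As the replies note, this only blocks setting a new TD2 password; the password assigned in the create user statement still has to remain unknown to the end user.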