We're implementing LDAP authentication (only authentication, not authorization) with Teradata. We didn't want to go with authentication and authorization, to avoid the extra effort on the directory and EXTUSR issues. We will create users on the DB side that exactly match the LDAP users, so users authenticated from LDAP will inherit the privileges of the matching DB users. Our questions are:

1. Will the LDAP user inherit the roles assigned to the matching database user, or only the direct system/object privileges?
2. We need to block access for the user using TD2 and only allow LDAP authentication. Can we revoke the logon right from the database user and have the LDAP user still be able to log on, or is our only option to alter the database password for all database users? If there's another way to block TD2 logon for the database users, please suggest it.

Teradata Employee

If the directory users are mapped to database users, the database users' roles apply (including activating the specific rolename or ALL roles as default).


If every user (except DBC) is going to be authenticated via LDAP, then you can use gtwcontrol settings to prevent TD2 logins. But if some users need to remain TD2 and you want others restricted to LDAP only, you should modify the database password to something the users do not know (even "FOR USER" to mark it expired), and also change their profile password options to something impossible to satisfy (e.g. max length=1, but must include numeric and alpha and special characters) so they can't modify their own TD2 password (after logging on via LDAP) and then go back to using TD2.