If the directory users are mapped to database users, the database users' roles apply (including activating the specific rolename or ALL roles as default).
If every user (except DBC) is going to be authenticated via LDAP, then you can use gtwcontrol settings to prevent TD2 logins. But if some users need to remain TD2 and you want others restricted to LDAP only, you should modify the database password to something the users do not know (even "FOR USER" to mark it expired), and also change their profile password options to something impossible to satisfy (e.g. max length=1, but must include numeric and alpha and special characters) so they can't modify their own TD2 password (after logging on via LDAP) and then go back to using TD2.
i am beginning with LDAP (Teradata v15.00): about passwords for LDAPed users i thought we just had to set LOGON WITH NULL PASSWORD at user level.
is it in addition of changing user password to a password the user doesn't know ?
Since the client is allowed to request an authentication mechanism (plus, drivers default to native TD2), additional steps must be taken if you intend to "force" certain users to use LDAP authentication.
i'm always going on, trying to connect via LDAP ... unsuccessfully.
i find on my TD VM two configuration files "resolve.conf" and "resolve.conf.netconfig" whith references to IPaddress which can't be resolved (non-existent domain).
where do those addresses come from ?
shall i have to update the two files with Ldap Server address ?