LDAP USER to permanent Database Users

We're implementing LDAP authentication (only authentication, not authorization) with Teradata; we didn't want to go with (authentication & authorization) to avoid the extra effort on the directory and the EXTUSER issues. We will create exactly matching users on the DB side for the LDAP users, so users authenticated from LDAP will inherit the privileges of the matching DB users. Our questions are:

1. Will the LDAP user inherit the roles assigned to the matching database user, or only the direct system/object privileges?

2. We need to block access for the user using TD2 and only allow LDAP authentication; can we revoke the logon right from the database user and have the LDAP user still be able to log on, or is our only option to alter the database password for all database users? If there's another way to block TD2 logon for the database users, please suggest it.
4 REPLIES
Teradata Employee

Re: LDAP USER to permanent Database Users

If the directory users are mapped to database users, the database users' roles apply (including activating the specific rolename or ALL roles as default).


If every user (except DBC) is going to be authenticated via LDAP, then you can use gtwcontrol settings to prevent TD2 logins. But if some users need to remain TD2 and you want others restricted to LDAP only, you should modify the database password to something the users do not know (even "FOR USER" to mark it expired), and also change their profile password options to something impossible to satisfy (e.g. max length=1, but must include numeric and alpha and special characters) so they can't modify their own TD2 password (after logging on via LDAP) and then go back to using TD2.
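The "password nobody knows plus an unsatisfiable profile" approach in the reply above, written out as Teradata SQL. This is an added example, not code from the thread or from Teradata; the user name LDAP_USER_EXAMPLE, the profile name LDAP_ONLY_PROFILE and the password value are placeholders, and the statement order (set the throwaway password before attaching the restrictive profile) assumes that profile password rules are enforced on administrator MODIFY USER as well as on user-initiated changes.

```sql
-- Added example (not from the original thread). Placeholders: LDAP_USER_EXAMPLE,
-- LDAP_ONLY_PROFILE, and the throwaway password value.

-- 1. Let the directory-mapped user log on without presenting a TD2 password.
GRANT LOGON ON ALL TO LDAP_USER_EXAMPLE WITH NULL PASSWORD;

-- 2. Replace the TD2 password with a value nobody knows and mark it expired
--    (FOR USER), so an existing TD2 credential stops working immediately.
--    Done BEFORE the restrictive profile is attached, on the assumption that
--    the profile's password rules would otherwise reject this statement too.
MODIFY USER LDAP_USER_EXAMPLE AS PASSWORD = (Placeholder_Unknown_Value_1) FOR USER;

-- 3. A profile whose password rules cannot be met: exactly one character that
--    must be a digit AND a special character. Any later attempt by the user
--    to set a usable TD2 password (e.g. after logging on via LDAP) fails.
--    EXPIRE = 1 additionally expires any password after one day.
CREATE PROFILE LDAP_ONLY_PROFILE AS
  PASSWORD = (MINCHAR = 1, MAXCHAR = 1, DIGITS = 'R', SPECCHAR = 'R', EXPIRE = 1);

-- 4. Attach the profile to the LDAP-only user.
MODIFY USER LDAP_USER_EXAMPLE AS PROFILE = LDAP_ONLY_PROFILE;
```

Because the client still chooses the mechanism it requests, this does not stop a TD2 logon attempt from being made; it makes such an attempt fail, which is the useful property. Keep DBC and any administrative break-glass user on a normal profile so they are not locked out if the directory is unavailable.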

Enthusiast

Re: LDAP USER to permanent Database Users

Hi Fred,

I am beginning with LDAP (Teradata v15.00): about passwords for LDAPed users, I thought we just had to set LOGON WITH NULL PASSWORD at user level.

Is it in addition to changing the user password to a password the user doesn't know?

Thanks

Teradata Employee

Re: LDAP USER to permanent Database Users

Since the client is allowed to request an authentication mechanism (plus, drivers default to native TD2), additional steps must be taken if you intend to "force" certain users to use LDAP authentication.

Enthusiast

Re: LDAP USER to permanent Database Users

Thanks Fred,

I'm still trying to connect via LDAP ... unsuccessfully.

I found on my TD VM two configuration files, "resolve.conf" and "resolve.conf.netconfig", with references to IP addresses which can't be resolved (non-existent domain).

Where do those addresses come from?

Do I have to update the two files with the LDAP server address?

Pierre