How do I connect to Teradata with LDAP?

by Nov 2, 2011

How do I connect to Teradata with LDAP authentication using Aqua Data Studio?

Response

Niels Gron over 11 years ago
The authentication mechanism for a database server login is controlled by the JDBC driver of the vendor. Each vendor has non-standard properties for their options. The Teradata JDBC driver does have options for LDAP.

The properties seems to be LOGMECH, with the options {TD1/TD2/KRB5/LDAP}. In Aqua Data Studio you can go to the Server Registration->[Driver] tab and add your properties. See my attached screenshot for an example. There is also the LOGDATA properties, which I’ve attached a screenshot from the Teradata JDBC documentation to indicate the possible values for the LDAP mechanism (eg LOGDATA=’dn:cn-John Smith, cn=users, dc-corp,dc-teradata,dc-compassword-secret’).

-Niels

Attachments.zip

Niels Gron over 10 years ago
From the Teradata documentation :

a. Update tdgssconfig.jar with the modified TdgssUserConfigFile.xml.

b. Modifiy modelmanager-ds.xml

The URL connection should be: “jdbc:teradata://localhost/DATABASE=mmMeta,TMODE=TERA,LOGMECH=LDAP,L OGDATA=’authcid=dn:cn=TWM01,dc=tera,dc=data password=TWM01’”

c. Remove username and password attributes from modelmanager-ds.xml.

For LDAP authentication, the logdata must contain at least the user’s authcid (authentication id) and the user’s password. The LDAP logdata parameters are space separated and not comma separated.

This form of logdata will work with Sun and few other directories using DIGEST-MD5 binding, it would not work with Active Directory or ADAM.

Assuming that you are using a Sun or other non-Microsoft directory and you have Teradata schema installed in your directory service, the user “cn=twm01,dc=tera,dc=data” is explicitly mapped to a Teradata user, profile or role. Otherwise, the Teradata user name would be taken from the first 30 characters of your authcid , which would make your Teradata user name as “dn:cn=TWM01,dc=tera,dc=data” which is not the expected one.

If you’re using Active Directory, it is recommended to use DIGEST-MD5 binding and your domain user name for the authcid or simple binding and the contents of the user’s userPrincipalName attribute as the authcid.

If you’re using ADAM, it is recommended to use simple binding and the contents of the user’s userPrincipalName attribute as your authcid. In all cases where simple binding is employed, the best practice is to configure your directory service so that SSL or TLS protection is enabled and the database is configured to use either SSL or TLS when communicating with your directory service.

NRGetic1 over 3 years ago in reply to Niels Gron
We are facing a similar issue. Can you guide us to the #1 above i.e.
Update tdgssconfig.jar with the modified TdgssUserConfigFile.xml. How to open and modify the jar file?

Similarly, provide steps on modifying modelmanager-ds.xml