The authentication credentials used to establish the session context are supplied to the .NET Data Provider for Teradata via the AuthenticationString property. The mechanisms that require credentials are Kerberos (SPNEGO) and LDAP. It is the responsibility of the application to ensure that the value supplied for the AuthenticationString conforms to the requirements of the authentication mechanism in use.
TDNEGO is a negotiating mechanism that will attempt to negotiate into one of the other supported mechanisms. It accepts all the authentication string formats which are supported by the other mechanisms.
The format of the authentication string for JWT authentication is as follows:
token=JWT
where JWT is the JSON Web Token to be used for authentication.
The format of the credential string for Kerberos authentication is composed of the following elements: "name", "realm", and "password", as follows:
name@realm@@password
The format of the components must conform to the following rules:
An occurrence of the '\' quoting character as the last character in a name component is illegal.
The '@', newline, tab, and backspace characters may be included using the quoting conventions described in (1a), (1b) and (1c) above.
The format for LDAP credentials is as follows:
Teradata Database | LDAP Authentication String Format |
---|---|
Version 6.0 | authcid=authcid password=password [profile=profile] [user=tduser] |
Version 6.1 and above | authcid@@password [profile=profile] [user=tduser]<br>authcid password=password [profile=profile] [user=tduser] |
Rules for the authcid= element:
Rules for the password= element:
Rules for the authcid=, password=, profile= and user= elements:
The following rules apply to these LDAP authentication credential formats:
authcid password=password
authcid@@password
An application may provide authentication credentials directly using the AuthenticationString property. However, if the application specifies a UserId and Password, and the selected mechanism supports the generation of credentials, the .NET Data Provider for Teradata constructs the authentication credentials for the application. The mechanisms that currently support the generation of authentication credentials are Kerberos, LDAP, and TDNEGO.
Note |
---|
If the application has selected IntegratedSecurity, then the .NET Data Provider for Teradata ignores all values in UserId, Password, and AuthenticationString. |
The .NET Data Provider for Teradata composes the authentication credentials using the values supplied in UserId, Password and AuthenticationString.
The credentials are constructed as follows:
It is the responsibility of the application to ensure that the values supplied in the UserId, Password, and AuthenticationString properties will result in properly constructed credentials for the desired authentication mechanism.
The table below shows how the UserId, Password and AuthenticationString values should be specified based on the selected authentication mechanism:
Authentication Mechanism | UserId contains: | Password contains: | AuthenticationString should contain: | Notes |
---|---|---|---|---|
SPNEGO | name | password | empty | The default realm is assumed. |
SPNEGO | name@realm | password | empty | The application should separate the components with a '@'. Any special characters in the name or realm must conform to the syntax rules described above. |
LDAP | authcid | password | empty or profile=profile user=tduser | The profile= and user= components are optional. |
LDAP | authcid | empty | password=password profile=profile user=tduser | The profile= and user= components are optional. |
JWT | empty | empty | token=JWT | |
The following examples show how the .NET Data Provider for Teradata constructs the authentication credentials:
UserId | Password | AuthenticationString | Credentials Generated by the .NET Data Provider for Teradata |
---|---|---|---|
TestUser | pass1 | empty | "TestUser@@pass1" |
TestUser@CORP | pass2 | empty | "TestUser@CORP@@pass2" |
Test\@User@CORP | pass3 | empty | "Test\@User@CORP@@pass3" |
LdapUser | ldappass1 | empty | "LdapUser@@ldappass1" |
LdapUser | ldappass2 | profile=manager | "LdapUser@@ldappass2" profile=manager |
LdapUser | ldap"p/\as@s'3 | user=tduser | "LdapUser@@ldap""p\/\\as\@s'3" user=tduser |
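
The composition shown in the table above can be modelled in a few lines, which is useful for checking what a given UserId and Password will turn into before they reach the provider. This is an added example, not code from the .NET Data Provider for Teradata: the class and method names are hypothetical, the password escaping is inferred from the last table row, and only the case where both UserId and Password are supplied is covered.

```csharp
using System;
using System.Text;

// Added illustration: a model of the composition shown in the examples table.
// Not the provider's code; the escaping rules are inferred from the table.
static class TeradataCredentialModel
{
    // Inferred from the last table row: '"' is doubled; '/', '\' and '@' get a '\' prefix.
    static string EscapePassword(string password)
    {
        var sb = new StringBuilder();
        foreach (char c in password)
        {
            if (c == '"') sb.Append("\"\"");
            else if (c == '/' || c == '\\' || c == '@') sb.Append('\\').Append(c);
            else sb.Append(c);
        }
        return sb.ToString();
    }

    public static string Compose(string userId, string password, string authString)
    {
        if (string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(password))
            throw new ArgumentException("This model covers only UserId plus Password.");
        // Page rule: '\' as the last character of a name component is illegal.
        if (userId.EndsWith("\\", StringComparison.Ordinal))
            throw new ArgumentException("UserId must not end with the '\\' quoting character.");

        // The UserId is passed through as-is; the application must already have quoted it.
        string quoted = "\"" + userId + "@@" + EscapePassword(password) + "\"";
        return string.IsNullOrEmpty(authString) ? quoted : quoted + " " + authString;
    }

    static void Main()
    {
        // Inputs and expected outputs are rows of the page's examples table.
        var rows = new (string User, string Pass, string Auth, string Expected)[]
        {
            ("TestUser", "pass1", "", "\"TestUser@@pass1\""),
            ("Test\\@User@CORP", "pass3", "", "\"Test\\@User@CORP@@pass3\""),
            ("LdapUser", "ldappass2", "profile=manager", "\"LdapUser@@ldappass2\" profile=manager"),
            ("LdapUser", "ldap\"p/\\as@s'3", "user=tduser",
             "\"LdapUser@@ldap\"\"p\\/\\\\as\\@s'3\" user=tduser"),
        };
        foreach (var r in rows)
        {
            string got = Compose(r.User, r.Pass, r.Auth);
            Console.WriteLine($"{(got == r.Expected ? "OK  " : "DIFF")} {got}");
        }
    }
}
```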