Example: Detecting Bad Canonicalization - Advanced SQL Engine - Teradata Database

Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Published
July 2021
Language
English (United States)
Last Update
2022-02-15
dita:mapPath
ppz1593203596223.ditamap
dita:ditavalPath
wrg1590696035526.ditaval
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantageā„¢

This example demonstrates an error that occurs when the directory server fails to translate the user name specified in the -u option to a fully qualified distinguished name (FQDN). In the directory is an object located by the FQDN, cn=DIGEST-MD5, cn=identity mapping, cn=config. The children of this object contain configuration information that assists the directory server in transforming the user name into an FQDN. In order to view the identity mappings, you must search the directory as the directory administrator.

The identity mappings found in the directory take one of two forms. The most efficient form is the one that uses pattern matching and substitutions. The other form executes a directory search based on the form of the user name.

$ ldapsearch -U diperm01@testing -H ldap://esroot -b "" -s base -W -Y DIGEST-MD5 -Z
Enter LDAP password:
Invalid credentials
additional info: SASL(-1): generic failure: unable canonify user
and get auxprops
$
The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.