17.10 - Example: Detecting Bad Canonicalization - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

This example demonstrates an error that occurs when the directory server fails to translate the user name specified in the -u option to a fully qualified distinguished name (FQDN). In the directory is an object located by the FQDN, cn=DIGEST-MD5, cn=identity mapping, cn=config. The children of this object contain configuration information that assists the directory server in transforming the user name into an FQDN. In order to view the identity mappings, you must search the directory as the directory administrator.

The identity mappings found in the directory take one of two forms. The most efficient form is the one that uses pattern matching and substitutions. The other form executes a directory search based on the form of the user name.

$ ldapsearch -U diperm01@testing -H ldap://esroot -b "" -s base -W -Y DIGEST-MD5 -Z
Enter LDAP password:
Invalid credentials
additional info: SASL(-1): generic failure: unable canonify user
and get auxprops
$
The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.