The LdapClientSaslSecProps property specifies the security level for the token exchange.
When a directory user logs on to a Teradata Vantage system, and the SASL token exchange between the directory server and Vantage uses DIGEST-MD5 binding, an attacker could challenge the exchange and redirect it to send the token in clear text. You can set the LdapClientSaslSecProps property to provide extra protection for a DIGEST-MD5 token exchange.
The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.
Default Property Value
The default value of the LdapClientSaslSecProps property is minssf=0. This security level is compatible with all supported directory types and configurations, but it does not provide any extra protection.
Editing Guidelines
- To set a value, you must manually add this property to the TDGSS configuration file for the LDAP mechanism. See Editing Configuration Files.
- Edit this property on the database and on Unity, if used. Also see Coordinating Mechanism Property Values for Unity.
- If you set the property value to minssf=0, the setting avoids possible conflicts with directory types and configurations that cannot use a higher security level.
- You can set the property value to minssf=1 to cause the directory server to offer an auth-int or auth-conf QOP.
  - Auth-int adds a message digest (signing) to messages between the database and directory.
  - Auth-conf adds encryption and message digests (signing and sealing) to messages between the database and directory.
  Integrity checking prevents a man-in-the-middle attack, which could reset the QOP level and cause the password to be transmitted in clear text. A setting of minssf=1 is sufficient for most implementations.
- You can set the property value to encrypt the token exchange. A setting of:
  - minssf=56 uses DES or other low-level ciphers
  - minssf=112 uses triple DES and other strong ciphers
  - minssf=128 uses the strongest ciphers, for example, RC4.
  If you specify a minssf value above 1, the directory must support the corresponding encryption level, and your setting cannot exceed the directory setting for the maxssf property.
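One way to check a planned setting against the guidelines above, as an added example that is not Teradata code. The function names are hypothetical, a missing property is treated as the default minssf=0, the directory's maxssf is passed in as a number you have already looked up, and treating "coordinated" database and Unity values as identical values is an assumption of this example.

```python
import re

# Values and meanings documented on the page for LdapClientSaslSecProps.
DOCUMENTED = {
    0: "no extra protection (default)",
    1: "integrity: directory offers auth-int or auth-conf QOP",
    56: "encryption: DES or other low-level ciphers",
    112: "encryption: triple DES and other strong ciphers",
    128: "encryption: strongest ciphers",
}

def parse_minssf(value):
    """Return the minssf integer; a missing property means the default, 0."""
    if value is None:
        return 0
    m = re.fullmatch(r"\s*minssf\s*=\s*(\d+)\s*", value)
    if m is None:
        raise ValueError(f"cannot parse LdapClientSaslSecProps value {value!r}")
    return int(m.group(1))

def review(db_value, directory_maxssf, unity_value=None, unity_in_use=False):
    """Return (minssf, description, findings) for the database-side setting."""
    minssf = parse_minssf(db_value)
    findings = []
    if minssf not in DOCUMENTED:
        findings.append(f"minssf={minssf} is not a value the page documents")
    if minssf == 0:
        findings.append("minssf=0: DIGEST-MD5 exchange has no QOP downgrade protection")
    # The page's ceiling rule applies only to values above 1.
    if minssf > 1 and minssf > directory_maxssf:
        findings.append(f"minssf={minssf} exceeds directory maxssf={directory_maxssf}")
    # Assumption: database and Unity should carry the same value.
    if unity_in_use and parse_minssf(unity_value) != minssf:
        findings.append("database and Unity values differ")
    return minssf, DOCUMENTED.get(minssf, "undocumented"), findings

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real system.
    for args in [("minssf=1", 128), (None, 128), ("minssf=128", 112),
                 ("minssf=112", 128, "minssf=1", True)]:
        print(args, "->", review(*args))
```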