TDGSS LdapClientSaslSecProps Property

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

The LdapClientSaslSecProps property specifies the security level for the token exchange.

When a directory user logs on to a Teradata Vantage system, and the SASL token exchange between the directory server and Vantage uses DIGEST-MD5 binding, an attacker positioned between the two could tamper with the exchange and downgrade it so that the token is sent in clear text. You can set the LdapClientSaslSecProps property to provide extra protection for a DIGEST-MD5 token exchange.
The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.

Default Property Value

The default value of the LdapClientSaslSecProps property is minssf=0, that is, the security level is compatible with all supported directory types and configurations, but it does not provide any extra protection.

Editing Guidelines

  • To set a value, you must manually add this property to the TDGSS configuration file for the LDAP mechanism. See About Editing Configuration Files.
  • Edit this property on the database and on Unity, if used. Also see Coordinating Mechanism Property Values for Unity.
  • If you set the property value to minssf=0, the setting avoids possible conflicts with directory types and configurations that cannot use a higher security level.
  • You can set the property value to minssf=1, to cause the directory server to offer an auth-int or auth-conf QOP.
    • Auth-int adds a message digest (signing) to messages between the database and directory.
    • Auth-conf adds encryption and message digests (signing and sealing) to messages between the database and directory.

    Integrity checking prevents a man-in-the-middle attack that could reset the QOP level and cause the password to be transmitted in clear text. A setting of minssf=1 is sufficient for most implementations.

  • You can set the property value to encrypt the token exchange. A setting of:
    • minssf=56 uses DES or other low-level ciphers
    • minssf=112 uses triple DES and other strong ciphers
    • minssf=128 uses the strongest ciphers, for example, RC4.
    If you specify a minssf value above 1, the directory must support the corresponding encryption level, and your setting cannot exceed the directory setting for the maxssf property.
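The following is an added example, not Teradata's code or part of this documentation. It parses a security-properties value in the comma-separated key=value form the property uses (only the minssf and maxssf keys are accepted here; that restriction is an assumption), maps the minssf value onto the QOP tiers listed above, and flags the two failure modes a reviewer checks before deploying the setting: minssf=0 leaves the downgrade unmitigated, and a minssf above the directory's maxssf cannot be satisfied. The tier labels and the directory maxssf values in the sample run are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Thresholds from the property documentation; the tier labels are our own.
QOP_TIERS = [
    (128, "auth-conf: strongest ciphers"),
    (112, "auth-conf: triple DES and other strong ciphers"),
    (56, "auth-conf: DES or other low-level ciphers"),
    (1, "auth-int or auth-conf: at least integrity protection"),
    (0, "auth only: no extra protection"),
]

# Assumption: only the two keys the documentation discusses are accepted.
KNOWN_KEYS = {"minssf", "maxssf"}


@dataclass
class SecProps:
    minssf: int
    maxssf: Optional[int]  # None when the value string does not set it


def parse_secprops(value: str) -> SecProps:
    """Parse a comma-separated key=value string such as "minssf=1,maxssf=256".

    An empty string yields the documented default, minssf=0.
    Raises ValueError for unknown keys, non-numeric or negative values,
    duplicate keys, or a minssf greater than maxssf.
    """
    found = {}
    for item in filter(None, (part.strip() for part in value.split(","))):
        key, sep, raw = item.partition("=")
        key = key.strip().lower()
        if not sep or key not in KNOWN_KEYS:
            raise ValueError(f"unsupported security property: {item!r}")
        if key in found:
            raise ValueError(f"duplicate key: {key}")
        if not raw.strip().isdigit():
            raise ValueError(f"{key} must be a non-negative integer, got {raw!r}")
        found[key] = int(raw)
    props = SecProps(minssf=found.get("minssf", 0), maxssf=found.get("maxssf"))
    if props.maxssf is not None and props.minssf > props.maxssf:
        raise ValueError(f"minssf={props.minssf} exceeds maxssf={props.maxssf}")
    return props


def classify(minssf: int) -> str:
    """Return the QOP tier a minssf value requests, per the thresholds above."""
    for threshold, label in QOP_TIERS:
        if minssf >= threshold:
            return label
    raise ValueError("minssf must be >= 0")


def check_against_directory(props: SecProps, directory_maxssf: int) -> List[str]:
    """Return findings that would leave the bind unprotected or make it fail.

    directory_maxssf is the strongest SSF the directory will negotiate (its
    maxssf setting); a client minssf above it cannot be satisfied.
    """
    findings = []
    if props.minssf == 0:
        findings.append("minssf=0: a downgrade to clear-text token transfer is not prevented")
    if props.minssf > directory_maxssf:
        findings.append(
            f"minssf={props.minssf} exceeds the directory maxssf={directory_maxssf}; "
            "the directory cannot satisfy this level"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample settings paired with constructed directory maxssf values.
    for raw_value, dir_max in [("minssf=0", 256), ("minssf=1", 56), ("minssf=112", 56)]:
        p = parse_secprops(raw_value)
        print(raw_value, "->", classify(p.minssf), check_against_directory(p, dir_max))
```

Run it against the value you intend to put in the TDGSS configuration together with the maxssf your directory administrator reports; an empty findings list means the setting is both protective and satisfiable.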