17.20 - Example Identity Search - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07

In this example, users log on to Vantage using an NT-style logon such as td\ab111222 (domain, backslash, account name).

</Mechanism>
<Mechanism Name="ldap">
    <MechanismProperties
        ...
        />
    <!-- The filter's "&" must be written as "&amp;" in the XML file. -->
    <IdentitySearch
      Match="[Tt][Dd]\\(.+)"
      Base="ou=user accounts,dc=td,dc=teradata,dc=com"
      Scope="subtree"
      Filter="(&amp;(objectClass=user)(sAMAccountName=${1}))"
      BindName="${result}"
      DatabaseName="${1}"/>
</Mechanism>

The IdentitySearch element contains the attributes that define the parameters of the directory search TDGSS performs for each directory user logon:

Attribute Name / Attribute Value / Description

Match
"[Tt][Dd]\\(.+)"
[Required] A POSIX regular expression that is matched against the username (authcid). Each parenthesized group it captures is available to the other attributes as ${1}, ${2}, and so on; here the single group captures everything after the "td\" prefix.

Base
"ou=user accounts,dc=td,dc=teradata,dc=com"
[Required] Specifies the pattern into which the search substitutes substrings captured by the Match attribute value, constructing the DN that it uses as the search base.

Scope
"subtree"
[Required] Specifies a string that defines the search scope, from among these options:
  • "base" requests a search of the object named in the Base attribute.
  • "onelevel" requests a search of the children of the Base object.
  • "subtree" requests a search of the entire subtree, starting with Base.

Filter
"(&(objectClass=user)(sAMAccountName=${1}))"
[Required] Specifies the pattern into which the identity search substitutes substrings captured by the Match attribute value, and which the search uses as the search filter, in the syntax defined in IETF RFC 2254 (superseded by RFC 4515).

BindName
"${result}"
[Optional] Defines how the system rewrites the username to bind to the directory. The default, BindName="${result}", binds as the DN returned by the search and maintains backward compatibility with earlier configurations. You can change the default to suit directory requirements.

DatabaseName
"${1}"
[Optional] Defines how the system rewrites the username so that the database can identify the user in a particular form. The value ${1} identifies the user in the database using only the uid (account-name) portion of the logon, the part after "td\". Because this example's Match pattern captures a single group, there are no ${2}, ${3}, or ${4} portions here; with a Match pattern that captures several groups, those further portions would be dropped.

Search Results:

Based upon a Windows domain TD, the existence of users ab111222 and xy333444 in the directory, and the search base and scope specified in the example above, the identity search generates the following searches and results. Because the search is a subtree search under the configured Base, each result is the DN of an entry below that Base.

Username: td\ab111222
Filter: (&(objectClass=user)(sAMAccountName=ab111222))
${result}: CN=ab111222,OU=NorthAmerica,OU=User Accounts,DC=td,DC=teradata,DC=com

Username: td\xy333444
Filter: (&(objectClass=user)(sAMAccountName=xy333444))
${result}: CN=xy333444,OU=NorthAmerica,OU=User Accounts,DC=td,DC=teradata,DC=com

Username: td\user1234
Filter: (&(objectClass=user)(sAMAccountName=user1234))
${result}: none. The search returns no results, which indicates that the user does not exist in the directory.
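The identity-search rewrite behind the attribute table and the three searches above, as an added Python example that is not from the Teradata documentation or from TDGSS: it applies Match to the logon, substitutes the captured group into Base and Filter, evaluates the filter against a constructed in-memory directory with the configured scope, and derives ${result}, BindName and DatabaseName. The directory entries, the IdentitySearch and Outcome types, the RFC 4515 escaping of substituted values and the rule that more than one hit is rejected are assumptions of this example, not documented TDGSS behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the directory (DN -> attributes); hypothetical entries under the example's Base.
DIRECTORY = {
    "CN=ab111222,OU=NorthAmerica,OU=User Accounts,DC=td,DC=teradata,DC=com":
        {"objectClass": ["top", "person", "user"], "sAMAccountName": ["ab111222"]},
    "CN=xy333444,OU=NorthAmerica,OU=User Accounts,DC=td,DC=teradata,DC=com":
        {"objectClass": ["top", "person", "user"], "sAMAccountName": ["xy333444"]},
    # A group whose sAMAccountName collides with a user; (objectClass=user) must exclude it.
    "CN=ab111222,OU=Groups,OU=User Accounts,DC=td,DC=teradata,DC=com":
        {"objectClass": ["top", "group"], "sAMAccountName": ["ab111222"]},
}

@dataclass(frozen=True)
class IdentitySearch:            # one field per attribute of the <IdentitySearch> element
    match: str
    base: str
    scope: str                   # "base", "onelevel" or "subtree"
    filter: str
    bind_name: str = "${result}"
    database_name: str = "${1}"

@dataclass(frozen=True)
class Outcome:
    filter: Optional[str]        # filter actually issued; None when Match failed and no search ran
    result: Optional[str]        # ${result}: DN of the single matching entry, else None
    bind_name: Optional[str]
    database_name: Optional[str]

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a filter. Added safeguard: the page does
    not state whether TDGSS escapes ${n} itself, so this code does it explicitly."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def substitute(pattern: str, subs: dict) -> str:
    """Replace ${1}, ${2}, ... and ${result} in an attribute value."""
    return re.sub(r"\$\{(\w+)\}", lambda m: subs.get(m.group(1), ""), pattern)

def in_scope(dn: str, base: str, scope: str) -> bool:
    norm = lambda s: [rdn.strip().lower() for rdn in s.split(",")]
    d, b = norm(dn), norm(base)
    if scope == "base":
        return d == b
    if scope == "onelevel":
        return d[1:] == b
    if scope == "subtree":
        return d[-len(b):] == b
    raise ValueError("unknown scope: " + scope)

def parse_filter(s: str, i: int = 0):
    """Minimal RFC 4515 parser: &, |, ! and equality matches (enough for this page)."""
    i += 1                                             # step over the opening (
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                       # step over the closing )
    j = s.index(")", i)                                # an escaped ) arrives as \29, so this is safe
    attr, _, val = s[i:j].partition("=")
    val = re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), val)   # undo escaping
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, attrs: dict) -> bool:
    if node[0] == "=":
        lower = {k.lower(): [v.lower() for v in vs] for k, vs in attrs.items()}
        return node[2] in lower.get(node[1], [])
    op, kids = node
    if op == "&":
        return all(matches(k, attrs) for k in kids)
    if op == "|":
        return any(matches(k, attrs) for k in kids)
    return not matches(kids[0], attrs)

def identity_search(cfg: IdentitySearch, username: str, directory=DIRECTORY) -> Outcome:
    m = re.fullmatch(cfg.match, username)              # Match assumed to cover the whole authcid
    if m is None:                                      # no match: TDGSS issues no search
        return Outcome(None, None, None, None)
    raw = {str(n + 1): (g or "") for n, g in enumerate(m.groups())}
    base = substitute(cfg.base, raw)                   # DN substitution; filter escaping does not apply
    flt = substitute(cfg.filter, {k: ldap_escape(v) for k, v in raw.items()})
    tree, _ = parse_filter(flt)
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, base, cfg.scope) and matches(tree, attrs)]
    if len(hits) != 1:      # zero hits: user unknown; several: ambiguous bind DN, also rejected (assumption)
        return Outcome(flt, None, None, None)
    subs = dict(raw, result=hits[0])
    return Outcome(flt, hits[0], substitute(cfg.bind_name, subs), substitute(cfg.database_name, subs))

EXAMPLE = IdentitySearch(
    match=r"[Tt][Dd]\\(.+)",
    base="ou=user accounts,dc=td,dc=teradata,dc=com",
    scope="subtree",
    filter="(&(objectClass=user)(sAMAccountName=${1}))",
)
```

Call identity_search(EXAMPLE, "td\\ab111222") to reproduce the first row of the results table; "td\\user1234" yields the issued filter with result None, and a bare "ab111222" fails Match so no search is issued at all. The logon "td\\*" shows why the escaping is worth having: substituted raw, the filter would become (sAMAccountName=*), a presence filter that matches every user under the Base, whereas the escaped \2a matches only an account literally named "*".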