17.10 - Bad Password - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
July 2021
English (United States)
Last Update
The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.
The SASL (Simple Authentication and Security Layer) DIGEST-MD5 mechanism, used in LDAP authentication, works using a shared secret. The directory server stores this secret in a database. The LDAP client obtains this shared secret from the user. Under the boards, DIGEST-MD5 on the directory server issues a challenge to the LDAP client. The client builds a response based on data in the server challenge and the secret obtained from the user and sends that response back to the server. At no time does the password appear in the communications between the client and server. The server also generates a response based on its stored secret. If the client’s response to the server’s challenge does not match what the server generated as a proper response, this error occurs.

These examples demonstrate the error that occurs when the user is successfully mapped to an FQDN that references an existing object in the directory and the password stored in the directory does not match what the user specified.

To remedy, correct the password on the client or have the directory administrator change the password on the directory server and retry the failed command.