17.10 - Example: Bad Canonicalization with Identity Mapping - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

July 2021, English (United States)

This example illustrates an identity mapping object that transforms a user name of the form user@realm into an appropriate FQDN. The dsMatching-pattern attribute specifies that the user name obtained from the -u option is the value to be transformed to an FQDN. That user name is then matched against the regular expression in the dsMatching-regexp attribute, and the captured groups are substituted into the substitution pattern in the dsMappedDN attribute. If you run the user name diperm01@testing through this identity mapping rule, the resulting FQDN is uid=diperm01, ou=people, ou=testing, dc=elsegundoca, dc=teradata, dc=com.

Before you design or change identity mappings, you should consult the directory and security administrators, since these objects represent closely guarded configuration information that could adversely affect other directory users and potentially compromise directory security.

For further information on identity mappings, please consult the Directory Server Administration Guide for the Sun Java System Directory Server. This guide can be found on the following website: http://download.oracle.com.

dn: cn=test mapping,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: test mapping
dsMatching-pattern: ${Principal}
dsMappedDN: uid=$1,ou=people,ou=$2,dc=elsegundoca,dc=teradata,dc=com
dsMatching-regexp: ([^:]*)@(.*)

The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.
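To make the pattern / regexp / substitution steps above concrete, the following Python script replays the identity mapping rule from this page outside the directory server. It is an added example, not Teradata or Sun Directory Server code, and it makes two assumptions that are not stated on the page: the regular expression is applied as an anchored full match against the expanded pattern, and the captured values are escaped per RFC 4514 before being placed into the DN (the escaping is an added defensive step, not documented directory server behaviour). The LDIF text is the entry shown above, embedded as a constructed string.

```python
import re

# Constructed sample input: the identity mapping entry shown on this page.
IDENTITY_MAPPING_LDIF = """\
dn: cn=test mapping,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: test mapping
dsMatching-pattern: ${Principal}
dsMappedDN: uid=$1,ou=people,ou=$2,dc=elsegundoca,dc=teradata,dc=com
dsMatching-regexp: ([^:]*)@(.*)
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (single-line values only)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def expand_pattern(pattern, variables):
    """Expand ${Name} placeholders in dsMatching-pattern, e.g. ${Principal}."""
    return re.sub(r"\$\{(\w+)\}", lambda m: variables.get(m.group(1), ""), pattern)


def rfc4514_escape(value):
    """Escape characters that are structural in an RDN value (RFC 4514).

    Added defensive step (assumption): it keeps a captured value from
    introducing extra RDN components into the mapped DN.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def map_principal(entry, principal):
    """Apply the identity mapping rule to a principal.

    Returns the mapped DN, or None when dsMatching-regexp does not match
    the expanded dsMatching-pattern (anchored full match is assumed).
    """
    subject = expand_pattern(entry["dsMatching-pattern"][0], {"Principal": principal})
    match = re.fullmatch(entry["dsMatching-regexp"][0], subject)
    if match is None:
        return None
    template = entry["dsMappedDN"][0]
    # $1, $2, ... in dsMappedDN refer to the regexp capture groups.
    return re.sub(
        r"\$(\d+)",
        lambda g: rfc4514_escape(match.group(int(g.group(1)))),
        template,
    )


if __name__ == "__main__":
    rule = parse_ldif_entry(IDENTITY_MAPPING_LDIF)
    for name in ("diperm01@testing", "diperm01", "alice,x@testing"):
        print(f"{name!r} -> {map_principal(rule, name)!r}")
```

Running the script shows the page's own case, diperm01@testing, mapping to uid=diperm01,ou=people,ou=testing,dc=elsegundoca,dc=teradata,dc=com; a name without the @realm part yields no mapping, and a captured value containing a comma is escaped rather than becoming a new RDN.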