17.10 - Example Identity Search - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine, Teradata Database, July 2021

In this example, users log on to Vantage using the NT-style logon td\ab111222.

<Mechanism Name="ldap">
      <IdentitySearch Match="[Tt][Dd]\\(.+)" Base="ou=user accounts,dc=td,dc=teradata,dc=com" Scope="subtree"
          Filter="(&amp;(objectClass=user)(sAMAccountName=${1}))" BindName="${result}" DatabaseName="${1}"/>
</Mechanism>

The IdentitySearch element contains attributes that define the parameters of a directory search, and cause TDGSS to conduct the search for each directory user logon:

Attribute Name: Match
Attribute Value: "[Tt][Dd]\\(.+)"
Description: A POSIX regular expression that matches the username (authcid).

Attribute Name: Base
Attribute Value: "ou=user accounts,dc=td,dc=teradata,dc=com"
Description: A pattern into which the search substitutes substrings from the Match attribute value, and from which it constructs the DN that it uses as the search base.

Attribute Name: Scope
Attribute Value: "subtree"
Description: A string that defines the search scope, from among these options:
  • "base" requests a search of the object named in the Base attribute.
  • "one level" requests a search of the children of the Base object.
  • "subtree" requests a search of the entire subtree, starting with Base.

Attribute Name: Filter
Attribute Value: "(&(objectClass=user)(sAMAccountName=${1}))"
Description: A pattern into which the identity search substitutes substrings from the Match attribute value, and which the search uses as the search filter, as defined in IETF RFC 2254.

Attribute Name: BindName
Attribute Value: "${result}"
Description: Defines how the system rewrites the username to bind to the directory.
The default, BindName="${result}", maintains backward compatibility with older configurations.
You can change the default based on directory requirements. For example, when using DIGEST-MD5 binding with directory services that require the DIGEST-MD5 user name to be "dn:" followed by the user's DN (common to many services), you can specify BindName="dn:${result}" to prepend "dn:" to the result of the identity search.
The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.

Attribute Name: DatabaseName
Attribute Value: "${1}"
Description: Defines how the system rewrites the username so that the database can identify the user in a particular form.
The value ${1} identifies the user in the database using only the uid portion of the logon, and drops the ${2}, ${3}, and ${4} portions of the username.

Search Results:

Based upon a Windows domain TD, the existence of users ab111222 and xy333444 in the directory, and the search base and scope specified in the previous example, the identity search generates the following searches and results.

Username: td\ab111222
Filter: (&(objectClass=user)(sAMAccountName=ab111222))
${result}: CN=ab111222,OU=NorthAmerica,OU=User Accounts,DC=TD,DC=CORP,DC=COM

Username: td\xy333444
Filter: (&(objectClass=user)(sAMAccountName=xy333444))
${result}: CN=xy333444,OU=NorthAmerica,OU=User Accounts,DC=TD,DC=CORP,DC=COM

Username: td\user1234
Filter: (&(objectClass=user)(sAMAccountName=user1234))
${result}: The search returns no results, which indicates that the user does not exist in the directory.
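To make the rewriting concrete, the following is an added Python model of the identity search described in the attribute table and the results above; it is example code, not TDGSS code. It applies Match to the logon, expands ${1} into Filter and Base, evaluates the filter against a constructed stand-in for the directory (the DNs from the results table), and derives ${result}, BindName and DatabaseName, including the no-result case. The RFC 4515 escaping of the substituted value is the example's own precaution, not a description of how TDGSS builds its filter.

```python
import re

# Constructed stand-in for the directory (not a real LDAP server); the DNs are
# the ones in the results table above.
DIRECTORY = [
    {"dn": "CN=ab111222,OU=NorthAmerica,OU=User Accounts,DC=TD,DC=CORP,DC=COM",
     "objectClass": "user", "sAMAccountName": "ab111222"},
    {"dn": "CN=xy333444,OU=NorthAmerica,OU=User Accounts,DC=TD,DC=CORP,DC=COM",
     "objectClass": "user", "sAMAccountName": "xy333444"},
]
# The IdentitySearch attributes of the example (values as in the table above).
CONFIG = {
    "Match": r"[Tt][Dd]\\(.+)",
    "Base": "ou=user accounts,dc=td,dc=teradata,dc=com",
    "Scope": "subtree",
    "Filter": "(&(objectClass=user)(sAMAccountName=${1}))",
    "BindName": "${result}",
    "DatabaseName": "${1}",
}

def ldap_escape(value):
    # RFC 4515 escaping (successor of RFC 2254) for a value placed into a filter, so the
    # logon string cannot alter the filter's structure. Example's own hardening, not TDGSS.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def substitute(pattern, groups, result=None):
    # Expand ${1}..${n} from the Match groups and ${result} from the found DN.
    text = re.sub(r"\$\{(\d+)\}", lambda m: groups[int(m.group(1)) - 1], pattern)
    return text.replace("${result}", result) if result is not None else text

def entry_matches(entry, filt):
    # Minimal evaluator for the example's AND-of-equality filter (no wildcards).
    assertions = re.findall(r"\((\w+)=([^()]*)\)", filt)
    return all(entry.get(a) == ldap_unescape(v) for a, v in assertions)

def identity_search(username, config=CONFIG, directory=DIRECTORY):
    m = re.fullmatch(config["Match"], username)
    if m is None:
        return None  # Match did not apply, so no search is made for this logon
    groups = list(m.groups())
    filt = substitute(config["Filter"], [ldap_escape(g) for g in groups])
    # Scope is not modelled: the stand-in directory is flat, so every entry is checked.
    hits = [e["dn"] for e in directory if entry_matches(e, filt)]
    result = hits[0] if len(hits) == 1 else None  # zero or several hits: no identity
    return {"base": substitute(config["Base"], groups), "filter": filt,
            "result": result, "database_name": substitute(config["DatabaseName"], groups),
            "bind_name": substitute(config["BindName"], groups, result) if result else None}
```

Calling identity_search("td\\ab111222") reproduces the first row of the results table, and identity_search("td\\user1234") returns a result of None, the "no results" case.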