TDGSS LdapClientSASLSecProps Property | Teradata Vantage - 17.10 - LdapClientSASLSecProps - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Release 17.10, July 2021, English (United States)

The LdapClientSaslSecProps property specifies the minimum security level (minssf) that the database, acting as the SASL client, requires for the DIGEST-MD5 token exchange with the directory.

When a directory user logs on to a Teradata Vantage system and the SASL token exchange between Vantage and the directory server uses DIGEST-MD5 binding, an attacker positioned between the two can tamper with the server challenge so that the exchange negotiates no integrity or confidentiality protection and the token is sent in clear text. Setting the LdapClientSaslSecProps property makes the database refuse such a downgraded DIGEST-MD5 exchange.
The DIGEST-MD5 authentication protocol used by LDAP is deprecated (RFC 6331 moved it to Historic). Teradata strongly recommends that you use simple binding protected by TLS and stop using DIGEST-MD5.

Default Property Value

The default value of the LdapClientSaslSecProps property is minssf=0. This security level is compatible with all supported directory types and configurations, but it provides no extra protection: the database accepts a token exchange that was negotiated with neither integrity nor confidentiality protection.

Editing Guidelines

  • To set a value, you must manually add this property to the TDGSS configuration file for the LDAP mechanism. See Editing Configuration Files.
  • Edit this property on the database and on Unity, if used. Also see Coordinating Mechanism Property Values for Unity.
  • If you set the property value to minssf=0, the setting avoids possible conflicts with directory types and configurations that cannot use a higher security level.
  • You can set the property value to minssf=1 to require an auth-int or auth-conf QOP. The directory must offer at least one of them; the setting does not change what the directory offers.
    • Auth-int adds a message digest (signing) to messages between the database and directory.
    • Auth-conf adds encryption and message digests (signing and sealing) to messages between the database and directory.

    Integrity checking prevents a man-in-the-middle attack that resets the QOP level and causes the password to be transmitted in clear text: with minssf=1, the database aborts the bind rather than answer a challenge that offers only the unprotected auth QOP. A setting of minssf=1 is sufficient for most implementations.

  • You can set the property value to require encryption of the token exchange. A setting of:
    • minssf=56 accepts DES (56-bit) and stronger ciphers
    • minssf=112 accepts triple DES and stronger ciphers
    • minssf=128 accepts only the strongest ciphers in the DIGEST-MD5 cipher list, for example, RC4 with a 128-bit key
    These SSF numbers are the nominal key-strength ratings that the SASL library assigns to the DIGEST-MD5 ciphers, not an assessment by current standards, under which DES and RC4 are both considered broken; if the exchange needs real confidentiality, use TLS as recommended above. If you specify a minssf value above 1, the directory must support the corresponding encryption level, and your setting must not exceed the directory's maxssf setting; if no QOP the directory offers reaches your minssf, the bind fails.
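The following is an added example, not Teradata or Cyrus SASL code, that models the client side of a DIGEST-MD5 bind to show the downgrade described above and how the minssf floor from LdapClientSaslSecProps stops it. It parses an RFC 2831 challenge, maps the offered QOPs to the SSF ratings used in this page (auth = 0, auth-int = 1, auth-conf = the cipher's SSF), and aborts when nothing offered reaches minssf. The challenges, the user name chris, the realm dir.example.com, the password, the nonces and the digest-uri are all constructed for the example; the response computation follows RFC 2831 for algorithm=md5-sess.

```python
# Added example (not Teradata or Cyrus SASL code): a minimal model of the
# client side of a DIGEST-MD5 bind, showing how the minssf value from
# LdapClientSaslSecProps decides whether a challenge that offers only
# qop=auth (the result of a man-in-the-middle downgrade) is accepted.
import hashlib
import re

# Nominal security-strength factors (SSF) Cyrus SASL assigns to DIGEST-MD5
# protection levels: auth = 0, auth-int = 1, auth-conf = SSF of the cipher.
# These are key-length ratings, not a statement that DES or RC4 are safe.
CIPHER_SSF = {"rc4": 128, "3des": 112, "des": 56, "rc4-56": 56, "rc4-40": 40}


def parse_secprops(value: str) -> int:
    """Extract minssf from a secprops string such as 'minssf=1' (default 0)."""
    props = dict(item.split("=", 1) for item in value.split(",") if "=" in item)
    return int(props.get("minssf", 0))


def parse_challenge(challenge: str) -> dict:
    """Parse an RFC 2831 directive list (key=value or key="value") into a dict."""
    out = {}
    for key, quoted, bare in re.findall(r'([\w-]+)=(?:"([^"]*)"|([^,]*))', challenge):
        out[key] = quoted if quoted else bare
    return out


def choose_qop(challenge: str, minssf: int):
    """Pick the strongest QOP/cipher the server offers.

    Returns (qop, cipher, ssf), or None when nothing offered reaches minssf,
    in which case a conforming client aborts instead of sending the token.
    """
    c = parse_challenge(challenge)
    offered = [q.strip() for q in c.get("qop", "auth").split(",")]
    ciphers = [x.strip() for x in c.get("cipher", "").split(",") if x.strip()]
    candidates = []
    if "auth" in offered:
        candidates.append(("auth", None, 0))
    if "auth-int" in offered:
        candidates.append(("auth-int", None, 1))
    if "auth-conf" in offered:
        candidates += [("auth-conf", x, CIPHER_SSF[x]) for x in ciphers if x in CIPHER_SSF]
    best = max(candidates, key=lambda t: t[2], default=None)
    return best if best is not None and best[2] >= minssf else None


def digest_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """RFC 2831 response-value (algorithm=md5-sess). The chosen qop is hashed
    into the response, so client and server must agree on it; that does not
    help when the attacker removed the stronger options before the client chose."""
    h = lambda b: hashlib.md5(b).digest()
    hexh = lambda b: hashlib.md5(b).hexdigest()
    a1 = h(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}" + ("" if qop == "auth" else ":" + "0" * 32)
    return hexh(f"{hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{hexh(a2.encode())}".encode())


# Constructed challenges: what the directory sends, and what a man in the
# middle forwards after stripping the integrity/confidentiality options.
GENUINE = ('realm="dir.example.com",nonce="OA6MG9tEQGm2hh",'
           'qop="auth,auth-int,auth-conf",cipher="rc4,3des,des",'
           'charset=utf-8,algorithm=md5-sess')
DOWNGRADED = ('realm="dir.example.com",nonce="OA6MG9tEQGm2hh",'
              'qop="auth",charset=utf-8,algorithm=md5-sess')


def client_bind(secprops: str, challenge: str):
    """Client side of the bind: returns the negotiated QOP, or None if the
    minssf floor makes the client abort rather than answer the challenge."""
    choice = choose_qop(challenge, parse_secprops(secprops))
    if choice is None:
        return None
    qop, cipher, ssf = choice
    # The response would be sent here; with qop=auth the token has no further protection.
    digest_response("chris", "dir.example.com", "secret", "OA6MG9tEQGm2hh",
                    "OA6MHXh6VqTrRk", "00000001", qop, "ldap/dir.example.com")
    return qop


if __name__ == "__main__":
    for secprops in ("minssf=0", "minssf=1", "minssf=112"):
        for name, ch in (("genuine", GENUINE), ("downgraded", DOWNGRADED)):
            print(f"{secprops:11} {name:10} -> {client_bind(secprops, ch)}")
```

With minssf=0 the downgraded challenge is answered with qop=auth, which is the clear-text token the page warns about; with minssf=1 or higher the same challenge is rejected, while the genuine challenge still negotiates auth-conf. Raising minssf past the best SSF the directory offers (129 here, above the rc4 rating of 128) also yields None, which is the bind failure that results when the setting exceeds the directory's maxssf.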