16.10 - Sample Identity Map for Logging on with a UPN - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

You can configure the LDAP mechanism to create an identity map for usernames that log on with an FQDN, such as user@dom1.dom2.dom3. For example:

<Mechanism Name="ldap">
    <MechanismProperties
        ...
        />
    <IdentityMap
      Match="([^@]+)@([^\.]+)\.([^\.]+)\.([^\.]+)"
      Pattern="uid=${1},ou=users,dc=${2},dc=${3},dc=${4}"
      DatabaseName="${1}"/>
</Mechanism>

where:

Match (required)
    Example value: "([^@]+)@([^\.]+)\.([^\.]+)\.([^\.]+)"
    A POSIX regular expression representing a matching rule that shows how the username is divided into substrings. Each substring is enclosed in ( ).

Pattern (required)
    Example value: "uid=${1},ou=users,dc=${2},dc=${3},dc=${4}"
    The substitution rule that determines how the map derives a DN from the username substrings captured by the Match attribute.

DatabaseName (optional)
    Example value: "${1}"
    Defines how the system rewrites the username so that the database can identify the user in a particular form.

The value ${1} identifies the user in the database using only the uid portion of the logon, and drops the ${2}, ${3}, and ${4} portions of the username.
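The following is an added example, not Teradata code, that applies the identity map above to a logon name the way the text describes: the Match rule splits the username into capture groups, and Pattern and DatabaseName substitute ${n} references into a DN and a database username. It assumes the Match rule must cover the whole logon name (Python's re.fullmatch) and uses Python's re engine for the POSIX-style expression; the logon names are constructed samples.

```python
import re

# Identity map values copied from the page's example; Python's re handles
# this POSIX-style expression identically.
IDENTITY_MAP = {
    "Match": r"([^@]+)@([^\.]+)\.([^\.]+)\.([^\.]+)",
    "Pattern": "uid=${1},ou=users,dc=${2},dc=${3},dc=${4}",
    "DatabaseName": "${1}",
}

_GROUP_REF = re.compile(r"\$\{(\d+)\}")


def _substitute(template, groups):
    """Replace each ${n} in template with capture group n (1-based)."""
    def repl(m):
        n = int(m.group(1))
        if n < 1 or n > len(groups):
            raise ValueError(f"${{{n}}} refers to a group Match does not capture")
        return groups[n - 1]
    return _GROUP_REF.sub(repl, template)


def apply_identity_map(logon_name, identity_map=IDENTITY_MAP):
    """Return (dn, database_name) for a logon name, or None if Match fails.

    Assumption (not stated on the page): the Match rule has to cover the
    entire logon name, so fullmatch is used rather than search.
    """
    m = re.fullmatch(identity_map["Match"], logon_name)
    if m is None:
        return None  # no identity map applies; caller must treat as unmapped
    groups = m.groups()
    dn = _substitute(identity_map["Pattern"], groups)
    # DatabaseName is optional; without it the database sees the full logon name.
    db_template = identity_map.get("DatabaseName")
    db_name = _substitute(db_template, groups) if db_template else logon_name
    return dn, db_name


if __name__ == "__main__":
    # Constructed sample logons: one the map covers, one with too few domain parts.
    for name in ("jsmith@dom1.dom2.dom3", "jsmith@corp.example"):
        print(name, "->", apply_identity_map(name))
```

Running the map over the logon names you expect to see is a quick way to confirm which of them the Match rule actually covers and which DN and database username each one resolves to.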

The identity map does not require a service bind.