16.10 - About Directory User Identification - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

When the directory authenticates a database user, TDGSS searches for user information in the directory based on the directory username specified in the logon. Directories use distinguished names (DNs) to uniquely name each directory user object, for example:

cn=ab111222,ou=northamerica,ou=useraccounts,dc=div,dc=corp,dc=com

However, requiring users to enter the entire DN can result in logon errors. In addition, the database may be able to log only part of the DN, due to object name length limitations.

To avoid having to enter the entire DN, it is common practice to allow users to specify the simple form of the username in a logon string, for example:

ab111222

The authentication process links the simple username to the DN in the directory.

Although it is generally good practice, allowing the use of simple usernames in the database logon string can present problems:

  • Some directories do not allow a simple username in the logon string and force users to enter the entire DN at logon.
  • Directories that do allow simple usernames may not efficiently bind them to the correct DNs.
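The second problem can be illustrated with a small resolver that maps a simple username to exactly one DN and refuses to guess when more than one entry matches. This is an added example, not Teradata or TDGSS code; the sample directory entries (other than the DN shown above), the search base, the use of `cn` as the username attribute, and the simple-name pattern are all assumptions.

```python
import re

# Constructed sample entries; the first DN is the example from the text above.
DIRECTORY = [
    "cn=ab111222,ou=northamerica,ou=useraccounts,dc=div,dc=corp,dc=com",
    "cn=cd333444,ou=europe,ou=useraccounts,dc=div,dc=corp,dc=com",
    "cn=cd333444,ou=contractors,ou=useraccounts,dc=div,dc=corp,dc=com",
]
BASE = "ou=useraccounts,dc=div,dc=corp,dc=com"      # assumed search base
SIMPLE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")   # assumed policy for simple names


class AmbiguousUser(Exception):
    """More than one directory entry matches the simple username."""


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        # Attribute names and cn/ou/dc values compare case-insensitively.
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def resolve(username, directory=DIRECTORY, base=BASE, attr="cn"):
    """Return the single DN under `base` whose leading RDN is attr=username."""
    # Reject anything that is not a plain name, so DN syntax such as ',' or '='
    # in the logon string can never influence the match.
    if not SIMPLE_NAME.fullmatch(username):
        raise ValueError("not a simple username")
    base_pairs = parse_dn(base)
    wanted = (attr, username.lower())
    matches = []
    for dn in directory:
        pairs = parse_dn(dn)
        if pairs[0] == wanted and pairs[-len(base_pairs):] == base_pairs:
            matches.append(dn)
    if not matches:
        raise LookupError("no directory entry for " + username)
    if len(matches) > 1:
        # Binding to the first hit could authenticate the wrong person.
        raise AmbiguousUser(username + " matches " + str(len(matches)) + " DNs")
    return matches[0]
```

Here `ab111222` resolves to its full DN, while `cd333444` raises `AmbiguousUser` because the same name exists in two organizational units.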