16.10 - LdapClientSASLSecProps - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

The LdapClientSaslSecProps property specifies the security level for the token exchange.

When a directory user logs on to a Teradata Database system and the SASL token exchange between the directory server and Teradata Database uses DIGEST-MD5 binding, an attacker could interfere with the exchange and downgrade it so that the token is sent in clear text. You can set the LdapClientSaslSecProps property to provide extra protection for a DIGEST-MD5 token exchange.

Default Property Value

The default value of the LdapClientSaslSecProps property is minssf=0. At this level the security setting is compatible with all supported directory types and configurations, but it provides no extra protection.

Supporting Mechanisms for LdapClientSASLSecProps

Only the LDAP mechanism supports the LdapClientSaslSecProps property.

To set a value, you must manually add this property to the TdgssUserConfigFile.xml for the LDAP mechanism. See About Editing Configuration Files.

Editing Guidelines

  • Edit this property on the database and on Unity, if used. Also see Coordinating Mechanism Property Values for Unity.
  • If you set the property value to minssf=0, the setting avoids possible conflicts with directory types and configurations that cannot use a higher security level.
  • You can set the property value to minssf=1, to cause the directory server to offer an auth-int or auth-conf QOP.
    • Auth-int adds a message digest (signing) to messages between the database and directory.
    • Auth-conf adds encryption and message digests (signing and sealing) to messages between the database and directory.

    Integrity checking prevents a man-in-the-middle attack that could downgrade the QOP level and cause the password to be transmitted in clear text. A setting of minssf=1 is sufficient for most implementations.

  • You can set the property value to encrypt the token exchange. A setting of:
    • minssf=56 uses DES or other low-level ciphers.
    • minssf=112 uses triple DES and other strong ciphers.
    • minssf=128 uses the strongest ciphers, for example, RC4.
    If you specify a minssf value above 1, the directory must support the corresponding encryption level, and your setting cannot exceed the directory setting for the maxssf property.
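To show how the minssf value constrains the QOP that can be negotiated, and why minssf=1 refuses the downgrade described above while minssf=0 accepts it, here is an added example (not Teradata's own code). It models the client side of the negotiation; the SSF-to-QOP mapping follows the Cyrus SASL convention (SSF 0 = auth, 1 = auth-int, above 1 = auth-conf), the default maxssf of 256 is an assumption, and the lists of server-offered SSF values are constructed inputs.

```python
from __future__ import annotations

# Simplified model of a SASL client applying LdapClientSaslSecProps.
# Not Teradata code; the SSF/QOP mapping follows Cyrus SASL's convention.

DEFAULT_MAXSSF = 256  # assumed default upper bound when maxssf is not set


def parse_secprops(secprops: str) -> dict:
    """Parse a 'key=value,key=value' security-properties string such as
    'minssf=1' or 'minssf=56,maxssf=128' into a dict of ints/flags."""
    props: dict = {}
    for item in secprops.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        props[key.strip()] = int(value) if sep else True
    return props


def qop_for_ssf(ssf: int) -> str:
    """Map a security strength factor to the DIGEST-MD5 QOP it implies."""
    if ssf == 0:
        return "auth"       # no integrity protection: a downgrade goes unnoticed
    if ssf == 1:
        return "auth-int"   # messages are signed
    return "auth-conf"      # messages are signed and sealed (encrypted)


def negotiate(client_secprops: str, offered_ssf: list) -> str | None:
    """Return the QOP the client accepts from the directory's offers, or None
    when nothing offered satisfies the client's minssf..maxssf window.
    offered_ssf is the SSF of each QOP in the server challenge (constructed)."""
    client = parse_secprops(client_secprops)
    minssf = client.get("minssf", 0)
    maxssf = client.get("maxssf", DEFAULT_MAXSSF)
    acceptable = [s for s in offered_ssf if minssf <= s <= maxssf]
    if not acceptable:
        return None
    return qop_for_ssf(max(acceptable))  # take the strongest acceptable offer


def within_directory_limit(client_secprops: str, directory_maxssf: int) -> bool:
    """The page's rule: the client's minssf may not exceed the directory's maxssf."""
    return parse_secprops(client_secprops).get("minssf", 0) <= directory_maxssf


if __name__ == "__main__":
    tampered = [0]  # a challenge stripped down to plain 'auth' by an attacker
    print(negotiate("minssf=0", tampered))  # auth: token goes in clear text
    print(negotiate("minssf=1", tampered))  # None: client refuses to continue
```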