16.10 - Example: Tdsbind Output for a Directory User not Mapped to a Database User - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017
1  C:> tdsbind -u drct01
2  Enter LDAP password:
3             LdapGroupBaseFQDN: ou=groups,dc=domain1,dc=com
4              LdapUserBaseFQDN:
5                LdapSystemFQDN: ou=system1,ou=tdat,dc=domain1,dc=com
6                LdapServerName: _ldap._tcp.domain1.com
7                LdapServerPort: 389
8              LdapClientUseTls: yes
9           LdapClientTlsCACert: /opt/teradata/tdgss/site/certs/server.pem
10         LdapClientTlsReqCert: demand
11          LdapClientMechanism: simple
12              LdapServiceFQDN: cn=dbssvc,ou=services,dc=domain1,dc=com
13 LdapServicePasswordProtected: yes
14          LdapServicePassword: configured
15      LdapServiceBindRequired: yes
16        LdapClientTlsCRLCheck: none
17 LdapAllowUnsafeServerConnect: yes
18                UseLdapConfig: yes
19       AuthorizationSupported: yes
21                         FQDN: uid=drct01,ou=principals,dc=domain1,dc=com
22         AuthUser: ldap://dsa1.domain1.com:389/uid=drct01,ou=principals,dc=domain1,dc=com
23     DatabaseName: drct01
24          Service: domain1
25         Profiles: profile1
26            Roles: extrole01, extrole02, extrole03

The table explains the example:

Line Number Description
tdsbind Input
1 C:> tdsbind -u drct01 Requests that LDAP authenticate directory user drct01.
2 Enter LDAP password The example does not specify the -w option (user password) so tdsbind prompts for a password. The user running the command enters the password, and then presses the Enter key.
tdsbind Output
Where a line of output is the value of an LDAP property, tdsbind uses the currently configured value for the corresponding property. If the tdsbind command uses a variable that corresponds to an LDAP property (for example, -B, -S, and -h, or a -O list), the command line value overrides the configured value.
3 LdapGroupBaseFQDN: ou=groups,dc=domain1,dc=com The FQDN of the group object when directory groups are mapped to Teradata Database roles.
4 LdapUserBaseFQDN The FQDN of a directory object that contains user objects.
5 LdapSystemFQDN: ou=system,ou=Standard Systems,dc=domain1,dc=com The FQDN of the tdatSystem object that is the parent of the structure used for LDAP user authorization.
6 LdapServerName: _ldap._tcp.domain1.com The name of the LDAP directory server.
7 LdapServerPort: 389 The tdsbind command sets the LDAP server port (-p) to the default. When the command contains a value, it overrides the default.
Separate specification of the LDAP server port is deprecated and should not be used. Instead, you can include the port designation as part of specifying the LDAPServerName value. See LdapServerName.
8 LdapClientUseTls: yes By default, tdsbind uses the value configured for the corresponding LDAPClientUseTls mechanism property. The yes value indicates that TLS is used to establish the connection to the directory server.
9 LdapClientTlsCACert: /opt/teradata/tdgss/site/certs/server.pem Identifies a file containing the directory server CA certificate.
10 LdapClientTlsReqCert: demand Specifies what checks the system performs on directory server certificates (if any), in a TLS-protected session.

Demand specifies that Teradata Database asks the directory server for a certificate. If it does not provide a certificate, or if it provides an invalid certificate, the connection terminates.

11 LdapClientMechanism: simple The LDAP binding style enabled on the system.
12 LdapServiceFQDN: cn=dbssvc,ou=services,dc=domain1,dc=com The DN of a bindable object in the directory, which represents the service or application that requires binding.
13 LdapServicePasswordProtected: yes Indicates whether the password for the service bind was stored in encrypted form during configuration.
14 LdapServicePassword: configured The password for the service bind, if required.
15 LdapServiceBindRequired: yes Indicates whether LDAP requires that the service, that is, Teradata Database, authenticate itself to the directory.
16 LdapClientTlsCRLCheck: none Indicates how the authentication mechanism should use the Certificate Revocation List (CRL) of the CA to verify that the server certificates are not revoked.

None specifies that no checks are performed.

17 LdapAllowUnsafeServerConnect: yes Indicates whether Teradata Database is allowed to operate with a directory server running software that does not support IETF RFC 5746-compliant connections.
18 UseLdapConfig: yes Indicates whether TDGSS uses mechanism properties configured in the alternate <LdapConfig> section rather than the base mechanism property values.
19 AuthorizationSupported: yes Determines whether the LDAP user is authorized database privileges in the directory.
20 Not applicable
21 FQDN: uid=drct01,ou=principals,dc=domain1,dc=com The directory user FQDN.

If the bind operation is successful, the output displays the FQDN.

If the bind operation was unsuccessful, an error message appears at this point and tdsbind exits.

22 AuthUser: ldap://dsa1.domain1.com:389/uid=dirUser1,ou=principals,dc=domain1,dc=com The directory user global unique identifier (GUID), if the directory supports GUIDs.
23 DatabaseName: dirUser1 The AuditTrailId for the directory user. The name of the user after rewriting it based on the configuration in the <Canonicalization> section of the <LdapConfig>.
24 Service: local The name of the service that authenticated the user. This field is blank if the mechanism authorizes the user.
25 Profiles: profxu1 The value for this attribute appears only if the directory user is mapped to one or more profiles.
26 Roles: extrole01xu1, extrole02xu1, extrole03xu1 The value for this attribute appears only if the group that contains the directory user is mapped to one or more roles.
27 Users: perm01 The database user object to which the directory principal is mapped.
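
An added example, not part of the Teradata documentation: a Python check that parses captured tdsbind output, flags the connection settings that the table above describes as relaxing protection of the directory link, and reports whether a Users mapping line is present. The function names and the flagging policy are assumptions made for this illustration.

```python
import re

# Lines copied from the tdsbind output on this page, without the manual's line numbers.
SAMPLE = """\
LdapClientUseTls: yes
LdapClientTlsReqCert: demand
LdapClientMechanism: simple
LdapServicePasswordProtected: yes
LdapServiceBindRequired: yes
LdapClientTlsCRLCheck: none
LdapAllowUnsafeServerConnect: yes
DatabaseName: drct01
"""

# "Property: value", optionally preceded by a documentation line number.
LINE = re.compile(r"^\s*(?:\d+\s+)?([A-Z][A-Za-z]{2,}):\s*(.*?)\s*$")

def parse(text):
    """Return {property: value}; prompt and command lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props):
    """Return findings for settings that weaken the directory connection."""
    p = {k: v.lower() for k, v in props.items()}
    findings = []
    if p.get("LdapClientUseTls") != "yes" and p.get("LdapClientMechanism") == "simple":
        findings.append("simple bind without TLS: password is sent in clear text")
    if p.get("LdapClientUseTls") == "yes" and p.get("LdapClientTlsReqCert") != "demand":
        findings.append("LdapClientTlsReqCert is not 'demand': valid server certificate not enforced")
    if p.get("LdapClientTlsCRLCheck") == "none":
        findings.append("LdapClientTlsCRLCheck is 'none': certificate revocation is not checked")
    if p.get("LdapAllowUnsafeServerConnect") == "yes":
        findings.append("LdapAllowUnsafeServerConnect is 'yes': servers without RFC 5746 support allowed")
    if p.get("LdapServiceBindRequired") == "yes" and p.get("LdapServicePasswordProtected") != "yes":
        findings.append("service bind password is not stored in encrypted form")
    return findings

def mapped_users(props):
    """Database users the principal maps to; empty when no Users line is present."""
    return [u.strip() for u in props.get("Users", "").split(",") if u.strip()]

if __name__ == "__main__":
    props = parse(SAMPLE)
    print("\n".join("WARN: " + f for f in audit(props)))
    print("mapped database users:", mapped_users(props) or "none")
```

For the output on this page the check reports the CRL and RFC 5746 settings and an empty user mapping, which matches the case in the title: the directory user authenticates but is not mapped to a database user.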