16.10 - Example: Bad Canonicalization with Identity Mapping - Teradata Database

Teradata Database Security Administration

Teradata Database
Release Date: June 2017
English (United States)

This example illustrates an identity mapping object that transforms a user name of the form user@realm into an appropriate FQDN. The content of the dsMatching-pattern attribute specifies that the user name obtained from the -u option is the value to be transformed to an FQDN. That user name is then matched against the regular expression in the dsMatching-regexp attribute, and the captured groups are substituted into the substitution pattern in the dsMappedDN attribute. If you run the user name diperm01@testing through this identity mapping rule, the resulting FQDN is uid=diperm01, ou=people, ou=testing, dc=elsegundo, dc=teradata, dc=com.

Before you design or change identity mappings, you should consult the directory and security administrators, since these objects represent closely guarded configuration information that could adversely affect other directory users and potentially compromise directory security.

For further information on identity mappings, please consult the Directory Server Administration Guide for the Sun Java System Directory Server. This guide can be found on the following website: http://download.oracle.com.

dn: cn=test mapping,cn=DIGEST-MD5,cn=identity mapping,cn=config
objectClass: top
objectClass: nsContainer
objectClass: dsIdentityMapping
objectClass: dsPatternMatching
cn: test mapping
dsMatching-pattern: ${Principal}
dsMappedDN: uid=$1,ou=people,ou=$2,dc=elsegundoca,dc=teradata,dc=com
dsMatching-regexp: ([^:]*)@(.*)
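The following Python script is an added illustration, not part of the Teradata documentation or the Directory Server product: it simulates how the dsMatching-regexp and dsMappedDN values above turn a principal into a DN (an approximation of the server's own $1/$2 substitution), and adds a validation check, assumed here and not described on the page, that flags captured groups containing characters RFC 4514 requires to be escaped in an RDN value.

```python
import re

# Values copied from the identity mapping entry on this page.
DS_MATCHING_REGEXP = r"([^:]*)@(.*)"
DS_MAPPED_DN = "uid=$1,ou=people,ou=$2,dc=elsegundoca,dc=teradata,dc=com"

# Characters RFC 4514 requires to be escaped inside an RDN value.
# This check is an illustration added here; the page does not describe it.
DN_SPECIAL = set(',+"\\<>;=')


def map_principal(principal, regexp=DS_MATCHING_REGEXP, mapped_dn=DS_MAPPED_DN):
    """Return the mapped DN for a principal, or None when the regexp does not match.

    Approximates Directory Server pattern matching: the regexp is applied to the
    principal and each $n in the mapped DN is replaced by capture group n.
    """
    m = re.match(regexp, principal)
    if m is None:
        return None
    dn = mapped_dn
    for i, group in enumerate(m.groups(), start=1):
        dn = dn.replace(f"${i}", group)
    return dn


def unsafe_groups(principal, regexp=DS_MATCHING_REGEXP):
    """Return the capture groups that contain DN special characters.

    An empty list means every substituted value is a plain RDN value; a
    non-empty list means the mapping would place DN syntax characters from
    the principal directly into the resulting DN.
    """
    m = re.match(regexp, principal)
    if m is None:
        return []
    return [g for g in m.groups() if DN_SPECIAL & set(g)]


if __name__ == "__main__":
    # The worked example from the page.
    print(map_principal("diperm01@testing"))
    # A constructed principal with no '@' does not match the regexp.
    print(map_principal("diperm01"))
    # Constructed realm value containing a DN separator, flagged by the check.
    print(unsafe_groups("diperm01@testing,ou=other"))
```

Run it as a script to see the three results, or import map_principal to test other mapping entries by passing a different regexp and mapped DN. The dc value in the output follows the LDIF entry above (dc=elsegundoca), which differs from the prose example on this page.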