Explanation of LDAP Logon Format Examples - Advanced SQL Engine - Teradata Database

Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
September 2020
Language
English (United States)
Last Update
2021-01-23
dita:mapPath
ied1556235912841.ditamap
dita:ditavalPath
lze1555437562152.ditaval
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantage™
Syntax Element Description
.logmech ldap Specifies the authentication mechanism. Required unless LDAP is set as the default mechanism.

LDAP is the only mechanism that supports directory authentication.

user_credentials Specifies the directory username and password, using a format that is valid for the specifying statement.
You can specify user credentials in either the .logdata or .logon statement, except when you specify an authorization qualifier, which requires you to use the .logdata statement.
Valid credential formats for the .logdata statement:
  • authcid= diruser password= dirpassword
  • diruser @@dirpassword
  • diruser password= dirpassword
Valid credential formats for the .logon statement:
  • diruser,dirpassword
If the directory service is Active Directory, or when an identity map or identity search is configured, you can also specify:

Ensuring Correct Interpretation of UPNs

For the logon diruser,dirpassword, if the user specification is “a@b” or a/b” or “a\b”, set LdapCredentialIsUPN to interpret the user specification. See LdapCredentialIsUPN.
  • If the LdapCredentialIsUPN property is absent or set to yes (the default), the system treats the user specification as a UPN, which must conform to the rules of IETF 1964.
    When LdapCredentialIsUPN is set to yes, the UPN must appear in the logon as: “a\@b” or “a\/b” or “a\\b”, where the added backslash (\) character shows the system how to handle the following character.
  • If the CredentialIsUPN property is set to no, the system disregards the special characters and considers the user specification to be an Authcid.
authorization_qualifier Specifies authorization parameters. Required when:
  • The directory user is mapped to multiple user or profile objects
  • LDAP is set to use SASL/DIGEST-MD5 binding (the default), the directory offers more than one realm, and the value of the LdapServerRealm property is set to "" (the default).
    The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.

Directory user mapped to multiple database users:

If the directory user is mapped to more than one database user, specify one of the users in the form user=database_username.

Directory user mapped to multiple profiles:
  • If a directory user is mapped to more than one profile, specify profile=profile_name in the .logdata statement to identify the session profile.
  • If the directory user is mapped to one or more database users, and also to a profile, the session defers to the separately mapped profile rather than the profile for the mapped database user.

Directory offers multiple realms:

Specify the realm as it appears in the directory, normally the fully qualified DNS name of the directory, for example:

realm=directory_FQDNSName

The system processes realm information as follows:
  • If the logon does not specify a realm, and the LdapServerRealm property value does not yield a valid realm, the logon fails.
  • If the directory does not offer a realm contained in the .logdata statement, the logon fails.
  • If the .logdata statement specifies a realm when it is needed, the logon succeeds if it is a valid realm specification.
tdpid Required. The tdpid identifies the Teradata Vantage system, Unity server, or host group to which the logon, if successful, connects.
, , If the logon specifies an account, and the directory username and directory password appear in the .logdata statement, the , , must precede the account specification, with these exceptions:
  • If the user credentials appear in the .logon statement, only a single comma is required.
  • If the .logon does not specify an account, no commas are required.
"account" Optional. The account string must be enclosed in double quotation marks. For information on accounts, see Teradata Vantage™ - Database Administration, B093-1093.