LDAP authentication - lockout and expiry


Hi,

I have a few questions wrt LDAP. We use LDAP to log in to SQL Assistant with our Windows ID.

1. If there are more than 3 wrong password attempts using LDAP on SQL Assistant, does it lock the ID on LDAP/Windows? Is the number of attempts for lockout controlled at the LDAP or TD level?

2. Is the LDAP password expiry controlled at the LDAP level, with nothing to do with TD at the profile level?

Please let me know if there is any link to manuals that discuss this in more detail.

Thanks !

Samir Singh


Re: LDAP authentication - lockout and expiry

1. I'm not sure if it is always the same, but in my environment, lockouts are controlled only through LDAP when connecting with LDAP specified as the authentication mechanism. Teradata won't even log a failed logon in DBC.LogOnOff for LDAP attempts.

2. Yeah, the password expiry set in the profile is only for "local" (TD2) authentication. All of our profiles immediately expire passwords and we logon with ldap.


Re: LDAP authentication - lockout and expiry

LDAP logon failures are recorded only in /var/log/messages of the node which handled the logon request. They are not logged in DBC.LogOnOff. We have a pending enhancement request for this feature. Below are the messages logged in /var/log/messages for each logon failure. Based on the data value (returned by the LDAP server to the ldap_bind_s request) you can determine the reason for the failure. I have posted the value-description table at the bottom. In this case data value 52e means invalid credentials.

Regarding the lockout and expiry: this setting is controlled by the LDAP server. Directory admins would control it. All authentication attempts will fail with the particular directory (after the user is locked).

Mar 30 07:40:16 <nodeid> gtwgateway[6051]: ldap_bind_s: server ldap://<ldap server>:389, authcid CN=<user name>,OU=,OU=,OU=,DC=us,DC=,DC=,DC=com, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1

Mar 30 07:40:16 <nodeid> gtwgateway[6051]: ldap_bind_s: server ldap://<ldap server>:389, authcid <username>, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1

Mar 30 07:40:16 <nodeid> Teradata[6051]: INFO: Teradata: 8073 #Event number 34-08073-00 (severity 0, category 13), occurred on Wed Mar 30 07:40:16 2016 at 001-10 (Vproc 22528, partition 10, task 8075) in system <tdpid> in Module gtwgateway, version PDE:14.10.06.04a,TDBMS:14.10.06.04,PDEGPL:14.10.06.04a,TGTW:14.10.06.01,TCHN:14.10.07.01,TDGSS:14.10.06.03

Mar 30 07:40:16 <nodeid> Teradata[6051]: Logon Authentication Failed

Mar 30 07:40:16 <nodeid> Teradata[6051]: Session: 23827897 Remote IP Address: <clientip>:52954 Logmech: ldap MajorStatus: d0000

Mar 30 07:40:16 <nodeid> Teradata[6051]: MajorText: Failure MinorStatus: e3000215 MinorText: An LDAP failure has occurred.

Data value   Description
Data 525     user not found
Data 52e     invalid credentials
Data 530     not permitted to logon at this time
Data 531     not permitted to logon at this workstation
Data 532     password expired
Data 533     account disabled
Data 534     the user has not been granted the requested logon type at this machine
Data 701     account expired
Data 773     user must reset password
Data 775     user account locked
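Since the reply above says LDAP bind failures never reach DBC.LogOnOff and can only be read from /var/log/messages on the node that handled the logon, the practical way to answer the original question ("how many bad attempts has this ID made, and is it locked now?") is to parse those gateway lines and map the AD data value to the reason table. The following is an added example, not code from the original thread or from Teradata: a small Python parser for the ldap_bind_s failure line format quoted above. The log lines inside it are constructed for the example (placeholder node, directory, DN and IP values), and the lockout threshold of 3 is an assumption standing in for whatever the directory's account-lockout policy actually is; the script only counts what the node saw, it cannot read that policy.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines, modelled on the format quoted
# in the reply above. node1, dc01.example.com, the DNs and the IP are placeholders.
SAMPLE_LOG = """\
Mar 30 07:40:16 node1 gtwgateway[6051]: ldap_bind_s: server ldap://dc01.example.com:389, authcid CN=alice,OU=Users,DC=example,DC=com, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
Mar 30 07:40:16 node1 Teradata[6051]: Logon Authentication Failed
Mar 30 07:40:16 node1 Teradata[6051]: Session: 23827897 Remote IP Address: 10.0.0.5:52954 Logmech: ldap MajorStatus: d0000
Mar 30 07:40:17 node1 gtwgateway[6051]: ldap_bind_s: server ldap://dc01.example.com:389, authcid CN=alice,OU=Users,DC=example,DC=com, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1
Mar 30 07:40:18 node1 gtwgateway[6051]: ldap_bind_s: server ldap://dc01.example.com:389, authcid CN=alice,OU=Users,DC=example,DC=com, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 775, v1db1
Mar 30 07:41:02 node1 gtwgateway[6051]: ldap_bind_s: server ldap://dc01.example.com:389, authcid bob, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 532, v1db1
Mar 30 07:42:00 node1 gtwgateway[6051]: ldap_bind_s: server ldap://dc01.example.com:389, authcid carol, error 49 (Invalid credentials), info 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 525, v1db1
"""

# AD "data" sub-codes carried in the LdapErr text of an error 49 bind failure,
# as listed in the reply above.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "534": "user has not been granted the requested logon type at this machine",
    "701": "account expired",
    "773": "user must reset password",
    "775": "user account locked",
}

# Matches only the gtwgateway ldap_bind_s failure line; the Teradata[...] lines
# that follow it in the log carry no per-user detail and are skipped.
BIND_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<node>\S+) gtwgateway\[\d+\]: "
    r"ldap_bind_s: server (?P<server>[^,\s]+), authcid (?P<authcid>.+?), "
    r"error (?P<error>\d+) \((?P<errtext>[^)]*)\).*?\bdata (?P<data>[0-9a-f]+)\b"
)


def parse_bind_failures(log_text):
    """Return one dict per ldap_bind_s failure line, with the AD data value decoded."""
    events = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.search(line)
        if not m:
            continue
        authcid = m.group("authcid")
        # authcid is either a full DN (CN=user,OU=...,DC=...) or a bare user name
        if authcid.upper().startswith("CN="):
            user = authcid[3:].split(",", 1)[0]
        else:
            user = authcid
        data = m.group("data").lower()
        events.append({
            "time": m.group("ts"),
            "node": m.group("node"),
            "server": m.group("server"),
            "user": user,
            "error": int(m.group("error")),
            "data": data,
            "reason": AD_DATA_CODES.get(data, "unknown data value " + data),
        })
    return events


def failures_per_user(events):
    """Count bind failures per user, as seen by this node only."""
    return Counter(e["user"] for e in events)


def users_at_or_over(events, threshold):
    """Users whose failure count on this node reached the (assumed) lockout threshold."""
    return sorted(u for u, n in failures_per_user(events).items() if n >= threshold)


def locked_users(events):
    """Users for whom the directory itself answered 'data 775' (account locked)."""
    return sorted({e["user"] for e in events if e["data"] == "775"})


if __name__ == "__main__":
    evs = parse_bind_failures(SAMPLE_LOG)
    for e in evs:
        print(f"{e['time']} {e['node']} user={e['user']} data={e['data']} ({e['reason']})")
    print("failures per user:", dict(failures_per_user(evs)))
    print("users with >= 3 failures on this node:", users_at_or_over(evs, 3))
    print("users the directory reports as locked:", locked_users(evs))
```

Two caveats follow from the thread itself: the count is per node, so on a multi-node system the same user's attempts are spread across each node's /var/log/messages and must be merged before comparing against the directory's threshold; and a "775" reply is the only authoritative signal of a lockout, because the threshold lives in the directory, not in the gateway.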