This repository has been archived by the owner on Nov 19, 2021. It is now read-only.

How can I use LDAP authentication? #52

Esfahan opened this issue May 22, 2018 · 21 comments

@Esfahan

Esfahan commented May 22, 2018

I want LDAP authentication to connect to Teradata with giraffez.

Is such a functionality available with giraffez?
What parameters should be specified to use LDAP with giraffez config --set command?

Thank you

@pfiluste

I am facing the same problem as Esfahan above….

@ChrisRx
Contributor

ChrisRx commented Aug 28, 2018

What is the expected behavior here? You are able to use giraffez config --set to set your current LDAP credentials so I'm presuming that you are asking for different functionality?

@Esfahan
Author

Esfahan commented Aug 29, 2018

@ChrisRx
Thanks for the reply.

Which key name should I set? Or how do I set LDAP credentials?
I tried the following but couldn't get it to work.

giraffez config --set connections.default mydb1 LOGMECH=LDAP
giraffez config --set connections.default mydb1 logmech=LDAP
giraffez config --set connections.default mydb1 LOGONMECH=LDAP
giraffez config --set connections.default mydb1 logonmech=LDAP
giraffez config --set connections.default mydb1 LOGON_MECH=LDAP
giraffez config --set connections.default mydb1 logon_mech=LDAP

And I can't find anything in the documentation about LDAP, LOGMECH, LOGON_MECH.
https://capitalone.github.io/giraffez/search.html?q=LDAP&check_keywords=yes&area=default#

@ChrisRx
Contributor

ChrisRx commented Aug 29, 2018

Oh ok I think I understand now, my apologies. You are needing support for a different logon mechanism. Currently, giraffez only supports the TD2 logon mechanism (Teradata's default), but I believe LDAP in particular could be added fairly easily. The biggest hurdle here is that I don't have a good way (that I know of) to test the change since I do not have access to a Teradata environment that is set up with LDAP integration. A possibility could be that I make the change in a branch and one of you would be able to validate if it works or not by compiling that particular branch and testing. Thoughts?

@pfiluste

Hello ChrisRx,

Thank you for your answer.
Thanks to Esfahan for his excellent example. It is what we really need.

BTW: I can see an ambiguity there. The manual for TPT mentions 'LogonMech', but different clients use 'logmech', for example: "jdbc:teradata://tdtest.kb.cz/logmech=LDAP,database=MyDatabaseName,tmode=TERA,charset=UTF16"

I think I can help you to test your improvements. I am not sure if I am able to compile (C source code) but I can try it (after 30 years) :-).

Best regards
Patrik

@Esfahan
Author

Esfahan commented Aug 31, 2018

I have access to a Teradata environment, so I can help you to test your improvements too.

And I'm not sure if I am able to compile C, but I can try it too :-)

Thanks

@ChrisRx
Contributor

ChrisRx commented Sep 6, 2018

What platforms are you both on? Installing from source should be fairly straightforward depending on what your platform is (Windows, Linux, etc), and would be similar to the instructions found here but with checking out a test branch before running the install. On Windows, it is a bit challenging because the Windows compiler is gated by obscurity, bloated applications, and/or expensive software (vs. Linux/macOS where it is freely available). For example, to support building wheels for Windows I had to save links to their old compilers that are no longer published on their download site (and are required for older versions of Python).

The reason I am unable to test this functionality myself is that the Teradata server I have access to uses TD2 as a logon mechanism, and it appears that to properly test a different logon mechanism like LDAP the Teradata server itself needs to be configured to use that mechanism. Regardless, I'm sure we can figure something out and get this feature supported, just let me know what platform you are on and I will push the local test branch I have.

@Esfahan
Author

Esfahan commented Sep 10, 2018

Hello ChrisRx,

Thank you for your explanation.
My platform is CentOS 7.3.0.

Best regards

@GroovyDan

Hey ChrisRx,

Any updates with getting this functionality tested and implemented? I was able to connect using TD2 as our system account uses this logon mechanism, but local accounts are restrained to using LDAP to authenticate. I am currently running Windows 10.

@ChrisRx
Contributor

ChrisRx commented Nov 6, 2018

I'm going to try and work this stuff into a branch to try out. Ironically, I no longer have access to a Teradata server to develop or test things, and will have to figure something out in order to actually test this kind of functionality. I will still try and get this into a branch though so that others can potentially try it out in the meantime.

@GroovyDan

Thanks Chris,
I'd be happy to test your changes. After looking through some Teradata documentation, I tried myself to get it working by editing the src/teradata.c file to hard-code LDAP as the log in mechanism like so to no avail:

snprintf(conn->dbc->logmech_name, sizeof(conn->dbc->logmech_name), "LDAP ");

Alas I am unfortunately not too familiar with C

@GroovyDan

Turns out my change was working, I just didn't realize there was a separate Teradata API (Parallel Transporter) for the bulkload functionality. I added the following to _teradataptmodule.cc and it is now connecting through LDAP using the Cmd or Bulkexport functions:

self->conn->AddAttribute(TD_LOGON_MECH, "LDAP ");

I guess the next step would be figuring out how to expose this to the front-end function through an optional parameter.

Daniel

@ChrisRx
Contributor

ChrisRx commented Jan 17, 2019

Daniel,

That is exactly what I believe needs to be added. I had started working up a feature addition on another branch and I feel it may finally be in a place where it could be considered to be merged. If you are able to take a look at it, let me know if you are able to connect with alternative connection mechanisms like LDAP. The way it works is setting logon_mech and then (if necessary) logon_mech_data in the giraffez config for the target connection should allow the usage of other auth mechanisms. Let me know if that ends up working for you!

@GroovyDan

Hey Chris,

Sorry for the delayed response, I should be able to test your proposed changes. Which branch do I need to pull?

@GroovyDan

I switched to the ext-cleanup branch to attempt to test the changes. When trying to run the setup.py to install, I received the following error:

error: command '[...]\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe' failed with exit status 2

Not sure if this is an issue on my side, but I can still compile from the source when on the master branch or my own branch. I am running Windows 10 with Python 2.7.15. I did notice you made some fixes for python 3.7, not sure if that would've impacted the windows/python2.7 install.

Daniel

@GroovyDan

GroovyDan commented Mar 14, 2019

Good news,

I switched to Python 3 and re-downloaded the Visual C++ and was able to compile the ext-cleanup branch. I tried switching the logon mech by running "giraffez config --set connections.mydb1.logon_mech LDAP" and got the following error:

BADLOGMECH(507): Requested logon mechanism is not available.

Upon inspecting the teradata.c module, I believe you can change the following to get it to work:

snprintf(conn->dbc->logmech_name, sizeof(conn->dbc->logmech_name), "%-*s",
(int)(sizeof(conn->dbc->logmech_name)), logon_mech);

Since Teradata expects the logmech_name to be exactly 8 characters including spaces, you do not need to subtract the size of the logmech name and can instead just always pad to 8. This change appears to be working for both TD2 and LDAP

@william2632

william2632 commented Jun 10, 2019

Looking for LDAP connect.
'TD2' with the maintaining account works,
but 'LDAP' with my account doesn't work. Still got a 'Bad password' error.
I tried hardcoding it in teradata.c with the code below, but got the same error.
snprintf(conn->dbc->logmech_name, sizeof(conn->dbc->logmech_name), "LDAP ");
I then downloaded the 'ext-cleanup' branch; compile and install succeeded.

install log -- begin--
Installing giraffez-script.py script to C:\Python3\Scripts
Installing giraffez.exe script to C:\Python3\Scripts

Installed c:\python3\lib\site-packages\giraffez-2.1.0-py3.7-win-amd64.egg
Processing dependencies for giraffez==2.1.0
Searching for pycrypto==2.6.1
Best match: pycrypto 2.6.1
Processing pycrypto-2.6.1-py3.7-win-amd64.egg
pycrypto 2.6.1 is already the active version in easy-install.pth

Using c:\python3\lib\site-packages\pycrypto-2.6.1-py3.7-win-amd64.egg
Searching for PyYAML==5.1.1
Best match: PyYAML 5.1.1
Adding PyYAML 5.1.1 to easy-install.pth file

Using c:\python3\lib\site-packages
Finished processing dependencies for giraffez==2.1.0
install log -- end--

but running 'giraffez config --list' gave the error below:

Traceback (most recent call last):
  File "C:\Python3\Scripts\giraffez-script.py", line 11, in <module>
    load_entry_point('giraffez==2.1.0', 'console_scripts', 'giraffez')()
  File "C:\Python3\Lib\site-packages\pkg_resources\__init__.py", line 489, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "C:\Python3\Lib\site-packages\pkg_resources\__init__.py", line 2843, in load_entry_point
    return ep.load()
  File "C:\Python3\Lib\site-packages\pkg_resources\__init__.py", line 2434, in load
    return self.resolve()
  File "C:\Python3\Lib\site-packages\pkg_resources\__init__.py", line 2440, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "c:\python3\lib\site-packages\giraffez-2.1.0-py3.7-win-amd64.egg\giraffez\__init__.py", line 61, in <module>
    from .cmd import Cmd
  File "c:\python3\lib\site-packages\giraffez-2.1.0-py3.7-win-amd64.egg\giraffez\cmd.py", line 26, in <module>
    from .connection import Connection, Context
  File "c:\python3\lib\site-packages\giraffez-2.1.0-py3.7-win-amd64.egg\giraffez\connection.py", line 23, in <module>
    from .config import Config
  File "c:\python3\lib\site-packages\giraffez-2.1.0-py3.7-win-amd64.egg\giraffez\config.py", line 25, in <module>
    from .encrypt import Crypto
  File "c:\python3\lib\site-packages\giraffez-2.1.0-py3.7-win-amd64.egg\giraffez\encrypt.py", line 22, in <module>
    from Crypto.Cipher import AES
  File "c:\python3\lib\site-packages\pycrypto-2.6.1-py3.7-win-amd64.egg\Crypto\Cipher\AES.py", line 50, in <module>
    from Crypto.Cipher import _AES
ImportError: DLL load failed: The specified module could not be found.

I am using Python 3.7 on Windows 7.

@william2632

william2632 commented Jun 11, 2019

Issue resolved by changing 'pycrypto' to 'pycryptodome':
just change it in requirements.txt,
recompile with 'python setup.py install',
and 'giraffez config' succeeds.
But I got the same error as GroovyDan:
giraffez.TeradataError: 507: CLIv2[connect]: CLI2: BADLOGMECH(507): Requested logon mechanism is not available.

@william2632

william2632 commented Jun 11, 2019

Works now by modifying teradata.c !!

modify
From:
snprintf(conn->dbc->logmech_name, sizeof(conn->dbc->logmech_name), "%-*s",(int)(sizeof(conn->dbc->logmech_name)-strlen(logon_mech)), logon_mech);
To:
snprintf(conn->dbc->logmech_name, sizeof(conn->dbc->logmech_name), "%-*s",(int)(sizeof(conn->dbc->logmech_name)), logon_mech);

giraffez config --list
connections:
  xxxxxx_Hai:
    host: xxxxxx.net
    logon_mech: LDAP
    password: ENCRYPTED:xxxxxx
    username: xxxxxx
  default: xxxxxx_Hai
giraffez cmd "select * from dbc.dbcinfo"
←[97m←[1mCommand: ←[0m←[0mExecuting ...
table_output => "False"
panic => "True"
query => "select * from dbc.dbcinfo"
multi-statement mode => "False"
←[92m←[1m--------------------------------←[0m←[0m
VERSION 14.10.07.10
RELEASE 14.10.07.09
LANGUAGE SUPPORT MODE Standard
←[92m←[1m--------------------------------←[0m←[0m

thank you all!
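
The two snprintf variants from this thread next to a stricter fill, as an added example (not part of the thread or the giraffez source). It assumes the 8-byte logon-mechanism field described above; all function names here are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define LOGMECH_LEN 8 /* assumed width of the fixed field, per the thread */

/* Original line: pad width = field size minus name length. */
static int format_original(char out[LOGMECH_LEN], const char *mech) {
    return snprintf(out, LOGMECH_LEN, "%-*s",
                    (int)(LOGMECH_LEN - strlen(mech)), mech);
}

/* Change proposed in the thread: pad width = field size. snprintf keeps
 * one byte for the terminator, so byte 8 ends up NUL, not a space. */
static int format_thread_fix(char out[LOGMECH_LEN], const char *mech) {
    return snprintf(out, LOGMECH_LEN, "%-*s", LOGMECH_LEN, mech);
}

/* Hypothetical stricter helper: blank-fill all 8 bytes with no terminator
 * and reject empty or over-long names instead of silently truncating. */
static int set_logmech(char out[LOGMECH_LEN], const char *mech) {
    size_t n = mech ? strlen(mech) : 0;
    if (n == 0 || n > LOGMECH_LEN)
        return -1;
    memset(out, ' ', LOGMECH_LEN);
    memcpy(out, mech, n);
    return 0;
}

/* Print the field byte by byte: '.' marks NUL, 'X' marks untouched bytes. */
static void show(const char *label, const char buf[LOGMECH_LEN]) {
    printf("%-12s [", label);
    for (int i = 0; i < LOGMECH_LEN; i++)
        putchar(buf[i] ? buf[i] : '.');
    puts("]");
}

int main(void) {
    char buf[LOGMECH_LEN];
    memset(buf, 'X', sizeof buf);
    format_original(buf, "LDAP");
    show("original", buf);
    memset(buf, 'X', sizeof buf);
    format_thread_fix(buf, "LDAP");
    show("thread fix", buf);
    if (set_logmech(buf, "LDAP") == 0)
        show("blank-filled", buf);
    return 0;
}
```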

@Esfahan
Author

Esfahan commented Sep 24, 2020

@ChrisRx
Has this issue been fixed by the pull request below?
#75

If so, how do I use it? Like this?

giraffez config --set connections.default mydb1 logon_mech=LDAP

@th0ma5w

th0ma5w commented May 6, 2021

After messing with this a bunch, I got this to work, but I had to pad the logon_mech so that it was 8 characters long:

colorful: true
connections:
  default: db1
  db1:
    host: td.ncr.okay
    logon_mech: "LDAP    "
    password: lalalalala
    username: th0ma5w
