Internal user warning returned when using an Access Control List (ACL) with Cross Datacenter Replication (XDR) on non-compatible Aerospike Server versions that send both internal and external authentication modes
When using an Access Control List (ACL) and running Cross Datacenter Replication (XDR) on a cluster installed with Aerospike Enterprise Edition Server versions 126.96.36.199 to 188.8.131.52 shipping to an Aerospike Enterprise Edition Server version 4.6 or newer, the following warning is returned in the aerospike.log:
Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
This warning occurs when authentication fails because a user attempts to log in with a password sent as encrypted ‘external’ (clear password encrypted) while the password is expected as hashed ‘internal’.
In XDR, the Aerospike C Client is incorporated as the shipping client. For Aerospike Enterprise Edition Server versions 184.108.40.206 to 220.127.116.11, the XDR code used the Aerospike C Client 4.3.6. When Aerospike Enterprise Edition Server 4.6 or newer is used with Aerospike Client versions such as the Aerospike C Client 4.3.6, the ‘internal user…’ warning is returned in the aerospike.log and authentication fails.
The Aerospike C Client 4.3.6 originally introduced external authentication for LDAP only. At that point, there was no support for explicit internal vs. external authentication mode, and passwords were being sent both as hashed ‘internal’ and as encrypted ‘external’ (clear password encrypted).
Aerospike Server version 4.6 introduced the following change, which caused XDR with the older Aerospike C Client 4.3.6 library incorporated to fail authentication:
[AER-6080] - (SECURITY) Do not allow logins by external (LDAP) users who have an internal password.
With this failure, the incompatible Aerospike Enterprise Edition Server versions 18.104.22.168 to 22.214.171.124 cannot ship to Aerospike Enterprise Edition Server versions 4.6 or newer.
The simplest workaround is to avoid using those incompatible Aerospike Enterprise Edition Server versions 126.96.36.199 to 188.8.131.52.
Upgrade the cluster to the listed minimum required Aerospike Enterprise Edition Server Client version 184.108.40.206 or newer.
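To check an aerospike.log for the warning described above, for example before and after an upgrade, the following added example (not Aerospike's own code) parses lines in the layout shown in this article and summarizes how often the warning was logged. The function name and the sample lines are constructed for illustration; only the warning's message text and line layout come from the article.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout as shown in this article:
#   "<Mon DD YYYY HH:MM:SS> GMT: <LEVEL> (<context>): (<file>:<line>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) GMT: "
    r"(?P<level>[A-Z]+) \((?P<ctx>[^)]+)\): "
    r"\((?P<src>[^:)]+):\d+\) (?P<msg>.*)$"
)
# Match on the message text rather than the source line number (2762 in the
# article), since the line number is tied to one particular build.
WARNING_MSG = "login - internal user using ldap"

def summarize_login_warnings(lines):
    """Return (total, first_seen, last_seen, per_minute) for the warning."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "WARNING" or m["ctx"] != "security":
            continue  # unparseable line, or a different level/context
        if m["msg"].strip() != WARNING_MSG:
            continue  # some other security warning
        hits.append(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"))
    per_minute = Counter(ts.strftime("%Y-%m-%d %H:%M") for ts in hits)
    first = min(hits) if hits else None
    last = max(hits) if hits else None
    return len(hits), first, last, per_minute

# Constructed sample input; the first line reproduces the one in the article,
# the rest are made up to exercise the parser.
SAMPLE_LOG = """\
Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
Oct 29 2019 14:59:08 GMT: INFO (info): (ticker.c:100) constructed unrelated line
Oct 29 2019 14:59:37 GMT: WARNING (security): (security.c:2770) login - internal user using ldap
Oct 29 2019 15:00:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
not a log line
""".splitlines()

if __name__ == "__main__":
    total, first, last, per_minute = summarize_login_warnings(SAMPLE_LOG)
    print(f"{total} warnings between {first} and {last}")
    for minute, count in sorted(per_minute.items()):
        print(f"  {minute}  {count}")
```

A steady count per minute that drops to zero after the upgrade indicates the XDR logins are no longer being rejected.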
- Server downloads
- Related knowledge base article: Aerospike Client versions sending both authentication mode.
SECURITY INTERNAL EXTERNAL AUTHMODE AUTHENTICATION XDR ACL