Internal user warning returned with non-compatible Aerospike Client versions sending both internal and external authentication mode
When using Aerospike Enterprise Edition Server 4.6 or newer with certain Aerospike Client versions, the following warning is returned in the aerospike.log.
Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
When using Aerospike Enterprise Edition Server version 4.6 or newer with certain Aerospike Client versions, an ‘internal user…’ warning is returned in the aerospike.log and authentication fails.
The Aerospike Client originally introduced external authentication for LDAP only. At that point, there was no support for an explicit internal vs. external authentication mode, and passwords were being sent both as hashed ‘internal’ and as encrypted ‘external’ (clear password encrypted).
With Aerospike Server version 4.6, the following change “[AER-6080] - (SECURITY) Do not allow logins by external (LDAP) users who have an internal password.” causes those older client libraries to fail authentication.
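To see from aerospike.log when these rejected logins started, and whether they stop once clients are upgraded, the warning can be counted per hour. The following Python script is an added example, not part of the original article or of Aerospike's tooling; the function name summarize and all sample lines other than the quoted warning are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Message text of the warning quoted in this article.
MARKER = "login - internal user using ldap"

# Layout taken from the article's log line:
# "<Mon DD YYYY HH:MM:SS> GMT: <LEVEL> (<context>): (<file>:<line>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) GMT: "
    r"(?P<level>[A-Z]+) \((?P<context>[\w-]+)\): "
    r"\((?P<src>[\w.]+):\d+\) (?P<msg>.*)$"
)

# Constructed sample input: the security.c WARNING lines repeat the line from
# the article with made-up timestamps; every other line is made up as well.
SAMPLE_LOG = """\
Oct 29 2019 14:58:01 GMT: INFO (info): (sample.c:1) constructed unrelated line
Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
Oct 29 2019 14:59:40 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
Oct 29 2019 15:00:00 GMT: WARNING (security): (sample.c:2) constructed other security warning
truncated or non-log text
Oct 29 2019 15:02:11 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
"""


def summarize(lines):
    """Return count, first/last time and per-hour totals of the warning."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m is None or (m["level"], m["context"]) != ("WARNING", "security"):
            continue  # not a security WARNING in the expected layout
        # Match on message text only; the source line number may differ by build.
        if MARKER in m["msg"]:
            hits.append(datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"))
    return {
        "count": len(hits),
        "first": min(hits, default=None),
        "last": max(hits, default=None),
        "per_hour": dict(Counter(t.strftime("%Y-%m-%d %H:00") for t in hits)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```
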
Using one of the following Aerospike Client versions will cause this issue:
- 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10
- 4.1.4, 4.1.5
- 3.6.1, 3.6.2
- 3.1.0, 3.1.1
Upgrade to the listed minimum required Aerospike Client version:
- 4.3.11 Added support for authentication mode (as_config.auth.mode)
- 4.1.6 Added support for authentication mode (ClientPolicy.authMode)
- 3.6.3 Added support for authentication mode (ClientPolicy.authMode)
- 3.2.0 Added a config parameter for the client constructor (auth_mode)
Client version currently NOT impacted:
For the Go client library, it is recommended to use at least version 1.35.1 if authentication is used.
Client downloads are available at: https://www.aerospike.com/download/client/
SECURITY, INTERNAL, EXTERNAL, AUTHMODE, AUTHENTICATION, USER