Internal user warning returned with non-compatible Aerospike Client versions sending both internal and external authentication mode

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

Problem Description

When using Aerospike Enterprise Edition Server 4.6 or newer with certain Aerospike Client versions, the following warning is returned in the aerospike.log.

Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap

Explanation

When using Aerospike Enterprise Edition Server version 4.6 or newer with certain Aerospike Client versions, an ‘internal user…’ warning is written to aerospike.log and authentication fails.

The Aerospike Client originally introduced external authentication for LDAP only. At that point, there was no support for an explicit internal vs. external authentication mode, and passwords were sent both as a hashed ‘internal’ credential and as an encrypted ‘external’ credential (the clear password, encrypted).

With Aerospike Server version 4.6, the change “[AER-6080] - (SECURITY) Do not allow logins by external (LDAP) users who have an internal password.” caused those older client libraries to fail authentication.

Using one of the following Aerospike Client versions will cause this issue:

  • C/C++

    • 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.3.10
  • Java

    • 4.1.4, 4.1.5
  • C#

    • 3.6.1, 3.6.2
  • Python

    • 3.1.0, 3.1.1

Upgrade to the listed minimum required Aerospike Client version:

  • C/C++

    • 4.3.11 Added support for authentication mode (as_config.auth.mode)
  • Java

    • 4.1.6 Added support for authentication mode (ClientPolicy.authMode)
  • C#

    • 3.6.3 Added support for authentication mode (ClientPolicy.authMode)
  • Python

    • 3.2.0 Added a config parameter for the client constructor (auth_mode)

Clients currently NOT impacted:

  • Node.js
  • PHP
  • REST
  • Ruby
  • Rust

For the Go client library, it is recommended to use at least version 1.35.1 if authentication is used.
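
To triage this issue, the following added example (not part of the original article or of Aerospike's tooling) scans aerospike.log lines for the warning quoted above and checks a client inventory against the affected and minimum fixed versions listed in this article. The inventory format, host names and dictionary keys are assumptions made for the example; the Go client is not covered because the article gives only a recommended version for it.

```python
import re

# Affected releases and first fixed release per client, copied from the lists
# above. The dictionary keys are labels chosen for this example.
AFFECTED = {
    "c": ({"4.3.6", "4.3.7", "4.3.8", "4.3.9", "4.3.10"}, "4.3.11"),
    "java": ({"4.1.4", "4.1.5"}, "4.1.6"),
    "csharp": ({"3.6.1", "3.6.2"}, "3.6.3"),
    "python": ({"3.1.0", "3.1.1"}, "3.2.0"),
}

# Shape of the warning quoted in the Problem Description. The security.c line
# number is matched loosely on the assumption that it differs between builds.
WARNING_RE = re.compile(
    r"^(?P<ts>.+? GMT): WARNING \(security\): "
    r"\(security\.c:\d+\) login - internal user using ldap\s*$"
)

def warning_timestamps(log_lines):
    """Return the timestamp of every 'internal user using ldap' warning."""
    return [m.group("ts") for m in map(WARNING_RE.match, log_lines) if m]

def audit_clients(inventory):
    """Return (host, client, version, upgrade_to) for each affected client."""
    findings = []
    for host, client, version in inventory:
        affected, fixed = AFFECTED.get(client.lower(), (set(), None))
        if version in affected:
            findings.append((host, client, version, fixed))
    return findings

# Constructed sample data: the first log line is the one quoted in this
# article, the rest (hosts, versions, other lines) are made up.
SAMPLE_LOG = [
    "Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap",
    "Oct 29 2019 14:59:09 GMT: INFO (example): constructed unrelated line",
    "Oct 29 2019 15:02:41 GMT: WARNING (security): (security.c:2762) login - internal user using ldap",
]
SAMPLE_INVENTORY = [
    ("app-01", "java", "4.1.5"),
    ("app-02", "python", "3.2.0"),
    ("app-03", "c", "4.3.10"),
    ("app-04", "ruby", "2.0.0"),
]

if __name__ == "__main__":
    print(warning_timestamps(SAMPLE_LOG))
    print(audit_clients(SAMPLE_INVENTORY))
```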

Notes

Client downloads are available at: Real-time Data Platform - Multi-model NoSQL | Aerospike

Keywords

SECURITY, INTERNAL, EXTERNAL, AUTHMODE, AUTHENTICATION, USER

Timestamp

October 2019