Detail
With Aerospike 4.1, external authentication systems are supported; that release supports LDAP authentication. An updated client sends not only the hashed version of the password (in case the user is internal) but also the actual password, which is forwarded to the external system. External authentication can be disabled on the client login call, in which case the client sends only the hashed password and not the clear-text password.

Answer
An Aerospike client API allows the specification of a username and password from the application.
- If the client detects a server with external authentication enabled, it first determines whether it has a stored access token. If it has none, it sends the username, the bcrypt() version of the password, and the password itself. Sending both forms allows transparent hybrid (internal and external) access.
- The server then checks the local database. If the user exists and has a bcrypt() version of the password set, that bcrypt() hash is checked: if it matches, the server generates an access token; if it does not match, authentication fails. If there is no bcrypt() version of the password, authentication passes to the external phase.
- The configured LDAP server is contacted and a BIND login request is initiated. If configured, the username may be remapped or translated. Both a standard password and SASL authentication will be supported, using OpenLDAP libraries.
- If the LDAP login succeeds, the server generates an access token and passes it to the client.
- The cluster then queries the LDAP server with the appropriate wildcard query to determine the list of groups available for this user. The result is stored locally and distributed to the other members of the cluster.
- The client then opens each subsequent TCP connection using the access token, which is validated on every TCP connection by verifying its timestamp and its HMAC.
- If the client needs a new TCP connection and the access token is no longer valid, the server rejects the token and the client requests a new access token from the server through the same interaction described above.
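The following is an added, self-contained Python illustration of the whole flow above: the client sends the hashed and the clear password, the server checks its local store first and falls back to an LDAP BIND only when no local hash exists, the group list is cached after an external login, and an HMAC-signed token with an expiry is validated on every new connection, with the client re-authenticating when a token is rejected. It is not Aerospike's code: the user store, the LDAP stub, the token layout, `TOKEN_TTL`, the fixed salt and all function and variable names are assumptions for the demo, and scrypt stands in for bcrypt, which is not in the Python standard library.

```python
# Added illustration of the hybrid login flow described above (local hash check,
# LDAP BIND fallback, HMAC access token validated on every connection).
# This is NOT Aerospike code: the user store, the LDAP stub, the token layout,
# TOKEN_TTL and every name here are assumptions made for the demo.
# bcrypt is not in the Python standard library, so scrypt with a fixed salt
# stands in for the bcrypt() value the client computes and sends.
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

SERVER_SECRET = os.urandom(32)          # cluster HMAC key (constructed per run)
TOKEN_TTL = 3600                        # token lifetime in seconds (assumed)
FIXED_SALT = b"demo-fixed-salt!"        # lets client and server derive the same hash

# Constructed sample data: alice is an internal user with a stored hash,
# bob exists only in the (stub) LDAP directory and has no local hash.
LDAP_DIRECTORY = {"bob": ("bob-pw", ["dev", "ops"])}
GROUP_CACHE = {}                        # groups learned at external login, shared cluster-wide


def hash_password(password):
    """Client-side stand-in for bcrypt(password): scrypt with a fixed salt."""
    digest = hashlib.scrypt(password.encode(), salt=FIXED_SALT, n=2**12, r=8, p=1)
    return digest.hex()


LOCAL_USERS = {"alice": hash_password("alice-pw")}


def ldap_bind(username, password):
    """Stub for the BIND request against the configured LDAP server."""
    entry = LDAP_DIRECTORY.get(username)
    return entry is not None and hmac.compare_digest(entry[0], password)


def ldap_groups(username):
    """Stub for the wildcard group query that follows a successful BIND."""
    return list(LDAP_DIRECTORY[username][1])


def issue_token(username, now=None):
    """Access token = base64(claims) '.' HMAC-SHA256(claims) under the cluster key."""
    now = int(time.time() if now is None else now)
    claims = json.dumps({"u": username, "exp": now + TOKEN_TTL}).encode()
    mac = hmac.new(SERVER_SECRET, claims, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(claims).decode() + "." + mac


def validate_token(token, now=None):
    """Per-connection check: verify the HMAC first, then the expiry. Returns the user or None."""
    try:
        claims_b64, mac = token.split(".")
        claims = base64.urlsafe_b64decode(claims_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, claims, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None                      # forged or tampered token
    parsed = json.loads(claims)
    now = time.time() if now is None else now
    if now >= parsed["exp"]:
        return None                      # expired: client must log in again
    return parsed["u"]


def login(username, hashed_pw, clear_pw, external_enabled=True, now=None):
    """Server-side login: local hash check first; LDAP only when no local hash exists."""
    stored = LOCAL_USERS.get(username)
    if stored is not None:
        # A wrong local hash fails outright; there is no fallback to LDAP.
        return issue_token(username, now) if hmac.compare_digest(stored, hashed_pw) else None
    if not external_enabled or clear_pw is None:
        return None                      # external phase disabled or no clear password sent
    if not ldap_bind(username, clear_pw):
        return None
    GROUP_CACHE[username] = ldap_groups(username)   # would be replicated to the cluster
    return issue_token(username, now)


class Client:
    """Minimal client: caches the token and re-authenticates when a connection is refused."""

    def __init__(self, username, password, external_auth=True):
        self.username, self.password = username, password
        self.external_auth = external_auth   # False: send only the hashed password
        self.token = None

    def connect(self, now=None):
        """Open one TCP connection; returns the authenticated user name."""
        if self.token is not None:
            user = validate_token(self.token, now)    # server validates on each connection
            if user is not None:
                return user
            self.token = None                          # rejected: fall through to a fresh login
        clear = self.password if self.external_auth else None
        self.token = login(self.username, hash_password(self.password), clear, now=now)
        if self.token is None:
            raise PermissionError("login failed for " + self.username)
        return validate_token(self.token, now)
```

Two design points match the text: the server never falls back to LDAP when a local hash exists but does not match, so an internal user's password cannot be brute-forced through the external path, and the HMAC is checked before the expiry so an attacker cannot learn anything about the claims of a token they forged. A client created with `external_auth=False` omits the clear password and can therefore only authenticate as an internal user.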