Problem Description
When using an Access Control List (ACL) and running Cross Datacenter Replication (XDR) on a cluster installed with Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 shipping to an Aerospike Enterprise Edition Server version 4.6 or newer, the following warning is returned in the aerospike.log:
Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap
Explanation
This warning is logged when authentication fails because a user attempts to log in with the password sent as encrypted 'external' (clear password encrypted) while the password is expected as hashed 'internal'.
In XDR, the Aerospike C Client is incorporated as the shipping client. In Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6, the XDR code used the Aerospike C Client 4.3.6. When Aerospike Enterprise Edition Server 4.6 or newer is used with Aerospike Client versions such as the Aerospike C Client 4.3.6, the 'internal user...' warning is returned in the aerospike.log and authentication fails.
The Aerospike C Client 4.3.6 originally introduced external authentication with LDAP. At that point, there was no support for an explicit internal vs. external authentication mode, and passwords were sent both as hashed 'internal' and as encrypted 'external' (clear password encrypted).
Aerospike Server version 4.6 introduced the change "[AER-6080] - (SECURITY) Do not allow logins by external (LDAP) users who have an internal password", which causes XDR with the older Aerospike C Client 4.3.6 library incorporated to fail authentication.
Because of this failure, the incompatible Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 cannot ship to Aerospike Enterprise Edition Server versions 4.6 or newer.
Solution
The simplest workaround is to avoid using those incompatible Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6.
Upgrade the cluster to the listed minimum required Aerospike Enterprise Edition Server version 4.3.0.7 or newer.
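A check for whether a given XDR source/destination pair falls in the affected range, together with a scan for the warning line, as an added example that is not Aerospike's own code. The function names and the second sample log line are assumptions made for illustration; the version bounds and the warning text are the ones given on this page.

```python
import re

# Version bounds exactly as stated on this page.
SRC_MIN, SRC_MAX = (4, 1, 0, 1), (4, 3, 0, 6)   # affected XDR source range, inclusive
DST_MIN = (4, 6, 0, 0)                          # destination 4.6 or newer

# The source line number (2762 on this page) is matched loosely, on the
# assumption that it can differ between server builds.
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2} GMT): WARNING \(security\): "
    r"\(security\.c:\d+\) login - internal user using ldap\s*$"
)

# Constructed sample: the first line is the warning quoted on this page,
# the second is a made-up non-matching line.
SAMPLE_LOG = [
    "Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap",
    "Oct 29 2019 14:59:08 GMT: INFO (example): (example.c:1) constructed unrelated line",
]

def parse_version(text):
    """Turn '4.3.0.6' (or '4.6') into a 4-tuple of ints, zero-padded."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    parts = [int(p) for p in match.group().split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def xdr_pair_affected(source, destination):
    """True when the source is in 4.1.0.1..4.3.0.6 and the destination is >= 4.6."""
    return (SRC_MIN <= parse_version(source) <= SRC_MAX
            and parse_version(destination) >= DST_MIN)

def find_login_warnings(log_lines):
    """Return the timestamps of every 'internal user using ldap' warning."""
    return [m.group("ts") for m in map(WARNING_RE.match, log_lines) if m]

if __name__ == "__main__":
    for src, dst in [("4.3.0.6", "4.6"), ("4.3.0.7", "4.6")]:
        print(src, "->", dst, "affected:", xdr_pair_affected(src, dst))
    print("warnings at:", find_login_warnings(SAMPLE_LOG))
```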
Notes
- Server downloads are available at: https://aerospike.com/download/#servers
- Client downloads are available at: https://aerospike.com/download/#clients