allowplaintext: no and aggregates

Dan White dwhite at
Fri Dec 6 14:53:04 EST 2013

On 12/06/13 14:04 -0500, sofkam wrote:
>We are running a murder aggregate:
>        Front-end db
>        Three front-end servers
>        One back end server
>Starting next year we are no longer permitting unencrypted connections
>(long time coming).  Our supported authentication mechanisms are:
>      sasl_mech_list: PLAIN LOGIN
>When I change allowplaintext to "no", will the back-end and front-end
>servers be able to communicate with each other?  Or, do I need
>to add an additional non-plain authentication mechanism?  Will the
>db-server require plain-text logins?

Enabling TLS should allow plaintext logins even where allowplaintext is set
to no. You could also enable sasldb or another auxprop plugin, use a shared
secret mechanism such as digest-md5, for your server to server
communications. However, if you enable a shared secret mechanism on a
frontend server, or a backend server (if you allow clients to connect
directly to one), you will likely see authentication failures from clients
attempting digest-md5 auth, unless those users exist within your auxprop

Dan White

More information about the Info-cyrus mailing list