On Wed, 2010-10-13 at 10:53 +0200, Martin Spuetz wrote:
i have a setup with two director servers pointing to two backends. I don't care that much for load balancing, my main goal is high availability.
CRAM-MD5 auth is working fine if I connect directly to the backends, but the director only supports AUTH=PLAIN because of the static passdb.
Yeah. The problem is that with CRAM-MD5 the username can't be known until the authentication is started. But the authentication can't be started until the backend server is known, which of course can't be known until username is known..
So the only way to make CRAM-MD5 work with proxying is to have client authenticate with CRAM-MD5 against the proxy. The proxy then does a separate authentication against the backend server (e.g. using a master proxy password that allows authenticating against anyone).
Or if you only care about HA, maybe you shouldn't use director at all and just have active/passive pair of servers.