Bug 1342609

Summary: At startup DES to AES password conversion causes timeout in start script
Product: Red Hat Enterprise Linux 7
Reporter: mreynolds
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent
Version: 7.3
CC: ekeck, mkolaja, nkinder, pbokoc, rmeggins
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base-1.3.5.5-1.el7
Doc Type: Bug Fix
Doc Text:
*DES* to *AES* password conversion must now be done manually on suffixes other than `cn=config`

When Directory Server starts, stored passwords that are encrypted with the Data Encryption Standard (DES) algorithm are automatically converted to the stronger Advanced Encryption Standard (AES) algorithm. Previously, *DES*-encrypted passwords were located with an internal unindexed search over every database, which was too slow for very large user databases and in some cases caused the startup to time out, preventing Directory Server from starting. With this update, only the configuration suffix `cn=config` is checked for *DES* passwords at startup, and a new task, `des2aes`, is available, which administrators can run after the server has started to convert the passwords in a specific database to *AES*. As a result, the server now starts regardless of the size of the user databases. Note that *DES*-encrypted passwords stored outside `cn=config` remain *DES*-encrypted until the `des2aes` task is run against that database.
Clones: 1344293, 1346420
Last Closed: 2016-11-03 20:42:19 UTC
Bug Blocks: 1344293, 1346420

Description mreynolds 2016-06-03 16:19:10 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48862

When the server is started, and the DES plugin is enabled, it searches all the backends for DES passwords to convert to AES.  This search is typically unindexed, and on large databases/backends this takes a long time and the start script times out.

We need to come up with a better way to handle this.  Perhaps only run it on cn=config when starting the server?  And/or add a new task to convert DES passwords to AES for specific backends (filter/scope)?

Comment 1 mreynolds 2016-06-07 18:46:19 UTC
Fixed upstream.

Design doc updated to reflect new behavior and the new slapi task (des2aes).

http://www.port389.org/docs/389ds/design/pbe.html

Comment 10 Viktor Ashirov 2016-06-28 09:14:47 UTC
Build tested:
389-ds-base-1.3.5.8-1.el7.x86_64

ticket47462_test.py::test_ticket47462 PASSED

I also tested a scenario with a large database (500k entries).
[1] Disable AES plugin
[2] Add description as nsslapd-pluginarg2 for DES plugin
[3] Create 500k entries with description
[4] Restart the server

On the older version, the server failed to start after 10 minutes.
Last message in errors log:
[28/Jun/2016:05:11:23.311266877 -0400] - convert_pbe_des_to_aes:  Checking for DES passwords to convert to AES...

After upgrading to build 389-ds-base-1.3.5.8-1.el7.x86_64, the server started up immediately. To convert the DES passwords I started the des2aes task:
[28/Jun/2016:05:30:48.929675648 -0400] des2aes task - Successfully converted password for (uid=500000,ou=People,dc=example,dc=com)
...
[28/Jun/2016:05:54:23.400382680 -0400] des2aes task - Successfully converted password for (uid=00000,ou=People,dc=example,dc=com)

Marking as VERIFIED.
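
As an added illustration (not code from the bug, the errata, or the 389-ds project), the following Python helpers cover the workflow the Doc Text and Comment 10 describe: read the attribute names the DES plugin protects from its nsslapd-pluginarg values, scan an exported LDIF (dse.ldif or db2ldif output) for values still carrying the DES prefix instead of issuing the unindexed live search that stalled startup, emit the des2aes task entry for ldapadd, and tally the "Successfully converted" lines from the errors log. Assumptions: stored values are prefixed {DES}/{AES}, every nsslapd-pluginarg value on the DES plugin entry is an attribute name, and the task entry's `suffix` attribute follows the upstream pbe design document linked in Comment 1 (check it against your version). The LDIF and log lines below are constructed here, apart from the "Checking for DES passwords" line, which is taken from Comment 10.

```python
"""Offline helpers around the des2aes change: find {DES}-encrypted values in an
LDIF export, build the task entry, and tally task progress from the errors log."""
import base64
import re

DES_PREFIX = "{DES}"   # assumed on-disk prefix of a DES PBE-encrypted value
AES_PREFIX = "{AES}"   # assumed prefix after conversion
DES_PLUGIN_DN = "cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config"

# Constructed sample export (not from the bug): config, the DES plugin entry
# with 'description' added as nsslapd-pluginarg2 as in Comment 10, and two
# user entries, one still DES, one already AES (base64-folded in the LDIF).
SAMPLE_LDIF = """\
dn: cn=config
cn: config
nsslapd-rootpw: {SSHA512}c29tZWhhc2g=

dn: cn=DES,cn=Password Storage Schemes,cn=plugins,cn=config
cn: DES
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: nsmultiplexorcredentials
nsslapd-pluginarg1: nsds5ReplicaCredentials
nsslapd-pluginarg2: description

dn: uid=00001,ou=People,dc=example,dc=com
uid: 00001
description: {DES}cGxhY2Vob2xkZXI=

dn: uid=00002,ou=People,dc=example,dc=com
uid: 00002
description:: e0FFU31jR3hoWTJWb2IyeGtaWEk9
"""

# Constructed errors-log excerpt; the first line is the one quoted in Comment 10.
SAMPLE_LOG = [
    "[28/Jun/2016:05:11:23.311266877 -0400] - convert_pbe_des_to_aes:  Checking for DES passwords to convert to AES...",
    "[28/Jun/2016:05:30:48.929675648 -0400] des2aes task - Successfully converted password for (uid=00001,ou=People,dc=example,dc=com)",
]


def parse_ldif(text):
    """Minimal LDIF reader yielding (dn, [(attr, value), ...]) per record.
    Handles folded continuation lines and base64 ('::') values; enough for
    dse.ldif and db2ldif output, not a full RFC 2849 implementation."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    dn, attrs = None, []
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line:
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, []
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, value))


def _arg_index(name):
    m = re.search(r"(\d+)$", name)
    return int(m.group(1)) if m else 0


def protected_attrs(ldif_text):
    """Attribute names the DES plugin reversibly encrypts, read from its
    nsslapd-pluginargN values (assumption: every pluginarg is an attribute name)."""
    for dn, attrs in parse_ldif(ldif_text):
        if dn.lower() == DES_PLUGIN_DN.lower():
            args = [(n, v) for n, v in attrs if n.lower().startswith("nsslapd-pluginarg")]
            args.sort(key=lambda nv: _arg_index(nv[0]))   # numeric, so arg10 follows arg9
            return [v.lower() for _, v in args]
    return []


def find_pbe_values(ldif_text, attrs):
    """(dn, attr, scheme) for every value of the given attributes carrying a
    {DES} or {AES} prefix; an offline pass over an export, not an unindexed
    search against the running server."""
    want = {a.lower() for a in attrs}
    hits = []
    for dn, avs in parse_ldif(ldif_text):
        for name, value in avs:
            if name.lower() not in want:
                continue
            for prefix in (DES_PREFIX, AES_PREFIX):
                if value.startswith(prefix):
                    hits.append((dn, name, prefix[1:-1]))
    return hits


def des_entries(ldif_text, attrs):
    """Sorted DNs that still hold at least one DES-encrypted protected value."""
    return sorted({dn for dn, _, scheme in find_pbe_values(ldif_text, attrs) if scheme == "DES"})


def des2aes_task_ldif(suffixes, task_name="des2aes"):
    """LDIF for the task entry to feed to ldapadd as Directory Manager.
    'suffix' limits the run to the named database(s); attribute names are an
    assumption taken from the upstream pbe design document."""
    lines = [f"dn: cn={task_name},cn=tasks,cn=config",
             "objectClass: top", "objectClass: extensibleObject", f"cn: {task_name}"]
    lines += [f"suffix: {s}" for s in suffixes]
    return "\n".join(lines) + "\n"


LOG_RE = re.compile(r"des2aes task - Successfully converted password for \((?P<dn>.+)\)\s*$")


def converted_dns(log_lines):
    """DNs the task reported as converted, from errors-log lines like Comment 10's."""
    return [m.group("dn") for m in (LOG_RE.search(line) for line in log_lines) if m]


if __name__ == "__main__":
    attrs = protected_attrs(SAMPLE_LDIF)
    print("protected attributes:", attrs)
    print("entries still on DES:", des_entries(SAMPLE_LDIF, attrs))
    print(des2aes_task_ldif(["dc=example,dc=com"]))
    print("converted so far:", converted_dns(SAMPLE_LOG))
```

Run `des_entries` over a fresh export before and after the task: the list should be empty afterwards, which is the check that the manual step the Doc Text now requires was actually completed for that suffix.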

Comment 12 errata-xmlrpc 2016-11-03 20:42:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html