Bug 1496224
Summary: | Export changelog db fails when the changelog encryption is configured | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Sankar Ramalingam <sramling> |
Component: | 389-ds-base | Assignee: | mreynolds |
Status: | CLOSED NOTABUG | QA Contact: | Viktor Ashirov <vashirov> |
Severity: | urgent | Docs Contact: | |
Priority: | high | | |
Version: | 7.4 | CC: | lkrispen, nkinder, rmeggins |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Last Closed: | 2017-10-12 13:57:50 UTC | Type: | Bug |
Description
Sankar Ramalingam
2017-09-26 17:08:33 UTC
Additional details to reproduce the problem:

Setup: 2 master replication setup

Steps:

1. Stop the server instance and edit /etc/dirsrv/slapd-master1/dse.ldif file.
2. Add "nsslapd-encryptionalgorithm: AES" under cn=changelog5,cn=config entry.
3. Start the server instance.
4. Add user entry with password to master1
5. Check if unhashed#user#password attribute is encrypted by doing dbscan -f

```
/usr/bin/dbscan -f /var/lib/dirsrv/slapd-master1/changelogdb/xyz.db
```

You can see that the changelog entry for newly added user is encrypted.

6. Now, try to take the changelog db backup.

```
[root@hp-dl80gen9-01 ~]# PORT=39001 ; ldapmodify -x -p $PORT -h localhost -D "cn=Directory Manager" -w password << EOF
dn: cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: nsds5Task
nsds5Task: CL2LDIF
EOF
```

7. Changelog db backup fails and that can be observed from error logs.

NSS packages present on the test machine.

```
[root@hp-dl80gen9-01 ~]# rpm -qa |grep -i nss-
nss-softokn-freebl-3.28.3-8.el7_4.x86_64
nss-softokn-3.28.3-8.el7_4.x86_64
nss-pem-1.0.3-4.el7.x86_64
python-nss-0.16.0-3.el7.x86_64
mod_nss-1.0.14-10.el7_4.1.x86_64
nss-util-3.28.4-3.el7.x86_64
nss-debuginfo-3.28.4-14.el7_4.x86_64
nss-sysinit-3.28.4-14.el7_4.x86_64
nss-tools-3.28.4-14.el7_4.x86_64
nss-3.28.4-14.el7_4.x86_64
```

do you already have entries in the changelog when you enable encryption?

you cannot have a mix of encrypted and clear entries in the changelog.

(In reply to Ludwig from comment #3)
> do you already have entries in the changelog when you enable encryption?
>
> you cannot have a mix of encrypted and clear entries in the changelog.

Yes, I have a mix of encrypted and cleartext entries in the changelog. It is present since I used the replication topology from lib389 - topology_m2.

this does not work. if you enable encryption after having entries in the changelog you need to reinit the changelog.

you could either:
- reimport the database via ldif
- reinit the server from another server
- try to
  -- export cl to ldif
  -- enable cl encryption
  -- reimport the cl
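Step 2 of the reproduction (the "enable cl encryption" step in the last reply), as an added example that is not part of the original report or of 389-ds-base: an offline check-and-edit of dse.ldif text. The sample dse.ldif content and the function names are constructed for illustration; the entry DN, attribute, and changelog directory come from the steps above.

```python
import re

CL_DN = "cn=changelog5,cn=config"       # entry named in step 2
ATTR = "nsslapd-encryptionalgorithm"    # attribute named in step 2

def _entries(text):
    # Unfold LDIF continuation lines (newline + one space), split on blank lines.
    unfolded = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    return [b.splitlines() for b in re.split(r"\n{2,}", unfolded.strip())]

def _dn(lines):
    # DNs compare case-insensitively; base64 DNs ("dn::") are not handled here.
    for line in lines:
        if line.lower().startswith("dn:") and not line.lower().startswith("dn::"):
            return ",".join(p.strip().lower() for p in line[3:].split(","))
    return None

def changelog_encryption(dse_text):
    """Return the configured algorithm, or None if encryption is not set."""
    for lines in _entries(dse_text):
        if _dn(lines) == CL_DN:
            for line in lines:
                name, _, value = line.partition(":")
                if name.strip().lower() == ATTR:
                    return value.strip()
            return None
    raise LookupError("no cn=changelog5,cn=config entry found")

def enable_changelog_encryption(dse_text, algorithm="AES"):
    """Return dse.ldif text with the attribute added; unchanged if already set.
    Edit the real file only while the instance is stopped (step 1)."""
    if changelog_encryption(dse_text) is not None:
        return dse_text
    out = []
    for lines in _entries(dse_text):
        if _dn(lines) == CL_DN:
            lines = lines + [f"{ATTR}: {algorithm}"]
        out.append("\n".join(lines))   # written unfolded, which LDIF permits
    return "\n\n".join(out) + "\n"

# Constructed sample, not a real dse.ldif; note the folded changelogdir line.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
nsslapd-port: 39001

dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-master1/
 changelogdb
"""
```

The edit only sets the configuration; per the replies above, a changelog that already holds cleartext entries still has to be reinitialized.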