Bug 1342609 - At startup DES to AES password conversion causes timeout in start script
Summary: At startup DES to AES password conversion causes timeout in start script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Docs Contact: Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks: 1344293 1346420
Reported: 2016-06-03 16:19 UTC by mreynolds
Modified: 2020-09-13 21:44 UTC (History)

Fixed In Version: 389-ds-base-1.3.5.5-1.el7
Doc Type: Bug Fix
Doc Text:
*DES* to *AES* password conversion must now be done manually on suffixes other than `cn=config`

When Directory Server starts, all present passwords which are encrypted by the Data Encryption Standard (DES) algorithm are automatically converted to use the more secure Advanced Encryption Standard (AES) algorithm. *DES*-encrypted passwords were previously detected using an internal unindexed search, which was too slow for very large user databases, and in some cases caused the startup process to time out and prevent Directory Server from starting. With this update, only the configuration suffix `cn=config` is checked for *DES* passwords, and a new "slapi" task "des2aes" is now available, which administrators can run after starting the server to convert passwords to *AES* on a specific database if needed. As a result, the server starts up regardless of the size of user databases.
Clone Of:
: 1344293 1346420 (view as bug list)
Environment:
Last Closed: 2016-11-03 20:42:19 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 1922 0 None None None 2020-09-13 21:44:58 UTC
Red Hat Product Errata RHSA-2016:2594 0 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2016-11-03 12:11:08 UTC

Description mreynolds 2016-06-03 16:19:10 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48862

When the server is started, and the DES plugin is enabled, it searches all the backends for DES passwords to convert to AES.  This search is typically unindexed, and on large databases/backends this takes a long time and the start script times out.

We need to come up with a better way to handle this.  Perhaps only run it on cn=config when starting the server?  And/or add a new task to convert DES passwords to AES for specific backends(filter/scope)?

Comment 1 mreynolds 2016-06-07 18:46:19 UTC
Fixed upstream.

Design doc updated to reflect new behavior and the new slapi task (des2aes).

http://www.port389.org/docs/389ds/design/pbe.html

Comment 10 Viktor Ashirov 2016-06-28 09:14:47 UTC
Build tested:
389-ds-base-1.3.5.8-1.el7.x86_64

ticket47462_test.py::test_ticket47462 PASSED

I also tested a scenario with a large database (500k entries).
[1] Disable AES plugin
[2] Add description as nsslapd-pluginarg2 for DES plugin
[3] Create 500k entries with description
[4] Restart the server

On the older version the server failed to start after 10 minutes.
Last message in errors log:
[28/Jun/2016:05:11:23.311266877 -0400] - convert_pbe_des_to_aes:  Checking for DES passwords to convert to AES...

After upgrading to build 389-ds-base-1.3.5.8-1.el7.x86_64 the server started up immediately. To convert DES passwords I started the des2aes task:
[28/Jun/2016:05:30:48.929675648 -0400] des2aes task - Successfully converted password for (uid=500000,ou=People,dc=example,dc=com)
...
[28/Jun/2016:05:54:23.400382680 -0400] des2aes task - Successfully converted password for (uid=00000,ou=People,dc=example,dc=com)

Marking as VERIFIED.
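The des2aes task that the verification above starts is created like any other 389-ds task, by adding an entry under cn=tasks,cn=config once the server is running. The following LDIF is an added example, not taken from this bug report or the project's own docs; the task container DN and the `suffix` attribute are assumptions from my reading of the pbe design doc linked in Comment 1 and should be checked against it.

```ldif
# Added example (not from this bug report): start a des2aes task against one
# backend after startup, so the unindexed DES scan never runs in the start
# script. The task DN and the "suffix" attribute are assumptions; verify
# against http://www.port389.org/docs/389ds/design/pbe.html before use.
dn: cn=convert-userroot,cn=des2aes,cn=tasks,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: convert-userroot
# Restrict the conversion to this suffix; without it the task walks every backend.
suffix: dc=example,dc=com
```

Apply it with ldapmodify as Directory Manager and follow progress in the errors log, where each converted entry appears as a "des2aes task - Successfully converted password" line as shown in Comment 10.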

Comment 12 errata-xmlrpc 2016-11-03 20:42:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html

