Bug 1342609 - At startup DES to AES password conversion causes timeout in start script
Summary: At startup DES to AES password conversion causes timeout in start script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Docs Contact: Petr Bokoc
URL:
Whiteboard:
Depends On:
Blocks: 1344293 1346420
Reported: 2016-06-03 16:19 UTC by mreynolds
Modified: 2016-11-03 20:42 UTC (History)

Fixed In Version: 389-ds-base-1.3.5.5-1.el7
Doc Type: Bug Fix
Doc Text:
*DES* to *AES* password conversion must now be done manually on suffixes other than `cn=config`

When Directory Server starts, all present passwords which are encrypted by the Data Encryption Standard (DES) algorithm are automatically converted to use the more secure Advanced Encryption Standard (AES) algorithm. *DES*-encrypted passwords were previously detected using an internal unindexed search, which was too slow for very large user databases, and in some cases caused the startup process to time out and prevent Directory Server from starting. With this update, only the configuration suffix `cn=config` is checked for *DES* passwords, and a new "slapi" task "des2aes" is now available, which administrators can run after starting the server to convert passwords to *AES* on a specific database if needed. As a result, the server starts up regardless of the size of user databases.
Clone Of:
Clones: 1344293 1346420
Environment:
Last Closed: 2016-11-03 20:42:19 UTC
Links:
Red Hat Product Errata RHSA-2016:2594 (priority: normal, status: SHIPPED_LIVE): "Moderate: 389-ds-base security, bug fix, and enhancement update", last updated 2016-11-03 12:11:08 UTC

Description mreynolds 2016-06-03 16:19:10 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48862

When the server is started, and the DES plugin is enabled, it searches all the backends for DES passwords to convert to AES. This search is typically unindexed, and on large databases/backends this takes a long time and the start script times out.

We need to come up with a better way to handle this. Perhaps only run it on cn=config when starting the server? And/or add a new task to convert DES passwords to AES for specific backends (filter/scope)?

Comment 1 mreynolds 2016-06-07 18:46:19 UTC
Fixed upstream.

Design doc updated to reflect new behavior and the new slapi task (des2aes).

http://www.port389.org/docs/389ds/design/pbe.html

Comment 10 Viktor Ashirov 2016-06-28 09:14:47 UTC
Build tested:
389-ds-base-1.3.5.8-1.el7.x86_64

ticket47462_test.py::test_ticket47462 PASSED

I also tested a scenario with a large database (500k entries).
[1] Disable AES plugin
[2] Add description as nsslapd-pluginarg2 for DES plugin
[3] Create 500k entries with description
[4] Restart the server

On the older version the server failed to start after 10 minutes.
Last message in errors log:
[28/Jun/2016:05:11:23.311266877 -0400] - convert_pbe_des_to_aes:  Checking for DES passwords to convert to AES...

After upgrading to build 389-ds-base-1.3.5.8-1.el7.x86_64 the server started up immediately. To convert DES passwords I started the des2aes task:
[28/Jun/2016:05:30:48.929675648 -0400] des2aes task - Successfully converted password for (uid=500000,ou=People,dc=example,dc=com)
...
[28/Jun/2016:05:54:23.400382680 -0400] des2aes task - Successfully converted password for (uid=00000,ou=People,dc=example,dc=com)

Marking as VERIFIED.
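An offline check matching the scenario above (an added example, not code from the bug report or from the 389-ds-base project): because the fixed server only converts values under cn=config at startup, values in user backends stay DES-encrypted until the des2aes task is run there. This script scans an LDIF export (e.g. db2ldif output) and counts, per attribute, values still carrying the `{DES}` prefix versus the `{AES-...}` prefix, so an administrator can see what remains to convert. The prefix formats are assumed from the 389-ds PBE design, and the sample LDIF is constructed.

```python
"""Count DES- vs AES-encrypted reversible-password values in an LDIF export."""
import base64
import re
from collections import Counter

# Assumed prefix formats of the 389-ds reversible-password (PBE) plugins:
# DES values start with "{DES}", AES values with "{AES-<base64 alg id>}".
DES_PREFIX = "{DES}"
AES_PREFIX_RE = re.compile(r"^\{AES-[A-Za-z0-9+/=]+\}")

# Constructed sample export: one DES value, one AES value, one base64 ("::")
# encoded DES value that is folded over two lines as LDIF allows.
SAMPLE_LDIF = (
    "dn: uid=00000,ou=People,dc=example,dc=com\n"
    "description: {DES}c2FtcGxlLWRlcy1ibG9i\n"
    "\n"
    "dn: uid=00001,ou=People,dc=example,dc=com\n"
    "description: {AES-TUhNGhwbmFjbHNQQkVXaXRoREVTLUNCQwo=}c2FtcGxlLWFlcy1ibG9i\n"
    "\n"
    "dn: uid=00002,ou=People,dc=example,dc=com\n"
    "description:: " + base64.b64encode(b"{DES}folded").decode()[:8] + "\n"
    " " + base64.b64encode(b"{DES}folded").decode()[8:] + "\n"
)

def iter_entries(text):
    """Yield each LDIF entry as a list of logical lines (folded lines joined)."""
    entry = []
    for raw in text.splitlines():
        if raw.startswith(" ") and entry:      # continuation of previous line
            entry[-1] += raw[1:]
        elif raw.startswith("#"):
            continue
        elif raw == "":
            if entry:
                yield entry
                entry = []
        else:
            entry.append(raw)
    if entry:
        yield entry

def split_attr(line):
    """Return (attribute, value) for one logical LDIF line, decoding '::' base64."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return attr, rest.strip()

def pbe_scheme(value):
    """Classify a value as 'DES', 'AES' or None if it carries no PBE prefix."""
    if value.startswith(DES_PREFIX):
        return "DES"
    return "AES" if AES_PREFIX_RE.match(value) else None

def scan_ldif(text):
    """Return {attribute: Counter({'DES': n, 'AES': m})} for PBE-holding attributes."""
    report = {}
    for entry in iter_entries(text):
        for line in entry:
            attr, value = split_attr(line)
            scheme = pbe_scheme(value)
            if scheme:
                report.setdefault(attr.lower(), Counter())[scheme] += 1
    return report

def remaining_des(report):
    """Total values the des2aes task would still need to convert."""
    return sum(c["DES"] for c in report.values())
```

Run it against a real export with `scan_ldif(open(path).read())`; a non-zero `remaining_des` after the task completes is the signal to look at the errors log for skipped entries.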

Comment 12 errata-xmlrpc 2016-11-03 20:42:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html
