This bug is created as a clone of upstream ticket:
When the server is started, and the DES plugin is enabled, it searches all the backends for DES passwords to convert to AES. This search is typically unindexed, and on large databases/backends this takes a long time and the start script time's out.
We need to come up with a better way to handle this. Perhaps only run it on cn=config when starting the server? And/or add a new task to convert DES passwords to AES for specific backends(filter/scope)?
Design doc updated to reflect new behavior and the new slapi task (des2aes).
Also I tested scenario with the large database (500k entries).
 Disable AES plugin
 Add description as nsslapd-pluginarg2 for DES plugin
 Create 500k entries with description
 Restart the server
On older version server failed to start after 10 minutes.
Last message in errors log:
[28/Jun/2016:05:11:23.311266877 -0400] - convert_pbe_des_to_aes: Checking for DES passwords to convert to AES...
After upgrading to build 389-ds-base-220.127.116.11-1.el7.x86_64 server started up immediately. To convert DES passwords I started des2aes task:
[28/Jun/2016:05:30:48.929675648 -0400] des2aes task - Successfully converted password for (uid=500000,ou=People,dc=example,dc=com)
[28/Jun/2016:05:54:23.400382680 -0400] des2aes task - Successfully converted password for (uid=00000,ou=People,dc=example,dc=com)
Marking as VERIFIED.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.