Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1342609 - At startup DES to AES password conversion causes timeout in start script
At startup DES to AES password conversion causes timeout in start script
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
7.3
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
Petr Bokoc
: ZStream
Depends On:
Blocks: 1344293 1346420
  Show dependency treegraph
 
Reported: 2016-06-03 12:19 EDT by mreynolds
Modified: 2016-11-03 16:42 EDT (History)
5 users (show)

See Also:
Fixed In Version: 389-ds-base-1.3.5.5-1.el7
Doc Type: Bug Fix
Doc Text:
*DES* to *AES* password conversion must now be done manually on suffixes other than `cn=config` When Directory Server starts, all present passwords which are encrypted by the Data Encryption Standard (DES) algorithm are automatically converted to use the more secure Advanced Encryption Standard (AES) algorithm. *DES*-encrypted passwords were previously detected using an internal unindexed search, which was too slow for very large user databases, and in some cases caused the startup process to time out and prevent Directory Server from starting. With this update, only the configuration suffix `cn=config` is checked for *DES* passwords, and a new "slapi" task "des2aes" is now available, which administrators can run after starting the server to convert passwords to *AES* on a specific database if needed. As a result, the server starts up regardless of the size of user databases.
Story Points: ---
Clone Of:
: 1344293 1346420 (view as bug list)
Environment:
Last Closed: 2016-11-03 16:42:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2594 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2016-11-03 08:11:08 EDT

  None (edit)
Description mreynolds 2016-06-03 12:19:10 EDT 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/48862

When the server is started, and the DES plugin is enabled, it searches all the backends for DES passwords to convert to AES.  This search is typically unindexed, and on large databases/backends this takes a long time and the start script time's out.

We need to come up with a better way to handle this.  Perhaps only run it on cn=config when starting the server?  And/or add a new task to convert DES passwords to AES for specific backends(filter/scope)?
Comment 1 mreynolds 2016-06-07 14:46:19 EDT 
Fixed upstream.

Design doc updated to reflect new behavior and the new slapi task (des2aes).

http://www.port389.org/docs/389ds/design/pbe.html
Comment 10 Viktor Ashirov 2016-06-28 05:14:47 EDT 
Build tested:
389-ds-base-1.3.5.8-1.el7.x86_64

ticket47462_test.py::test_ticket47462 PASSED

Also I tested scenario with the large database (500k entries).
[1] Disable AES plugin
[2] Add description as nsslapd-pluginarg2 for DES plugin
[3] Create 500k entries with description
[4] Restart the server

On older version server failed to start after 10 minutes.
Last message in errors log:
[28/Jun/2016:05:11:23.311266877 -0400] - convert_pbe_des_to_aes:  Checking for DES passwords to convert to AES...

After upgrading to build 389-ds-base-1.3.5.8-1.el7.x86_64 server started up immediately. To convert DES passwords I started des2aes task:
[28/Jun/2016:05:30:48.929675648 -0400] des2aes task - Successfully converted password for (uid=500000,ou=People,dc=example,dc=com)
...
[28/Jun/2016:05:54:23.400382680 -0400] des2aes task - Successfully converted password for (uid=00000,ou=People,dc=example,dc=com)

Marking as VERIFIED.
Comment 12 errata-xmlrpc 2016-11-03 16:42:19 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2594.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.