RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1344293 - At startup DES to AES password conversion causes timeout in start script
Summary: At startup DES to AES password conversion causes timeout in start script
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On: 1342609
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-09 10:55 UTC by Marcel Kolaja
Modified: 2020-09-13 21:45 UTC (History)
8 users (show)

Fixed In Version: 389-ds-base-1.3.4.0-32.el7_2
Doc Type: Bug Fix
Doc Text:
When 389 Directory Server starts, all present DES-encrypted passwords are automatically converted to AES. DES passwords were previously being detected using an internal unindexed search, which was too slow for very large user databases, and could potentially cause the startup process to time out and prevent Directory Server from starting. With this update, only the configuration suffix "cn=config" is being checked for DES passwords, and a new slapi task "des2aes" is now available which can be run after starting the server to convert DES passwords to AES on a specific database if needed. The server therefore starts up regardless of the database size.
Clone Of: 1342609
Environment:
Last Closed: 2016-06-23 16:23:15 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github 389ds 389-ds-base issues 1922 0 None None None 2020-09-13 21:45:04 UTC
Red Hat Product Errata RHBA-2016:1298 0 normal SHIPPED_LIVE 389-ds-base bug fix update 2016-06-23 20:14:06 UTC

Description Marcel Kolaja 2016-06-09 10:55:49 UTC 
This bug has been copied from bug #1342609 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 5 Viktor Ashirov 2016-06-13 00:48:01 UTC 
Build tested:
389-ds-base-1.3.4.0-32.el7_2.x86_64

ticket47462_test.py::test_ticket47462 PASSED

Also I tested scenario with the large database (500k entries).
[1] Disable AES plugin
[2] Add description as nsslapd-pluginarg2 for DES plugin
[3] Create 500k entries with description
[4] Restart the server

On older version (389-ds-base-1.3.4.0-31.el7_2.x86_64) server failed to start after 10 minutes.
Last message in errors log:
[12/Jun/2016:20:03:51 -0400] - convert_pbe_des_to_aes:  Checking for DES passwords to convert to AES...

After upgrading to build -32 server started up immediately. To convert DES passwords I started des2aes task:
[12/Jun/2016:20:22:32 -0400] des2aes task - Successfully converted password for (uid=500000,ou=People,dc=example,dc=com)
...
[12/Jun/2016:20:46:38 -0400] des2aes task - Successfully converted password for (uid=00000,ou=People,dc=example,dc=com)

Marking as VERIFIED.
Comment 7 errata-xmlrpc 2016-06-23 16:23:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1298
Note You need to log in before you can comment on or make changes to this bug.