Cannot import encrypted data - syntax validation will usually fail with encrypted data, e.g.:

setup server for telephoneNumber encryption
add entry with telephoneNumber attribute
db2ldif - verify attribute is encrypted
make sure syntax validation is on
import ldif

[15/Jul/2009:14:19:21 -0600] - import userRoot: WARNING: skipping entry "uid=attrcryptuser,ou=people,o=attrcrypt.com" which violates attribute syntax, ending line 154 of file "/tmp/encrypted.ldif"
telephoneNumber:: u6p4tkRmPuJtNhPs4g42qw==
This was fixed by commit 654c62253e13df368be9a2e1b89e03771e363041 on 2009-07-20.
Hi Nathan,

I need to verify bug511970.

I have executed the steps below but am not getting the expected results:
1. configured ssl
2. config attr encryption for telephoneNumber
[root@rhel61-ds90-amita scripts]# ldapmodify -a -D "cn=directory manager" -w Secret123 -p 1389 -h localhost << EOF
dn: cn=telephoneNumber,cn=encrypted attributes,cn=test44,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
EOF

3. add entry with telephoneNumber attribute
4. make sure syntax validation is on
5. Did Import and Export
./db2ldif -n test33 -E -a /export/scripts/ami/output.ldif -s "dc=example2,dc=com"
./ldif2db -n db3 -E -i /export/scripts/ami/output.ldif

I am referring to the Admin guide for this:
"http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Database_Encryption-Exporting_and_Importing_an_Encrypted_Database"

Here are the two things I am facing:
1. The attribute value is not getting encrypted; I checked it using ldapsearch.
2. While I was testing, I got this error once:
[root@rhel61-ds90-amita slapd-rhel61-ds90-amita]# ./ldif2db -n amidb -E -i /export/scripts/ami/output.ldif
importing data ...
[11/Apr/2011:11:55:27 +051800] attrcrypt - Failed to retrieve key for cipher 3DES in attrcrypt_cipher_init (2)
[11/Apr/2011:11:55:27 +051800] - Error: unable to initialize attrcrypt system for amidb

Request you to please help me out here with the steps.

Thanks and Regards,
Amita
If you run ./db2ldif -n test33 -a /export/scripts/ami/output.ldif -s "dc=example2,dc=com" (that is, without the -E), do you see the telephoneNumber attribute encrypted?
(In reply to comment #2)
> Hi Nathan,
>
> I need to verify bug511970.
>
> I have executed below steps but not getting expected results :
> 1. configured ssl
> 2. config attr encryption for telephoneNumber
> [root@rhel61-ds90-amita scripts]# ldapmodify -a -D "cn=directory manager" -w
> Secret123 -p 1389 -h localhost << EOF
> dn: cn=telephoneNumber,cn=encrypted attributes,cn=test44,cn=ldbm
> database,cn=plugins,cn=config
> objectclass: top
> objectclass: nsAttributeEncryption
> cn: telephoneNumber
> nsEncryptionAlgorithm: AES
> EOF
>
> 3. add entry with telephoneNumber attribute
> 4. make sure syntax validation is on
> 5. Did Import and Export
> ./db2ldif -n test33 -E -a /export/scripts/ami/output.ldif -s
> "dc=example2,dc=com"
> ./ldif2db -n db3 -E -i /export/scripts/ami/output.ldif
>
> I am referring to Admin guide for this
> "http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Configuring_Directory_Databases-Creating_and_Maintaining_Databases.html#Database_Encryption-Exporting_and_Importing_an_Encrypted_Database"
>
> Here are two things, I am facing
> 1. The Attribute value is not getting encrypted, I checked it using ldapsearch.

Attribute encryption is not for encrypting attributes for ldap search. It is for encrypting the data stored on disk. I guess the docs are not clear about that. You should check the following:
1) db2ldif without the -E option should output the attribute encrypted
2) dbscan -f /var/lib/dirsrv/slapd-INSTNAME/db/amidb/id2entry.db4 should show the entry with the attribute encrypted
3) dbscan -f /var/lib/dirsrv/slapd-INSTNAME/db/amidb/ATTRNAME.db4 should show the values encrypted (if you have an index for the attribute)

> 2. While I am testing, I got this error once -
> [root@rhel61-ds90-amita slapd-rhel61-ds90-amita]# ./ldif2db -n amidb -E -i
> /export/scripts/ami/output.ldif
> importing data ...
> [11/Apr/2011:11:55:27 +051800] attrcrypt - Failed to retrieve key for cipher
> 3DES in attrcrypt_cipher_init (2)
> [11/Apr/2011:11:55:27 +051800] - Error: unable to initialize attrcrypt system
> for amidb

Did you change the cert/key?

>
> Request you to please help me out here with the steps.
>
> Thanks and Regards,
> Amita
Yeah Rich, got it:

# entry-id: 12
dn: uid=amimash,dc=example,dc=com
nsUniqueId: fb2b1101-717911e0-9db384f2-c11c5523
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalPerson
sn: testkrbuser
cn: kkktestkrbuser
uid: amimash
userPassword:: e1NTSEF9MVMzVlVoSWVNUmkraGZuajdDR1pJa3N6OXZkcWxkRnRhU0V4N1E9PQ=
 =
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20110428092936Z
modifyTimestamp: 20110428093021Z
telephoneNumber:: OBWnCqk1aGFszhT1qFR39g==

Marking the bug as VERIFIED.

Thanks,
Amita
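Rich's first check above (db2ldif without -E should output the attribute encrypted) and Amita's exported entry, turned into a small added verification script; this is not part of the thread or of the directory server's own tooling. It parses LDIF the way the export writes it (wrapped continuation lines, '::' base64 values) and reports per DN whether telephoneNumber is stored as ciphertext; the regex is an assumed, loose stand-in for the server's telephoneNumber syntax check, and the second entry is constructed.

```python
import base64
import re

# Constructed excerpt shaped like a db2ldif export run WITHOUT -E (the form Rich says
# should show the attribute encrypted): Amita's posted entry, with the long userPassword
# wrapped onto a continuation line as the LDIF writer does, plus a constructed cleartext one.
SAMPLE_LDIF = """\
dn: uid=amimash,dc=example,dc=com
userPassword:: e1NTSEF9MVMzVlVoSWVNUmkraGZuajdDR1pJa3N6OXZkcWxkRnRhU0V4N1E9PQ=
 =
telephoneNumber:: OBWnCqk1aGFszhT1qFR39g==

dn: uid=plain,dc=example,dc=com
telephoneNumber: +1 555 0100
"""
# Assumed, loose stand-in for the telephoneNumber syntax check the import applies;
# ciphertext is binary and cannot pass it, which is exactly what the original bug hit.
TELEPHONE_SYNTAX = re.compile(r"^[0-9 +()\-.]+$")

def parse_ldif(text):
    """Return {dn: {attr: [(bytes, was_base64)]}}, joining wrapped lines, decoding '::'."""
    entries, logical = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):                  # leading space = continuation line
            logical[-1] += raw[1:]
        elif raw:
            logical.append(raw)
        elif logical:                            # blank line ends the current entry
            attrs = {}
            for line in logical:
                name, _, value = line.partition(":")
                is_b64 = value.startswith(":")   # '::' marks a base64-encoded value
                data = base64.b64decode(value[1:].strip()) if is_b64 else value.strip().encode()
                attrs.setdefault(name, []).append((data, is_b64))
            entries[attrs.pop("dn")[0][0].decode()] = attrs
            logical = []
    return entries

def looks_encrypted(data, is_b64):
    """Ciphertext is written base64 and does not decode to a syntactically valid number."""
    try:
        return bool(is_b64 and not TELEPHONE_SYNTAX.match(data.decode("ascii")))
    except UnicodeDecodeError:
        return True

def encryption_status(entries, attr="telephoneNumber"):
    """Map each DN to 'encrypted', 'cleartext' or 'absent' for the given attribute."""
    return {dn: "absent" if attr not in attrs
            else "encrypted" if all(looks_encrypted(d, b) for d, b in attrs[attr])
            else "cleartext" for dn, attrs in entries.items()}
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; an export made with -E should come back "cleartext" for every DN, and one made without -E "encrypted".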
Also the import is correct:

[root@rheltest slapd-rheltest]# ./ldif2db -n userRoot -i /export/output.ldif
importing data ...
[28/Apr/2011:15:17:11 +051800] - Warning: encryption is configured in backend userRoot, but because SSL is not enabled, database encryption is not available and the configuration will be overridden.
[28/Apr/2011:15:17:11 +051800] - WARNING: Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[28/Apr/2011:15:17:11 +051800] - check_and_set_import_cache: pagesize: 4096, pages: 249236, procpages: 49658
[28/Apr/2011:15:17:11 +051800] - WARNING: After allocating import cache 398776KB, the available memory is 598168KB, which is less than the soft limit 1048576KB. You may want to decrease the import cache size and rerun import.
[28/Apr/2011:15:17:11 +051800] - Import allocates 398776KB import cache.
[28/Apr/2011:15:17:11 +051800] - import userRoot: Beginning import job...
[28/Apr/2011:15:17:11 +051800] - import userRoot: Index buffering enabled with bucket size 100
[28/Apr/2011:15:17:12 +051800] - import userRoot: Processing file "/export/output.ldif"
[28/Apr/2011:15:17:12 +051800] - import userRoot: Finished scanning file "/export/output.ldif" (12 entries)
[28/Apr/2011:15:17:12 +051800] - import userRoot: Workers finished; cleaning up...
[28/Apr/2011:15:17:12 +051800] - import userRoot: Workers cleaned up.
[28/Apr/2011:15:17:12 +051800] - import userRoot: Cleaning up producer thread...
[28/Apr/2011:15:17:12 +051800] - import userRoot: Indexing complete. Post-processing...
[28/Apr/2011:15:17:13 +051800] - import userRoot: Flushing caches...
[28/Apr/2011:15:17:13 +051800] - import userRoot: Closing files...
[28/Apr/2011:15:17:13 +051800] - All database threads now stopped
[28/Apr/2011:15:17:13 +051800] - import userRoot: Import complete. Processed 12 entries in 2 seconds. (6.00 entries/sec)