Tuesday, May 12, 2026

[389-users] Cannot change nsslapd-db-max-locks

On one of our EL9 IPA servers I'm unable to change nsslapd-db-max-locks.

ldapsearch returns:

# database, monitor, ldbm database, plugins, config
dn: cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-current-locks: 96
nsslapd-db-max-locks: 179

dsconf config get returns:

nsslapd-db-locks: 50018

I've restarted many times. Changed the value a couple of times. What's up?

389-ds-base-2.7.0-12.el9_7.x86_64

--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 https://www.nwra.com/

-- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

Monday, May 11, 2026

[389-users] Re: [EXTERNAL\EXTERNE:] Re: version 3.1 : ERR - attrcrypt_ciphe

I see I am missing the entries for nsSSL3Ciphers in my existing cfg. Please, how to resolve this now?
Initially the server was cfg without TLS Certs in place for testing only; next we put the Certs but seeing the errors after ldap restart.


dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
CACertExtractFile: /tmp/slapd-testldap/Self-Signed-CA.pem
modifiersName: cn=server,cn=plugins,cn=config
modifyTimestamp: 20260128211815Z
numSubordinates: 1



From: Ghiurea, Isabella
Sent: Monday, May 11, 2026 8:12:13 AM
To: Mark Reynolds; General discussion list for the 389 Directory server project.
Subject: Re: [EXTERNAL\EXTERNE:] Re: [389-users] version 3.1 : ERR - attrcrypt_ciphe
 

This is my full log after restart and the OS and 389-DS version:

 5.14.0-611.49.2.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 30 09:05:08 EDT 2026 x86_64 GNU/Linux
389-ds-base-libs-3.1.3-7.el10_1.x86_64

[11/May/2026:08:08:06.489703415 -0700] - INFO - slapd_extract_cert - CA CERT NAME: Entrust OV TLS Issuing RSA CA 1 - SSL Corporation
[11/May/2026:08:08:06.491682937 -0700] - INFO - slapd_extract_cert - CA CERT NAME: Self-Signed-CA
[11/May/2026:08:08:06.492152194 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password if pin.txt does not exist.
[11/May/2026:08:08:06.518750646 -0700] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[11/May/2026:08:08:06.553993372 -0700] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[11/May/2026:08:08:06.554338296 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[11/May/2026:08:08:06.554580339 -0700] - INFO - Security Initialization - SSL info:     TLS_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.554917810 -0700] - INFO - Security Initialization - SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.555192333 -0700] - INFO - Security Initialization - SSL info:     TLS_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.555360588 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.555512802 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.555660128 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.555820939 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.555971791 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.556116070 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.556262604 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[11/May/2026:08:08:06.556408537 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[11/May/2026:08:08:06.556551104 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/May/2026:08:08:06.556695374 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[11/May/2026:08:08:06.556846817 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/May/2026:08:08:06.556994573 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/May/2026:08:08:06.557139865 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.557287401 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.557431420 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.557573065 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/May/2026:08:08:06.557726221 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/May/2026:08:08:06.557886871 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/May/2026:08:08:06.558041370 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[11/May/2026:08:08:06.563964174 -0700] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[11/May/2026:08:08:06.564487373 -0700] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[11/May/2026:08:08:06.564835995 -0700] - INFO - main - 389-Directory/3.1.3 B2026.051.0000 starting up
[11/May/2026:08:08:06.565071755 -0700] - INFO - main - Setting the maximum file descriptor limit to: 1048576
[11/May/2026:08:08:06.571042469 -0700] - INFO - PBKDF2-SHA1 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.571406910 -0700] - INFO - PBKDF2-SHA1 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.571637361 -0700] - INFO - PBKDF2-SHA256 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.571870307 -0700] - INFO - PBKDF2-SHA512 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.692829541 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 3000 rounds
[11/May/2026:08:08:06.697571186 -0700] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/May/2026:08:08:06.703451140 -0700] - INFO - dbmdb_make_env - MDB environment created with maxsize=6442450944.
[11/May/2026:08:08:06.703753165 -0700] - INFO - dbmdb_make_env - MDB environment created with max readers=126.
[11/May/2026:08:08:06.703942058 -0700] - INFO - dbmdb_make_env - MDB environment created with max database instances=512.
[11/May/2026:08:08:06.704770127 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[11/May/2026:08:08:06.704994095 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[11/May/2026:08:08:06.705155447 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[11/May/2026:08:08:06.750376700 -0700] - INFO - connection_table_new - Number of connection sub-tables 1, each containing 63937 slots.
[11/May/2026:08:08:06.777423200 -0700] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[11/May/2026:08:08:06.777828878 -0700] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests








From: Mark Reynolds <mareynol@redhat.com>
Sent: Friday, May 8, 2026 2:14:23 PM
To: General discussion list for the 389 Directory server project.
Cc: Ghiurea, Isabella
Subject: [EXTERNAL\EXTERNE:] Re: [389-users] version 3.1 : ERR - attrcrypt_ciphe
 


I haven't seen this particular error before.  Here is my error log at startup. Does your log look similar to this (besides the error)?


[05/May/2026:10:38:38.570345263 -0400] - INFO - slapd_extract_cert - CA CERT NAME: Self-Signed-CA
[05/May/2026:10:38:38.575013995 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password if pin.txt does not exist.
[05/May/2026:10:38:38.596977165 -0400] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[05/May/2026:10:38:38.628070445 -0400] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[05/May/2026:10:38:38.629070043 -0400] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[05/May/2026:10:38:38.629758473 -0400] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[05/May/2026:10:38:38.630223912 -0400] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[05/May/2026:10:38:38.630729097 -0400] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
...

...

[05/May/2026:10:38:38.646869597 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647319500 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647903706 -0400] - INFO - main - 389-Directory/3.2.0 DEVELOPER BUILD B0000.000.0000 starting up
...

...
[05/May/2026:10:38:38.758475494 -0400] - INFO - dbmdb_make_env - MDB environment created with maxsize=21474836480 (20.0 GB)
[05/May/2026:10:38:38.759509913 -0400] - INFO - dbmdb_make_env - MDB environment created with max readers=126
[05/May/2026:10:38:38.760668867 -0400] - INFO - dbmdb_make_env - MDB environment created with max database instances=512
[05/May/2026:10:38:38.763059652 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.765674326 -0400] - INFO - attrcrypt_cipher_init - Key for cipher AES successfully generated and stored
[05/May/2026:10:38:38.766149695 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.768561634 -0400] - INFO - attrcrypt_cipher_init - Key for cipher 3DES successfully generated and stored



Are you running the server with security enabled?  


Have you explicitly enabled/disabled specific ciphers under cn=encryption,cn=config?


dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
CACertExtractFile: /tmp/slapd-localhost/Self-Signed-CA.pem
nsSSL3Ciphers:  +all,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384



Also what platform are you running this on?  What rpm version of "nss" is installed?  This could also be related to your system's crypto policy.


Thanks,

Mark



On 5/8/26 4:11 PM, Ghiurea, Isabella via 389-users wrote:



After installing new Certs on version 389-ds-base-libs-3.1.3-7.el10_1.x86_64, I am seeing the following ERR in the error log when restarting the ldap.


[08/May/2026:12:47:19.286692556 -0700] - INFO - dbmdb_make_env - MDB environment created with max database instances=512.
[08/May/2026:12:47:19.287568735 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[08/May/2026:12:47:19.287866902 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[08/May/2026:12:47:19.288083818 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.

And here are my entries for encryption in dse.ldif :
dn: cn=encrypted attribute keys,cn=userroot,cn=ldbm database,cn=plugins,cn=con
 fig
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys
creatorsName: cn=ldbm database,cn=plugins,cn=config
modifiersName: cn=ldbm database,cn=plugins,cn=config
createTimestamp: 20260128,........
modifyTimestamp: 20260128........
numSubordinates: 2

dn: cn=encrypted attributes,cn=userroot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes
creatorsName: cn=ldbm database,cn=plugins,cn=config
modifiersName: cn=ldbm database,cn=plugins,cn=config
createTimestamp: 202601282....
modifyTimestamp: 20260128....

What else must be changed to eliminate the errors?
Thank you!


-- 
Identity Management Development Team
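
The two startup logs quoted in this thread differ at attrcrypt_cipher_init: one reports "Failed to retrieve key", the other generates and stores new keys. As an added example (not code from the thread or from the 389-ds project), this parser reads error-log lines in the layout shown above and reports the attribute-encryption outcome per startup. The sample lines are copied from the thread and concatenated; function and field names are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Line layout seen in the thread: [timestamp] - LEVEL - subsystem - message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<rest>.*)$")
START_RE = re.compile(r"main - 389-Directory/(?P<version>\S+) .*starting up")
TLS_RE = re.compile(r"Configured SSL version range: min: (?P<min>\S+), max: (?P<max>\S+)")
KEY_MISSING_RE = re.compile(
    r"attrcrypt_cipher_init - No symmetric key found for cipher (?P<cipher>\S+) in backend (?P<backend>[^,]+),")
KEY_NEW_RE = re.compile(r"attrcrypt_cipher_init - Key for cipher (?P<cipher>\S+) successfully generated and stored")
KEY_FAIL_RE = re.compile(r"attrcrypt_cipher_init - Failed to retrieve key for cipher (?P<cipher>\S+) \((?P<code>-?\d+)\)")
ALL_FAIL_RE = re.compile(r"attrcrypt_init - All prepared ciphers are not available")

# Constructed input: lines taken from the two logs quoted in the thread and
# concatenated. The first line is truncated exactly as it appears in the post.
SAMPLE = """\
1/May/2026:08:08:06.489703415 -0700] - INFO - slapd_extract_cert - CA CERT NAME: Entrust OV TLS Issuing RSA CA 1 - SSL Corporation
[11/May/2026:08:08:06.563964174 -0700] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[11/May/2026:08:08:06.564835995 -0700] - INFO - main - 389-Directory/3.1.3 B2026.051.0000 starting up
[11/May/2026:08:08:06.704770127 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[11/May/2026:08:08:06.704994095 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[11/May/2026:08:08:06.705155447 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[05/May/2026:10:38:38.646869597 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647903706 -0400] - INFO - main - 389-Directory/3.2.0 DEVELOPER BUILD B0000.000.0000 starting up
...
[05/May/2026:10:38:38.763059652 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.765674326 -0400] - INFO - attrcrypt_cipher_init - Key for cipher AES successfully generated and stored
[05/May/2026:10:38:38.766149695 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.768561634 -0400] - INFO - attrcrypt_cipher_init - Key for cipher 3DES successfully generated and stored
"""


@dataclass
class Startup:
    started: str                          # timestamp of the "starting up" line
    version: str
    tls_range: Optional[tuple] = None     # (min, max) as configured
    ciphers: dict = field(default_factory=dict)   # cipher -> last seen outcome
    attrcrypt_unavailable: bool = False

    def needs_attention(self) -> bool:
        failed = any(s.startswith("key retrieval failed") for s in self.ciphers.values())
        return self.attrcrypt_unavailable or failed


def record_attrcrypt(cur: Startup, rest: str) -> None:
    """Update one startup record from an attrcrypt message; later lines win."""
    if (m := KEY_FAIL_RE.search(rest)):
        cur.ciphers[m["cipher"]] = f"key retrieval failed ({m['code']})"
    elif (m := KEY_MISSING_RE.search(rest)):
        cur.ciphers[m["cipher"]] = f"no key in backend {m['backend']}, creating"
    elif (m := KEY_NEW_RE.search(rest)):
        cur.ciphers[m["cipher"]] = "key generated"
    elif ALL_FAIL_RE.search(rest):
        cur.attrcrypt_unavailable = True


def parse_startups(lines):
    """Return (startups, skipped): one Startup per "starting up" line, plus the
    count of non-blank lines that do not match the error-log layout."""
    startups, pending_tls, skipped = [], None, 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # truncated or elided lines ("...", lost "[")
            continue
        rest = m["rest"]
        tls, start = TLS_RE.search(rest), START_RE.search(rest)
        if tls:
            # The TLS range is logged just before the "starting up" line.
            pending_tls = (tls["min"], tls["max"])
        elif start:
            startups.append(Startup(m["ts"], start["version"], pending_tls))
            pending_tls = None
        elif startups:
            record_attrcrypt(startups[-1], rest)
    return startups, skipped


if __name__ == "__main__":
    found, skipped = parse_startups(SAMPLE.splitlines())
    for s in found:
        flag = "CHECK" if s.needs_attention() else "ok"
        print(f"{s.started}  389-ds {s.version}  TLS {s.tls_range}  [{flag}]")
        for cipher, outcome in s.ciphers.items():
            print(f"    {cipher}: {outcome}")
    print(f"{skipped} line(s) did not match the error-log layout")
```

The number in parentheses after a failed cipher is recorded as logged and is not interpreted.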



Sunday, May 10, 2026

[Test-Announce] Fedora 45 Rawhide 20260511.n.0 nightly compose nominated for testing

Announcing the creation of a new nightly release validation test event for Fedora 45 Rawhide 20260511.n.0. Please help run some tests for this nightly compose if you have time. For more information on nightly release validation testing, see:
https://fedoraproject.org/wiki/QA:Release_validation_test_plan

Notable package version changes:
anaconda - 20260508.n.0: anaconda-45.1-1.fc45.src, 20260511.n.0: anaconda-45.2-1.fc45.src

Test coverage information for the current release can be seen at:
https://openqa.fedoraproject.org/testcase_stats/45

You can see all results, find testing instructions and image download locations, and enter results on the Summary page:
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Summary

The individual test result pages are:
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Installation
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Base
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Server
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Cloud
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Desktop
https://fedoraproject.org/wiki/Test_Results:Fedora_45_Rawhide_20260511.n.0_Security_Lab

Thank you for testing!
--
Mail generated by relvalconsumer: https://forge.fedoraproject.org/quality/relvalconsumer

-- _______________________________________________ test-announce mailing list -- test-announce@lists.fedoraproject.org To unsubscribe send an email to test-announce-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/test-announce@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[Test-Announce] Test Days: Podman 6.0

Greetings testers!

Please join us for upcoming Test Days [1] and help us improve Fedora's quality and stability. Your participation helps us find and fix bugs before the next release, ensuring a smoother experience for all users.

This time we'll focus on testing Podman.

Test period: 2026-05-11 to 2026-05-15
Test instructions: https://fedoraproject.org/wiki/Test_Day:2026-05-11_Podman_6.0

Thank you.

Petr Sklenar
Fedora Quality

Self-Introduction: Alberto García Fernández (Spanish)

Name: Alberto García Fernández (Alberto)
Location: Gijón, Spain
Login: algarcia
Language: Spanish

About me: I'm a Linux end user (not a programmer or web developer) and free software enthusiast. I'd like to contribute to the Spanish L10N team as a form of gratitude for this software. I'd like to practice my English too.

About Fedora Project and me: In the past, I used Fedora, but I haven't used Linux in many years. I use the GNOME desktop, another project that I like a lot. Finally, I'd like to contribute to Fedora's marketing team in Spanish.

GPG KEYID and fingerprint: gpg --fingerprint 0379658C
pub   ed25519 2026-05-08 [SC] [caduca: 2029-05-07]
      1DA6 61E2 BFF5 CEFC A71D  09A2 EEFE E8D6 0379 658C
uid        [  absoluta ] Alberto García Fernández <algarcia (at) fedoraproject.org>
sub   cv25519 2026-05-08 [E] [caduca: 2029-05-07]

-- _______________________________________________ trans mailing list -- trans@lists.fedoraproject.org To unsubscribe send an email to trans-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/trans@lists.fedoraproject.org Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new

[Test-Announce] 2026-05-11 @ 15:00 UTC - Fedora Quality Meeting?

# Fedora Quality Assurance Meeting
# Date: 2026-05-11
# Time: 15:00 UTC (https://fedoraproject.org/wiki/Infrastructure/UTCHowto)
# Location: https://matrix.to/#/#meeting:fedoraproject.org?web-instance[element.io]=chat.fedoraproject.org

Greetings testers!

It's meeting time again. I may not be around to run it, though. If I don't make it and anyone else wants to run it, please go ahead, it's easy! The SOP is at https://fedoraproject.org/wiki/QA:SOP_Matrix_meeting_process .

I didn't have anything particular to discuss, just a quick status check-in as usual.

Here is a handy link which should show you the meeting time in your local time:
https://www.timeanddate.com/worldclock/fixedtime.html?msg=Fedora+quality+meeting&iso=20260511T15&p1=1440&ah=1

If anyone has any other items for the agenda, please reply to this email and suggest them! Thanks.

== Proposed Agenda Topics ==
1. Previous meeting follow-up
2. Fedora 44 and 45 status
3. Test Day / community event status
4. Open floor

--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@fosstodon.org
https://www.happyassassin.net