Tuesday, August 18, 2020

[389-users] Re: How to disable attribute encryption


On 8/18/20 8:47 AM, Jan Tomasek wrote:
Hello,

is it possible to disable attribute encryption in 389 DS? I'm running 1.4.0.21 @ Debian Buster.

After replacing TLS certificate I'm receiving errors:

[18/Aug/2020:10:25:16.099482453 +0200] - ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
[18/Aug/2020:10:25:16.099670006 +0200] - ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.

I found: https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/updating_the_tls_certificates_used_for_attribute_encryption

But, I do not use any encrypted attribute so dumping and restoring database is not nice way how to deal witch such error.

Just, deleting all keys and server restart works too:

ldapsearch -H ldap://localhost -D "cn=Directory Manager" -W -LLL -o ldif-wrap=no -b "cn=ldbm database,cn=plugins,cn=config" "(nsSymmetricKey=*)" dn | sed "s/^$/changetype: delete\n/" | ldapmodify -H ldap://localhost -D "cn=Directory Manager" -W
Enter LDAP Password: Enter LDAP Password:
***
deleting entry "cn=3DES,cn=encrypted attribute keys,cn=xxx,cn=ldbm database,cn=plugins,cn=config"
deleting entry "cn=AES,cn=encrypted attribute keys,cn=xxx,cn=ldbm database,cn=plugins,cn=config"
deleting entry "cn=3DES,cn=encrypted attribute keys,xxx,cn=ldbm database,cn=plugins,cn=config"
deleting entry "cn=AES,cn=encrypted attribute keys,xxx,cn=ldbm database,cn=plugins,cn=config"
...

The best option would be config option to disable attribute encryption for all databases but I failed to find if it is possible.

You have to delete each attribute that was configured for attribute encryption (like what you did above, but you cna also use the CLI tools):

https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_attribute_encryption#disabling_encryption_for_an_attribute_using_the_command_line

HTH,

Mark


Thanks 

_______________________________________________  389-users mailing list -- 389-users@lists.fedoraproject.org  To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org  Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/  List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines  List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org  
--     389 Directory Server Development Team
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)