Tuesday, August 18, 2020

[389-users] Re: How to disable attribute encryption


On 8/18/20 9:24 AM, Jan Tomasek wrote:
On 8/18/20 3:21 PM, Mark Reynolds wrote:
Looks like you are all good then...

Yes, but... is it possible to prevent creating "encrypted attribute keys" and seeing in logs message:

 ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped.  To recover the encrypted contents, keep the wrapped symmetric key value.

every time I replace LDAPS certificate?

Every time you replace your server certificate you will need to delete these entries (or remove the nsSymmetricKey attribute):

dn: cn=3DES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: msf+gaXDXTz4pukx557HvRoRDsQycNxv2kiJAhbfzl53gYO/DiqRNIYSjS4nl
 b/VhP9crRTTi0RrKMxN9AGalZwgb+lqIPozb9HvNiHeNlsxCta6nnsCiX5kKWa1zLKJowJ0iqhreW
 TRBZV3/mzmr09AtusCC60/FXQdkbQlSDZre0pn7GHbg2mSb1QcMWT2EHbrVPuQAWDXMWdcZBKnUWr
 zCR+nKkS5w7PMwoU1/RCMYN1yibtmc1k/HheyM8JBf0OHQhr2FawS2LiwF2VN56r3XlmyXSBkF/IX
 01534RA/NdopD4TwxGKZBAVyQvnoRXXGwOBSlQ67IZHIoH89HQ==

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: SG4+8+Dm49nxLQiiHuv/wp96NUGBqhcWA8gATOjjrDbvZm63m00ljf3AJP0+W
 Nsdzt6bYlGVfbDB2+XFy2QTFhGSD9kZiM1kxYTzJ9AJgy2vLo7bGfIDcTQk2swBDAiOwcACdLNRw3
 4EYxpFZsS5TbLX1+zKfs/50UPRjAt3KtdGo5uCULCndmMlcz/UqoDFDUj1POYTC746YXOy+QsbEtu
 PqlzExXBZGbSjTvoeGB6GmG0L6pT/hVTCmbl6HWFfILKrvdfch0qp/AoBvLNpjBZXuWgUfKtR6m6V
 YyOFAzKQDf7ZgvRgn0cx6DVzEgAhy1dBHcYv+6oTUUlFPzfSZQ==


These entries are generated at server startup (there is no way to prevent that).  So stop the server and edit the dse.ldif and remove these entries, then start the server up and those errors will go away - well until you renew the server cert again :-)



_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
-- 
389 Directory Server Development Team
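The clean-up Mark describes (server stopped, stale entries under cn=encrypted attribute keys removed from dse.ldif, or just their nsSymmetricKey attribute) is easy to get wrong by hand because the base64 value is folded over several lines. The script below is an added example, not part of 389-ds or this thread: it unfolds LDIF continuation lines, strips the nsSymmetricKey attribute (or the whole per-cipher entry when drop_entries=True) from every child of cn=encrypted attribute keys, and returns the removed wrapped-key values so they can be kept on file, which is what the error message itself recommends. It assumes dse.ldif has been copied to a working path before editing, that DNs can be split on commas (true for the DNs in the thread), and uses a constructed, shortened sample instead of real key material.

```python
"""Strip stale attribute-encryption key entries from a dse.ldif copy.

Added example for the 389-users thread; not 389-ds code. Run it only on
a copy of dse.ldif with the server stopped, and keep the returned wrapped
keys: they are the only way to read data encrypted under the old cert.
"""
import sys

# RDN of the container holding the per-cipher key entries (cn=3DES, cn=AES).
# The backend name ("NetscapeRoot" in the thread) differs per database, so we
# match on the container RDN rather than on a full DN.
KEY_CONTAINER_RDN = "cn=encrypted attribute keys"

# Constructed sample: a minimal dse.ldif with one key entry whose base64
# value is folded over two lines, as the real nsSymmetricKey values are.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
cn: config

dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVow
 MTIzNDU2Nzg5

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
cn: userRoot
"""


def split_entries(ldif_text):
    """Split LDIF into records (lists of lines), unfolding continuation lines.

    LDIF folds a long value by starting the next line with one space; the
    fold must be undone before the base64 value can be compared or decoded.
    """
    records, current = [], []
    for line in ldif_text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]          # continuation of previous line
        else:
            current.append(line)
    if current:
        records.append(current)
    return records


def entry_dn(record):
    """Return the DN of a record ('' if it has none)."""
    for line in record:
        if line.lower().startswith("dn:"):
            return line[3:].strip()
    return ""


def is_key_entry(record):
    """True for direct children of cn=encrypted attribute keys (cn=3DES, cn=AES)."""
    parts = [p.strip() for p in entry_dn(record).lower().split(",")]
    return len(parts) > 1 and parts[1] == KEY_CONTAINER_RDN


def list_dns(ldif_text):
    """DNs of all records in the text, in order."""
    return [entry_dn(r) for r in split_entries(ldif_text)]


def scrub(ldif_text, drop_entries=False):
    """Return (cleaned_ldif, saved_keys).

    drop_entries=False removes only the nsSymmetricKey attribute; True deletes
    the whole key entry. Both are the options given in the thread; the server
    regenerates the key entries on its next start. saved_keys is a list of
    (dn, base64 wrapped key) so the old values are not lost.
    """
    kept, saved = [], []
    for record in split_entries(ldif_text):
        if not is_key_entry(record):
            kept.append(record)
            continue
        dn = entry_dn(record)
        for line in record:
            if line.lower().startswith("nssymmetrickey::"):
                saved.append((dn, line.split("::", 1)[1].strip()))
        if drop_entries:
            continue
        kept.append([l for l in record if not l.lower().startswith("nssymmetrickey:")])
    return "\n\n".join("\n".join(r) for r in kept) + "\n", saved


if __name__ == "__main__":
    # Usage: python scrub_keys.py [copy-of-dse.ldif]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DSE
    cleaned, saved = scrub(text)
    for dn, key in saved:
        print(f"saved wrapped key for {dn}: {key}")
    print(cleaned)
```

Write the returned wrapped keys to a file outside the instance directory before replacing dse.ldif; the entries are recreated at startup, so the only thing lost by the edit is the ability to decrypt data written under the old key unless that value is kept.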
