Monday, May 11, 2026

[389-users] Re: [EXTERNAL\EXTERNE:] Re: version 3.1 : ERR - attrcrypt_ciphe

This is my full log after restart and the OS and 389-DS version:

 5.14.0-611.49.2.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 30 09:05:08 EDT 2026 x86_64 GNU/Linux
389-ds-base-libs-3.1.3-7.el10_1.x86_64

[11/May/2026:08:08:06.489703415 -0700] - INFO - slapd_extract_cert - CA CERT NAME: Entrust OV TLS Issuing RSA CA 1 - SSL Corporation
[11/May/2026:08:08:06.491682937 -0700] - INFO - slapd_extract_cert - CA CERT NAME: Self-Signed-CA
[11/May/2026:08:08:06.492152194 -0700] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password if pin.txt does not exist.
[11/May/2026:08:08:06.518750646 -0700] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[11/May/2026:08:08:06.553993372 -0700] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[11/May/2026:08:08:06.554338296 -0700] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[11/May/2026:08:08:06.554580339 -0700] - INFO - Security Initialization - SSL info:     TLS_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.554917810 -0700] - INFO - Security Initialization - SSL info:     TLS_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.555192333 -0700] - INFO - Security Initialization - SSL info:     TLS_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.555360588 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.555512802 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.555660128 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.555820939 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.555971791 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.556116070 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.556262604 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[11/May/2026:08:08:06.556408537 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[11/May/2026:08:08:06.556551104 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/May/2026:08:08:06.556695374 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
[11/May/2026:08:08:06.556846817 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/May/2026:08:08:06.556994573 -0700] - INFO - Security Initialization - SSL info:     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/May/2026:08:08:06.557139865 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[11/May/2026:08:08:06.557287401 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[11/May/2026:08:08:06.557431420 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[11/May/2026:08:08:06.557573065 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[11/May/2026:08:08:06.557726221 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[11/May/2026:08:08:06.557886871 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[11/May/2026:08:08:06.558041370 -0700] - INFO - Security Initialization - SSL info:     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[11/May/2026:08:08:06.563964174 -0700] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[11/May/2026:08:08:06.564487373 -0700] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[11/May/2026:08:08:06.564835995 -0700] - INFO - main - 389-Directory/3.1.3 B2026.051.0000 starting up
[11/May/2026:08:08:06.565071755 -0700] - INFO - main - Setting the maximum file descriptor limit to: 1048576
[11/May/2026:08:08:06.571042469 -0700] - INFO - PBKDF2-SHA1 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.571406910 -0700] - INFO - PBKDF2-SHA1 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.571637361 -0700] - INFO - PBKDF2-SHA256 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.571870307 -0700] - INFO - PBKDF2-SHA512 - Number of iterations set to 100000 from default
[11/May/2026:08:08:06.692829541 -0700] - INFO - PBKDF2_SHA256 - Based on CPU performance, chose 3000 rounds
[11/May/2026:08:08:06.697571186 -0700] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[11/May/2026:08:08:06.703451140 -0700] - INFO - dbmdb_make_env - MDB environment created with maxsize=6442450944.
[11/May/2026:08:08:06.703753165 -0700] - INFO - dbmdb_make_env - MDB environment created with max readers=126.
[11/May/2026:08:08:06.703942058 -0700] - INFO - dbmdb_make_env - MDB environment created with max database instances=512.
[11/May/2026:08:08:06.704770127 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[11/May/2026:08:08:06.704994095 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[11/May/2026:08:08:06.705155447 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
[11/May/2026:08:08:06.750376700 -0700] - INFO - connection_table_new - Number of connection sub-tables 1, each containing 63937 slots.
[11/May/2026:08:08:06.777423200 -0700] - INFO - slapd_daemon - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[11/May/2026:08:08:06.777828878 -0700] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests








From: Mark Reynolds <mareynol@redhat.com>
Sent: Friday, May 8, 2026 2:14:23 PM
To: General discussion list for the 389 Directory server project.
Cc: Ghiurea, Isabella
Subject: [EXTERNAL\EXTERNE:] Re: [389-users] version 3.1 : ERR - attrcrypt_ciphe
 


I haven't seen this particular error before.  Here is my error log at startup. Does your log look similar to this (besides the error)?


[05/May/2026:10:38:38.570345263 -0400] - INFO - slapd_extract_cert - CA CERT NAME: Self-Signed-CA
[05/May/2026:10:38:38.575013995 -0400] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password if pin.txt does not exist.
[05/May/2026:10:38:38.596977165 -0400] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[05/May/2026:10:38:38.628070445 -0400] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[05/May/2026:10:38:38.629070043 -0400] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[05/May/2026:10:38:38.629758473 -0400] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[05/May/2026:10:38:38.630223912 -0400] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[05/May/2026:10:38:38.630729097 -0400] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
...

...

[05/May/2026:10:38:38.646869597 -0400] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647319500 -0400] - INFO - Security Initialization - slapd_ssl_init2 - NSS adjusted SSL version range: min: TLS1.2, max: TLS1.3
[05/May/2026:10:38:38.647903706 -0400] - INFO - main - 389-Directory/3.2.0 DEVELOPER BUILD B0000.000.0000 starting up
...

...
[05/May/2026:10:38:38.758475494 -0400] - INFO - dbmdb_make_env - MDB environment created with maxsize=21474836480 (20.0 GB)
[05/May/2026:10:38:38.759509913 -0400] - INFO - dbmdb_make_env - MDB environment created with max readers=126
[05/May/2026:10:38:38.760668867 -0400] - INFO - dbmdb_make_env - MDB environment created with max database instances=512
[05/May/2026:10:38:38.763059652 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.765674326 -0400] - INFO - attrcrypt_cipher_init - Key for cipher AES successfully generated and stored
[05/May/2026:10:38:38.766149695 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.768561634 -0400] - INFO - attrcrypt_cipher_init - Key for cipher 3DES successfully generated and stored



Are you running the server with security enabled?  


Have you explicitly enabled/disabled specific ciphers under cn=encryption,cn=config?


dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
CACertExtractFile: /tmp/slapd-localhost/Self-Signed-CA.pem
nsSSL3Ciphers:  +all,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384



Also what platform are you running this on?  What rpm version of "nss" is installed?  This could also be related to your system's crypto policy.


Thanks,

Mark



On 5/8/26 4:11 PM, Ghiurea, Isabella via 389-users wrote:



After installing new certs on version 389-ds-base-libs-3.1.3-7.el10_1.x86_64, I am seeing the following ERR in the error log when restarting the ldap.


[08/May/2026:12:47:19.286692556 -0700] - INFO - dbmdb_make_env - MDB environment created with max database instances=512.
[08/May/2026:12:47:19.287568735 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[08/May/2026:12:47:19.287866902 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[08/May/2026:12:47:19.288083818 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.

And here are my entries for encryption in dse.ldif:
dn: cn=encrypted attribute keys,cn=userroot,cn=ldbm database,cn=plugins,cn=con
 fig
objectClass: top
objectClass: extensibleObject
cn: encrypted attribute keys
creatorsName: cn=ldbm database,cn=plugins,cn=config
modifiersName: cn=ldbm database,cn=plugins,cn=config
createTimestamp: 20260128,........
modifyTimestamp: 20260128........
numSubordinates: 2

dn: cn=encrypted attributes,cn=userroot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes
creatorsName: cn=ldbm database,cn=plugins,cn=config
modifiersName: cn=ldbm database,cn=plugins,cn=config
createTimestamp: 202601282....
modifyTimestamp: 20260128....

What else must be changed to eliminate the errors?
Thank you!


-- 
Identity Management Development Team
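
A startup check for the attribute-encryption messages compared in this thread, added here as an example (not code from the 389-ds project or from either poster): it parses an error log and reports, per cipher, whether the key was created or could not be retrieved, and whether attribute encryption came up at all. The function name and state labels are assumptions; the sample lines are copied from the two logs above.

```python
import re

# Error-log line shape seen in this thread: [timestamp] - LEVEL - function - message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] - (?P<level>[A-Z]+) - (?P<func>\S+) - (?P<msg>.*)$")
FAILED = re.compile(r"Failed to retrieve key for cipher (\S+) \((\d+)\)")
MISSING = re.compile(r"No symmetric key found for cipher (\S+) in backend (\S+),")
CREATED = re.compile(r"Key for cipher (\S+) successfully generated and stored")
ALL_DOWN = "All prepared ciphers are not available"

# Sample lines copied from the two startup logs quoted in the thread.
FAILING_LOG = """\
[11/May/2026:08:08:06.703942058 -0700] - INFO - dbmdb_make_env - MDB environment created with max database instances=512.
[11/May/2026:08:08:06.704770127 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher AES (2)
[11/May/2026:08:08:06.704994095 -0700] - ERR - attrcrypt_cipher_init - Failed to retrieve key for cipher 3DES (2)
[11/May/2026:08:08:06.705155447 -0700] - ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
"""
HEALTHY_LOG = """\
[05/May/2026:10:38:38.763059652 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher AES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.765674326 -0400] - INFO - attrcrypt_cipher_init - Key for cipher AES successfully generated and stored
[05/May/2026:10:38:38.766149695 -0400] - NOTICE - attrcrypt_cipher_init - No symmetric key found for cipher 3DES in backend userroot, attempting to create one...
[05/May/2026:10:38:38.768561634 -0400] - INFO - attrcrypt_cipher_init - Key for cipher 3DES successfully generated and stored
"""

def attrcrypt_status(log_text):
    """Return ({cipher: state}, usable) for the attrcrypt lines of one startup.

    State labels (hypothetical, chosen for this example):
    'retrieve-failed(N)', 'key-missing', 'key-created'.
    """
    ciphers, usable = {}, True
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["func"].startswith("attrcrypt_"):
            continue  # not an attribute-encryption message
        msg = m["msg"]
        if (f := FAILED.search(msg)):
            ciphers[f[1]] = f"retrieve-failed({f[2]})"
        elif (n := MISSING.search(msg)):
            ciphers.setdefault(n[1], "key-missing")
        elif (c := CREATED.search(msg)):
            ciphers[c[1]] = "key-created"
        elif ALL_DOWN in msg:
            usable = False  # attrcrypt_init gave up on every cipher
    return ciphers, usable

if __name__ == "__main__":
    for name, text in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(name, attrcrypt_status(text))
```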
