On 8/18/20 9:24 AM, Jan Tomasek wrote:
On 8/18/20 3:21 PM, Mark Reynolds wrote:
Looks like you are all good then...
Yes, but... is it possible to prevent creating "encrypted attribute keys" and seeing this message in the logs:
ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
every time I replace LDAPS certificate?
Every time you replace your server certificate you will need to delete these entries (or remove the nsSymmetricKey attribute):
dn: cn=3DES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: msf+gaXDXTz4pukx557HvRoRDsQycNxv2kiJAhbfzl53gYO/DiqRNIYSjS4nl
b/VhP9crRTTi0RrKMxN9AGalZwgb+lqIPozb9HvNiHeNlsxCta6nnsCiX5kKWa1zLKJowJ0iqhreW
TRBZV3/mzmr09AtusCC60/FXQdkbQlSDZre0pn7GHbg2mSb1QcMWT2EHbrVPuQAWDXMWdcZBKnUWr
zCR+nKkS5w7PMwoU1/RCMYN1yibtmc1k/HheyM8JBf0OHQhr2FawS2LiwF2VN56r3XlmyXSBkF/IX
01534RA/NdopD4TwxGKZBAVyQvnoRXXGwOBSlQ67IZHIoH89HQ==
dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: SG4+8+Dm49nxLQiiHuv/wp96NUGBqhcWA8gATOjjrDbvZm63m00ljf3AJP0+W
Nsdzt6bYlGVfbDB2+XFy2QTFhGSD9kZiM1kxYTzJ9AJgy2vLo7bGfIDcTQk2swBDAiOwcACdLNRw3
4EYxpFZsS5TbLX1+zKfs/50UPRjAt3KtdGo5uCULCndmMlcz/UqoDFDUj1POYTC746YXOy+QsbEtu
PqlzExXBZGbSjTvoeGB6GmG0L6pT/hVTCmbl6HWFfILKrvdfch0qp/AoBvLNpjBZXuWgUfKtR6m6V
YyOFAzKQDf7ZgvRgn0cx6DVzEgAhy1dBHcYv+6oTUUlFPzfSZQ==
These entries are generated at server startup (there is no way to
prevent that). So stop the server and edit the dse.ldif and
remove these entries, then start the server up and those errors
will go away - well until you renew the server cert again :-)
_______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
-- 389 Directory Server Development Team
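An added sketch (not from the thread or the 389 Directory Server project) of the dse.ldif edit described above: with the server stopped, it splits out every entry under a `cn=encrypted attribute keys` container that carries `nsSymmetricKey`, writing the wrapped keys to a side file, as the log message advises, before dropping them. The function name, the `.removed-keys` suffix and the sample LDIF are assumptions.

```python
import re
import sys

# DN shape from the thread: cn=<cipher>,cn=encrypted attribute keys,cn=<backend>,...
KEY_DN = re.compile(r"cn=[^,]+,\s*cn=encrypted attribute keys,", re.I)

def split_key_entries(ldif_text):
    """Return (kept, removed) LDIF text; removed holds the wrapped-key entries."""
    kept, removed = [], []
    for block in re.split(r"\n[ \t]*\n", ldif_text.strip("\n")):
        # Unfold LDIF continuation lines (a newline followed by one space).
        lines = block.replace("\n ", "").split("\n")
        dn = next((l[3:].strip() for l in lines if l.lower().startswith("dn:")), "")
        has_key = any(l.lower().startswith("nssymmetrickey:") for l in lines)
        (removed if KEY_DN.match(dn) and has_key else kept).append(block)
    def join(blocks):
        return "\n\n".join(blocks) + "\n" if blocks else ""
    return join(kept), join(removed)

# Constructed sample (placeholder key values, not real wrapped keys).
SAMPLE = """\
dn: cn=config
cn: config

dn: cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
cn: encrypted attribute keys

dn: cn=3DES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: UExBQ0VIT0xERVItM0RFUy1LRVk
 tQ09OU1RSVUNURUQ=

dn: cn=AES,cn=encrypted attribute keys,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: UExBQ0VIT0xERVItQUVTLUtFWQ==
"""

if __name__ == "__main__" and len(sys.argv) == 2:  # argument: path to dse.ldif
    path = sys.argv[1]
    with open(path) as f:
        kept, removed = split_key_entries(f.read())
    with open(path + ".removed-keys", "w") as f:  # keep the wrapped keys aside
        f.write(removed)
    with open(path, "w") as f:
        f.write(kept)
```

The container entry itself is left in place; only the per-cipher entries holding a wrapped key are moved out.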