Hi,
How to modify the attribute nsslapd-encryptionalgorithm in Centos?
Thanks,
Denise

Stop Master servers and set nsslapd-encryptionalgorithm. The allowed value is AES or 3DES.

dn: cn=changelog5,cn=config
[...]
nsslapd-encryptionalgorithm: AES

--- On Tue, 4/6/13, Rich Megginson rmeggins@redhat.com wrote:
From: Rich Megginson rmeggins@redhat.com
Subject: Re: [389-users] changelog
To: "Denise Cosso" guanaes51@yahoo.com.br
Date: Tuesday, 4 June 2013, 16:34
On 06/04/2013 01:26 PM, Denise Cosso wrote:
Hi, Rich
CentOS release 6.3 (Final)
389-ds-base-libs-1.2.10.2-20.el6_3.x86_64
389-ds-1.2.2-1.el6.noarch
389-dsgw-1.1.10-1.el6.x86_64
389-ds-console-1.2.6-1.el6.noarch
389-ds-console-doc-1.2.6-1.el6.noarch
389-ds-base-1.2.10.2-20.el6_3.x86_64
As far as replication goes - you will need to use a security layer (SSL, TLS, or GSSAPI) to protect the clear text password on the wire
As far as encrypting it in the changelog - not sure
Denise
--- On Tue, 4/6/13, Rich Megginson rmeggins@redhat.com wrote:
From: Rich Megginson rmeggins@redhat.com
Subject: Re: [389-users] changelog
To: "General discussion list for the 389 Directory server project." 389-users@lists.fedoraproject.org
Cc: "Denise Cosso" guanaes51@yahoo.com.br
Date: Tuesday, 4 June 2013, 16:11
On 06/04/2013 12:39 PM, Denise Cosso wrote:
Hi,
Description of problem: When a userPassword is changed in a server with changelog, the hashed password is logged and also a cleartext pseudo-attribute version. It looks like this:

change:: replace: userPassword
userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==
-
replace: unhashed#user#password
unhashed#user#password: secret12
This unhashed version is used in winsync where the cleartext version of the password must be written to the AD.
Now if the DS is involved in replication with another DS, the change will be replayed exactly as it is logged to the other DS replicas, including the cleartext pseudo-attribute password.
What platform? What version of 389-ds-base are you using?
thanks,
Denise
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
Hi,
Anyone know how to do?
Stop the server, and add "nsencryptionalgorithm: AES" or "nsslapd-encryptionalgorithm: 3DES" to the changelog entry. The current supported encryption algorithms are AES and 3DES.

dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleobject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-ID/db/changelog
nsslapd-encryptionalgorithm: AES

Thanks,
Denise
If you already have configured SSL on your Directory Server, just adding "nsslapd-encryptionalgorithm: AES" to cn=changelog5,cn=config turns on the changelog encryption.
Then, please restart the server. You'd be able to see this attribute in your cn=changelog5:

nsSymmetricKey:: BASE64_STRING

And if you run, e.g., strings against your changelog, the attribute values are encrypted as follows:

# strings 62a1c402-e47611e4-bcd98b6b-27e8b792_55301a33000000010000.db
({replicageneration} 55301a33000000010000
5{replica 1} 55301a44000000010000
55301a44000000010000
0000014d000000000000
[...]
objectClass
_+7B
g`nT
givenName
userPassword
@~$a|F
creatorsName
h@3Z
modifiersName
h@3Z
[...]

Please note that the encryption starts with the changes made after the changelog encryption is enabled.

Thanks,
--noriko
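The two steps the thread settles on (with the server stopped, put nsslapd-encryptionalgorithm on cn=changelog5,cn=config; afterwards run strings over the changelog .db to confirm the unhashed#user#password value is no longer readable) as a small offline helper. This is an added example, not 389-ds project code or anything posted by the participants. It assumes dse.ldif entries are separated by a single blank line with the dn on the entry's first line, and the changelog and dse.ldif samples below are constructed for the demo, modelled on the excerpts in this thread.

```python
"""Added example (not 389-ds code): offline helpers for changelog encryption.

  1. enable_changelog_encryption(): with the server stopped, set
     nsslapd-encryptionalgorithm (AES or 3DES) on the cn=changelog5,cn=config
     entry in dse.ldif text.
  2. find_cleartext_passwords(): the strings(1)-style check from the thread,
     run over raw changelog .db bytes, returning every readable
     unhashed#user#password value. Only changes written after encryption was
     enabled are protected, so older records can still show up here.
"""
import re
import sys

SUPPORTED_ALGORITHMS = ("AES", "3DES")       # the values the thread lists as supported
CHANGELOG_DN = "dn: cn=changelog5,cn=config"
ATTR = "nsslapd-encryptionalgorithm"


def enable_changelog_encryption(dse_ldif: str, algorithm: str = "AES") -> str:
    """Return dse.ldif text with ATTR set to `algorithm` on the changelog entry.

    Any existing ATTR line on that entry is replaced, so repeated calls are
    idempotent. Raises ValueError for an unsupported algorithm or if the
    changelog entry is absent (changelog not configured).
    """
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"{algorithm!r} not supported; use one of {SUPPORTED_ALGORITHMS}")
    entries = dse_ldif.split("\n\n")          # LDIF entries are blank-line separated
    found = False
    for i, entry in enumerate(entries):
        body = entry.rstrip("\n")
        trailing = entry[len(body):]          # keep the file's final newline(s) intact
        lines = body.split("\n")
        if lines[0].strip().lower() != CHANGELOG_DN:
            continue
        found = True
        kept = [ln for ln in lines if not ln.lower().startswith(ATTR + ":")]
        kept.append(f"{ATTR}: {algorithm}")
        entries[i] = "\n".join(kept) + trailing
    if not found:
        raise ValueError("cn=changelog5,cn=config not present: changelog is not configured")
    return "\n\n".join(entries)


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.group(0).decode("ascii")


def find_cleartext_passwords(changelog_bytes: bytes) -> list:
    """Return the cleartext of each readable unhashed#user#password pseudo-attribute.

    An empty list means nothing is recoverable with strings; in an encrypted
    changelog the attribute names and values are ciphertext and never match.
    """
    leaks = []
    for s in printable_strings(changelog_bytes):
        m = re.search(r"unhashed#user#password:\s*(.*)", s)
        if m:
            leaks.append(m.group(1).strip())
    return leaks


# Constructed changelog record modelled on the excerpt in this thread; the
# surrounding bytes stand in for database page/record framing.
SAMPLE_CLEAR_CHANGELOG = (
    b"\x00\x01{replicageneration} 55301a33000000010000\x00\x00"
    b"replace: userPassword\n"
    b"userPassword: {SHA256}vqtiN2LHdrEUOJUKu+IBVqAVFsAlvFw+11kD/Q==\n-\n"
    b"replace: unhashed#user#password\n"
    b"unhashed#user#password: secret12\n-\n\x00\xff"
)

# Constructed stand-in for the same record once the changelog is encrypted:
# the replica-generation header stays readable, the record body does not.
SAMPLE_ENCRYPTED_CHANGELOG = (
    b"{replicageneration} 55301a33000000010000"
    + bytes((i * 37 + 11) % 256 for i in range(256))
)

# Constructed dse.ldif fragment (the slapd-ID path is a placeholder, as in the thread).
SAMPLE_DSE_LDIF = """dn: cn=config
cn: config
nsslapd-port: 389

dn: cn=changelog5,cn=config
objectClass: top
objectClass: extensibleobject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-ID/db/changelog

dn: cn=encryption,cn=config
cn: encryption
"""

if __name__ == "__main__":
    # Pass a real changelog .db path to scan it; with no argument use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CLEAR_CHANGELOG
    leaks = find_cleartext_passwords(data)
    print("cleartext passwords found:" if leaks else "no cleartext passwords found", leaks)
    print(enable_changelog_encryption(SAMPLE_DSE_LDIF, "AES"))
```

Run the scan against the real changelog database file before and after the restart; because encryption only covers changes written after it is enabled, a password change made afterwards is the record to look for, and records from before still need to be treated as having been exposed.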