[389-devel] Please review: [Bug 182507] clear-password mod from replica is discarded before changelogged
Noriko Hosoi
nhosoi at redhat.com
Tue Dec 14 17:51:45 UTC 2010
Hi Andrey,
Andrey Ivanov wrote:
> Hi Noriko,
>
> i've read the changelog encryption design document. Indeed, it's a
> sound idea to make AD-389 replication more robust. I have two
> questions about it:
>
> * if I understand correctly you say that the server needs a
> certificate in order to generate the symmetric key. Is this key
> generated only once?
That is correct. If a wrapped symmetric key is not found in
cn=changelog5,cn=config, the key is generated.
> I mean, if we change the expired server
> certificate it won't trigger the symmetric key regeneration?
That's tricky. If your changelog DB contains 2 sets of encrypted values
-- one is encrypted with the expired cert, the other with the new cert,
it'd be hard to recover old ones. Automation makes it happen easier...
> * The replication changelog that contains the mixed entries
> (cleartext, encrypted 3DES, encrypted AES etc) - is it still readable
> by the server?
I don't think so. We should avoid it, too.
> Does each changelog entry contain a flag that describes
> whether the entry is cleartext/AES/3DES? Can the server "detect" in
> any other way whether the changelog entry is encrypted and if yes with
> what type of cypher?
The answer is no. Each value has no info about the type --
cleartext/AES/3DES.
Thanks for the questions, Andrey!
--noriko
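The two questions above (a wrapped symmetric key generated once and kept in config, and changelog values that carry no marker saying whether they are cleartext, 3DES or AES) are exactly the cases a per-value header would resolve. The following is an added illustration in Go, not 389-ds code and not the design document's format: an RSA key pair stands in for the server certificate, the symmetric key is wrapped with RSA-OAEP, and each stored value is prefixed with a hypothetical two-byte header (cipher tag, key id) that is also authenticated as AEAD associated data. With that header a key ring can hold the old and new keys side by side during a certificate change, and a value encrypted under a key that is no longer available fails with a clear error instead of silently decrypting to garbage. All sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical per-value header (not the 389-ds changelog format): one byte
// naming the cipher, one byte naming the wrapped key the value was sealed with.
const (
	TagClear byte = 0 // value stored in cleartext
	TagAES   byte = 1 // value sealed with AES-256-GCM under key <key id>
)

var oaepLabel = []byte("changelog-key") // constructed label; any fixed value works

// NewAESKey generates a fresh 256-bit symmetric key (the "generated once" key).
func NewAESKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapKey protects the symmetric key with the server's RSA public key, standing in
// for the server certificate; the result is what a server would keep in config.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
}

// UnwrapKey recovers the symmetric key with the matching private key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// SealValue encrypts one changelog value and prefixes the header; the header is
// bound into the GCM tag as associated data so it cannot be altered later.
func SealValue(key []byte, keyID byte, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	hdr := []byte{TagAES, keyID}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return gcm.Seal(out, nonce, plaintext, hdr), nil
}

// OpenValue reads the header, picks the matching key from the ring (old and new
// keys coexist during a rotation) and decrypts; cleartext values pass through.
func OpenValue(ring map[byte][]byte, stored []byte) ([]byte, error) {
	if len(stored) < 1 {
		return nil, errors.New("empty value")
	}
	switch stored[0] {
	case TagClear:
		return stored[1:], nil
	case TagAES:
		if len(stored) < 2 {
			return nil, errors.New("truncated header")
		}
		key, ok := ring[stored[1]]
		if !ok {
			return nil, fmt.Errorf("no key with id %d in ring", stored[1])
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		ns := gcm.NonceSize()
		if len(stored) < 2+ns {
			return nil, errors.New("truncated nonce")
		}
		return gcm.Open(nil, stored[2:2+ns], stored[2+ns:], stored[:2])
	default:
		return nil, fmt.Errorf("unknown cipher tag %d", stored[0])
	}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the server cert key
	oldKey, _ := NewAESKey()
	newKey, _ := NewAESKey()
	wrapped, _ := WrapKey(&priv.PublicKey, oldKey)
	recovered, _ := UnwrapKey(priv, wrapped)
	fmt.Println("unwrap ok:", bytes.Equal(recovered, oldKey))
	v1, _ := SealValue(oldKey, 1, []byte("userPassword: s3cret")) // constructed
	v2, _ := SealValue(newKey, 2, []byte("userPassword: n3w"))    // constructed
	ring := map[byte][]byte{1: oldKey, 2: newKey}
	for _, v := range [][]byte{v1, v2, append([]byte{TagClear}, "cn=plain"...)} {
		p, err := OpenValue(ring, v)
		fmt.Printf("%q %v\n", p, err)
	}
	// Drop the old key: values tagged with key id 1 fail loudly, and we know why.
	_, err := OpenValue(map[byte][]byte{2: newKey}, v1)
	fmt.Println("after dropping key 1:", err)
}
```

The design point is the header, not the particular ciphers: without the tag a reader has to guess whether a value is cleartext, 3DES or AES and which certificate generation wrapped its key, which is the mixed-changelog situation the thread says should be avoided.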