Attributes are still encrypted after being removed from an attribute encryption policy

  • 3065292
  • 17-Aug-2006
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for All Platforms

Situation

Scenario 1:

An attribute encryption policy has been edited to add attributes (marking them encrypted), but the attributes are still readable over unsecured (clear-text) channels.

Scenario 2:

Attributes that were encrypted as part of an attribute encryption policy have been marked unencrypted, but they are still not accessible over unsecured channels.

Scenario 3:

An attribute encryption policy containing encrypted attributes has been deleted, but the attributes it covered are still not accessible over unsecured channels.

Scenario 4:

Identity Manager (IDM) still treats attributes as encrypted after the attribute has been marked unencrypted or the encryption policy has been deleted.

Resolution

The limber process completes the addition and removal of attributes in attribute encryption policies. Until limber has processed the change, the policy edit is recorded but the attributes keep their previous encrypted or unencrypted behaviour, which produces the symptoms above.

If an attribute encryption policy has been added, modified or deleted, it may be necessary to trigger the limber process manually so that the change takes effect immediately instead of waiting for the next scheduled limber run.

EXAMPLE:

UNIX/Linux (at the ndstrace prompt)
# ndstrace
> set ndstrace=nodebug      (clear all trace flags)
> set ndstrace=+LMBR        (enable the limber trace tag)
> set ndstrace=*l           (trigger the limber process)

NetWare (at the server console)
dstrace
dstrace=+lmbr
dstrace=*l

iMonitor
1. Trace Configuration: mark Limber, then Trace On
2. Agent Configuration: Agent Triggers, mark Limber, then Submit
3. Open Trace to view the limber output

Example of the trace messages seen while an attribute is being added to an encryption policy (note State: InProgress):

EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
UpdateEaPseudoServer: Pseudo Server: Attr Name assistant added with Scheme aes
Success: ReadPolicyObject: Attr Name: assistant added
Encryption: assistant - 607, Scheme: aes State: InProgress
Encryption: Require Secure Set
End EncryptionPolicyObject Reading

Example of the trace messages seen once limber has finished encrypting the attribute (note State: Success):

EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
Encryption: assistant - 607, Scheme: aes State: Success
Encryption: Require Secure Set
End EncryptionPolicyObject Reading

Similar messages are seen when an attribute is marked unencrypted or a policy with encrypted attributes is deleted.

The process may take several minutes depending on the number of objects in the tree.
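Before relying on the new encryption state (for example before testing access over a clear-text channel), check the trace for State: Success. The following shell script is an added example and is not part of this TID or of eDirectory. It parses the trace message format shown above, using the two excerpts as constructed sample input, and reports which attributes are still InProgress. Capturing the trace to a text file first (for example with ndstrace -l redirected to a file) is an assumption about your setup; the functions only need the trace text.

```sh
#!/bin/sh
# Added example (not Novell/eDirectory code): check limber progress for
# attribute encryption changes in ndstrace +LMBR output.
# Assumes the message format shown in this TID:
#   Encryption: <attr> - <id>, Scheme: <scheme> State: <InProgress|Success>

# Constructed sample: the first trace excerpt from this TID (add in progress).
SAMPLE_IN_PROGRESS='EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
UpdateEaPseudoServer: Pseudo Server: Attr Name assistant added with Scheme aes
Success: ReadPolicyObject: Attr Name: assistant added
Encryption: assistant - 607, Scheme: aes State: InProgress
Encryption: Require Secure Set
End EncryptionPolicyObject Reading'

# Constructed sample: both excerpts in order, i.e. the trace after limber completes.
SAMPLE_COMPLETE="$SAMPLE_IN_PROGRESS
EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
Encryption: assistant - 607, Scheme: aes State: Success
Encryption: Require Secure Set
End EncryptionPolicyObject Reading"

# Print "<attribute><TAB><state>" for the most recent State line per attribute.
# The attribute name is cut out of the whole line rather than taken as field 2
# because eDirectory attribute names may contain spaces (e.g. "Given Name").
encryption_states() {
  printf '%s\n' "$1" | awk '
    /^Encryption: .* - [0-9]+, Scheme: .* State: / {
      name = $0
      sub(/^Encryption: /, "", name)
      sub(/ - [0-9]+, Scheme: .*$/, "", name)
      last[name] = $NF                      # later lines override earlier ones
    }
    END { for (a in last) printf "%s\t%s\n", a, last[a] }' | sort
}

# Print attributes whose latest state is anything other than Success.
pending_attrs() {
  encryption_states "$1" | awk -F'\t' '$2 != "Success" { print $1 }'
}

# Exit 0 when every attribute seen in the trace has reached State: Success.
all_settled() {
  [ -z "$(pending_attrs "$1")" ]
}

# Stand-alone run against the constructed samples.
echo "Right after the policy change:"
pending_attrs "$SAMPLE_IN_PROGRESS" | sed 's/^/  still pending: /'
echo "After limber completes:"
encryption_states "$SAMPLE_COMPLETE" | sed 's/^/  /'
```

Feed the captured trace to pending_attrs (for example pending_attrs "$(cat limber.log)"): an empty result means every attribute in the policy has reached State: Success and the attributes should now behave as the edited policy specifies. If attributes stay InProgress, limber has not finished yet, and retesting access over a clear-text channel is premature.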

IDM requires a restart of the drivers after an attribute has been marked as encrypted or unencrypted; running limber alone does not update the drivers' view of the attribute.