Environment
Novell eDirectory 8.8 for All Platforms
Situation
Scenario 1:
An attribute encryption policy has been edited and attributes added to it for encryption, but the attributes are still readable over unsecured (clear-text) channels.
Scenario 2:
Attributes that were encrypted as part of an attribute encryption policy have been changed to unencrypted, but they are still not readable over unsecured channels.
Scenario 3:
An attribute encryption policy that contained encrypted attributes has been deleted, but the attributes that were in the policy are still not readable over unsecured channels.
Scenario 4:
IDM still treats attributes as encrypted after the attribute has been marked unencrypted or the encryption policy has been deleted.
Resolution
The limber process is what actually applies the addition or removal of attributes in attribute encryption policies; editing the policy object alone only records the intent.
Limber runs on its own schedule, so if an attribute encryption policy has been added, modified, or deleted, it may be necessary to force limber to run manually for the change to take effect immediately.
EXAMPLE:
UNIX/Linux (at the ndstrace prompt; nodebug clears the current trace flags, +LMBR turns on limber tracing, and *l schedules limber to run now):
#ndstrace
>set ndstrace=nodebug
>set ndstrace=+LMBR
>set ndstrace=*l
NetWare (at the server console):
dstrace
dstrace=+lmbr
dstrace=*l
iMonitor (turn on the limber trace first, then trigger limber and watch the trace):
Trace Configuration
Mark Limber
Trace On
Agent Configuration
Agent Triggers
Mark Limber
Submit
Trace
Example of dstrace message during attribute encryption add:
EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
UpdateEaPseudoServer: Pseudo Server: Attr Name assistant added with Scheme aes
Success: ReadPolicyObject: Attr Name: assistant added
Encryption: assistant - 607, Scheme: aes State: InProgress
Encryption: Require Secure Set
End EncryptionPolicyObject Reading
Example of dstrace message when encrypted attributes process is complete:
EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
Encryption: assistant - 607, Scheme: aes State: Success
Encryption: Require Secure Set
End EncryptionPolicyObject Reading
Similar messages are seen when an attribute is marked unencrypted or when a policy containing encrypted attributes is deleted; the attribute is not in its new state until the trace reports State: Success for it.
The process may take several minutes depending on the number of objects in the tree.
IDM requires a restart of the drivers after an attribute has been marked as encrypted or unencrypted.
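The following script is an added example and is not part of this TID or of eDirectory itself. It wraps the UNIX/Linux procedure above (force limber, then confirm in the LMBR trace that the attribute reached State: Success) and adds the check a practitioner wants afterwards: a clear-text LDAP read to prove the attribute is no longer returned. Assumptions: ndstrace accepts commands non-interactively with -c, the trace has been captured to a file whose path the caller supplies, OpenLDAP ldapsearch is installed for the probe, and the sample trace embedded below is constructed from the trace lines quoted in this TID.

```shell
#!/bin/sh
# Added example, not from the TID: force limber, then verify from the LMBR
# trace that an attribute encryption change has completed.
set -eu

# Constructed sample built from the trace lines quoted in the TID: one pass
# still InProgress, followed by the completed pass.
TRACE_SAMPLE='EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
UpdateEaPseudoServer: Pseudo Server: Attr Name assistant added with Scheme aes
Success: ReadPolicyObject: Attr Name: assistant added
Encryption: assistant - 607, Scheme: aes State: InProgress
Encryption: Require Secure Set
End EncryptionPolicyObject Reading
EncryptionPolicyObject DN Reading...
Encryption Policy DN .CN=Test2-policy.O=novell.T=SOL-881....
Encryption: assistant - 607, Scheme: aes State: Success
Encryption: Require Secure Set
End EncryptionPolicyObject Reading'

# force_limber: the three ndstrace commands from the TID (clear flags, enable
# the limber channel, schedule limber). Passing them with "ndstrace -c" instead
# of typing them at the prompt is an assumption about the ndstrace build.
force_limber() {
    if ! command -v ndstrace >/dev/null 2>&1; then
        echo "ndstrace not found; enter the commands at the ndstrace prompt" >&2
        return 1
    fi
    ndstrace -c "set ndstrace=nodebug"
    ndstrace -c "set ndstrace=+LMBR"
    ndstrace -c "set ndstrace=*l"
}

# encryption_state ATTR [FILE]: print the last "State:" value the trace
# reported for ATTR on an "Encryption:" line (InProgress, Success, ...),
# or "none" if the attribute never appears. Reads stdin when FILE is omitted.
encryption_state() {
    attr=$1
    file=${2:--}
    awk -v a="$attr" '
        $1 == "Encryption:" && $2 == a {
            for (i = 1; i <= NF; i++) if ($i == "State:") state = $(i + 1)
        }
        END { print (state == "" ? "none" : state) }
    ' "$file"
}

# wait_for_success ATTR FILE [TRIES]: poll the captured trace until limber
# reports Success for ATTR. On a large tree this legitimately takes minutes,
# so the default allows 30 polls ten seconds apart before giving up.
wait_for_success() {
    attr=$1; file=$2; tries=${3:-30}
    while [ "$tries" -gt 0 ]; do
        if [ "$(encryption_state "$attr" "$file")" = "Success" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 10
    done
    return 1
}

# cleartext_probe HOST BINDDN PASSWORD BASE ATTR: read ATTR over plain LDAP
# (no TLS). Once the policy is applied with "Require Secure" set, the server
# must not hand the attribute back on this channel; if it does, limber has not
# finished (Scenario 1). Uses OpenLDAP ldapsearch (assumed installed).
cleartext_probe() {
    host=$1; binddn=$2; pw=$3; base=$4; attr=$5
    if ldapsearch -x -H "ldap://$host:389" -D "$binddn" -w "$pw" \
            -b "$base" "($attr=*)" "$attr" | grep -q "^$attr:"; then
        echo "$attr is still returned over clear-text LDAP" >&2
        return 1
    fi
    return 0
}

# Typical use after editing the policy (paths and DNs are placeholders):
#   force_limber
#   wait_for_success assistant /var/opt/novell/eDirectory/log/ndstrace.log
#   cleartext_probe ldap.example.com 'cn=admin,o=novell' "$PW" o=novell assistant
```

The awk parser keys on the literal layout of the "Encryption: <attr> - <id>, Scheme: <scheme> State: <state>" line shown in the trace, so it reports the most recent state for that attribute even when an InProgress pass and a later Success pass are both in the same capture.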