Managing the default LDAP password policy for API management

The Apigee system uses OpenLDAP to authenticate users in your API management environment. The LDAP password policy functionality described here is provided by OpenLDAP.

This section describes how to configure the default LDAP password policy that ships with Edge. Use this password policy to configure various password authentication options, such as the number of consecutive failed login attempts after which a password can no longer be used to authenticate a user to the directory.

This section also describes how to use a couple of APIs to unlock user accounts that have been locked according to attributes configured in the default password policy.

For additional information, see:

Configuring the Default LDAP Password Policy

To configure the default LDAP password policy:

  1. Connect to your LDAP server using an LDAP client, such as Apache Directory Studio or ldapmodify. By default, the OpenLDAP server listens on port 10389 on the OpenLDAP node.

    To connect, specify the bind DN (user) cn=manager,dc=apigee,dc=com and the OpenLDAP password that you set at the time of Edge installation.

  2. Use the client to navigate to the password policy attributes for:
    • Edge users: cn=default,ou=pwpolicies,dc=apigee,dc=com
    • Edge sysadmin: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
  3. Edit the password policy attribute values as desired.
  4. Save the configuration.

Default LDAP Password Policy Attributes

Attribute: pwdExpireWarning
Description: The maximum number of seconds before a password is due to expire during which expiration warning messages are returned to a user who is authenticating to the directory.
Default: 604800 (equivalent to 7 days)

Attribute: pwdFailureCountInterval
Description: Number of seconds after which old consecutive failed bind attempts are purged from the failure counter. In other words, this is the number of seconds after which the count of consecutive failed login attempts is reset. If pwdFailureCountInterval is set to 0, only a successful authentication can reset the counter. If pwdFailureCountInterval is set to a value greater than 0, the attribute defines a duration after which the count of consecutive failed login attempts is automatically reset, even if no successful authentication has occurred. We suggest that this attribute be set to the same value as the pwdLockoutDuration attribute.
Default: 300

Attribute: pwdInHistory
Description: Maximum number of used, or past, passwords for a user that are stored in the pwdHistory attribute. When changing their password, the user is blocked from changing it to any of these past passwords.
Default: 3

Attribute: pwdLockout
Description: If TRUE, specifies to lock out a user when their password expires so that the user can no longer log in.
Default: FALSE

Attribute: pwdLockoutDuration
Description: Number of seconds during which a password cannot be used to authenticate the user due to too many consecutive failed login attempts. In other words, this is the length of time during which a user account remains locked after exceeding the number of consecutive failed login attempts set by the pwdMaxFailure attribute. If pwdLockoutDuration is set to 0, the user account remains locked until a system administrator unlocks it (see Unlocking a user account). If pwdLockoutDuration is set to a value greater than 0, the attribute defines a duration for which the user account remains locked; when this time period has elapsed, the user account is automatically unlocked. We suggest that this attribute be set to the same value as the pwdFailureCountInterval attribute.
Default: 300

Attribute: pwdMaxAge
Description: Number of seconds after which a user (non-sysadmin) password expires. A value of 0 means passwords do not expire. The default value of 2592000 corresponds to 30 days from the time the password was created.
Default: user: 2592000; sysadmin: 0

Attribute: pwdMaxFailure
Description: Number of consecutive failed login attempts after which a password may not be used to authenticate a user to the directory.
Default: 3

Attribute: pwdMinLength
Description: Specifies the minimum number of characters required when setting a password.
Default: 8
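As an added example (not part of the original documentation or of Apigee's own tooling), the following script parses a password policy entry in the LDIF form that ldapsearch returns and flags settings that are weaker than, or inconsistent with, the defaults and recommendations in the table above (for instance pwdFailureCountInterval not matching pwdLockoutDuration). The LDIF sample is constructed for illustration; the attribute names are the ones from the table.

```python
# Constructed sample: roughly what an ldapsearch of the default policy entry
# returns, here after someone has weakened several settings.
SAMPLE_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
objectClass: pwdPolicy
cn: default
pwdExpireWarning: 604800
pwdFailureCountInterval: 0
pwdInHistory: 3
pwdLockout: FALSE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 10
pwdMinLength: 6
"""

def parse_ldif_entry(text):
    """Parse a single LDIF entry into a dict of attribute -> value.
    Handles RFC 2849 folded lines (continuation lines start with a space)."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]          # folded continuation of previous value
            continue
        name, _, value = raw.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def audit_policy(attrs, is_sysadmin=False):
    """Return findings where the policy is weaker than, or inconsistent with,
    the defaults and recommendations in the table above; [] when it is fine."""
    num = lambda key: int(attrs.get(key, "0"))   # missing attribute counts as 0
    findings = []
    if num("pwdFailureCountInterval") != num("pwdLockoutDuration"):
        findings.append("pwdFailureCountInterval should equal pwdLockoutDuration")
    if num("pwdLockoutDuration") == 0:
        findings.append("pwdLockoutDuration=0: locked accounts need a manual unlock")
    if num("pwdMaxFailure") > 3:
        findings.append("pwdMaxFailure above the default of 3")
    if num("pwdMinLength") < 8:
        findings.append("pwdMinLength below the default of 8")
    if num("pwdInHistory") < 3:
        findings.append("pwdInHistory below the default of 3")
    if num("pwdMaxAge") == 0 and not is_sysadmin:
        findings.append("pwdMaxAge=0: non-sysadmin passwords never expire")
    return findings
```

Run it against the real entry by feeding `audit_policy(parse_ldif_entry(output))` the text of an ldapsearch on the policy DN; pass `is_sysadmin=True` for the cn=sysadmin policy, where pwdMaxAge 0 is the documented default.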

Unlocking a User Account

A user's account may be locked due to attributes set in the password policy. A user with the sysadmin Apigee role assigned can use the following management API call to unlock the user's account. Replace userEmail, adminEmail, and password with actual values, and replace the <management-server> placeholder with the host of your Edge Management Server.

To unlock a user:

    curl -X POST -u adminEmail:password "http://<management-server>/v1/users/userEmail/status?action=unlock"