Apigee Edge uses OpenLDAP to authenticate users in your API management environment, and the LDAP password policy functionality described here is provided by OpenLDAP's password policy (ppolicy) overlay.
This section describes how to configure the delivered default LDAP password policy. Use this policy to set password authentication options such as the number of consecutive failed login attempts after which a password can no longer be used to authenticate a user to the directory.
It also describes the management API call that unlocks a user account that has been locked according to the attributes configured in the default password policy.
Configuring the Default LDAP Password Policy
To configure the default LDAP password policy:
- Connect to your LDAP server using an LDAP client such as Apache Directory Studio or ldapmodify. By default the OpenLDAP server listens on port 10389 on the OpenLDAP node. To connect, bind as cn=manager,dc=apigee,dc=com with the OpenLDAP password that you set at the time of Edge installation.
- Use the client to navigate to the password policy entry for:
  - Edge users: cn=default,ou=pwpolicies,dc=apigee,dc=com
  - Edge sysadmin: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
- Edit the password policy attribute values as desired. The attributes are described in the table below.
- Save the configuration.
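The steps above, as an added example that is not Apigee's own tooling: a Python script that renders the policy changes as an LDIF modify record for ldapmodify and cross-checks the values first (a pwdMaxFailure threshold only locks accounts when pwdLockout is TRUE, and the two interval attributes should agree). The two policy DNs and the attribute names are the ones on this page; the values in USER_POLICY and SYSADMIN_POLICY are illustrative choices, and the ldapmodify invocation in the comment assumes the default port 10389 and the manager bind DN from the steps above.

```python
"""Render password-policy changes as LDIF for ldapmodify, after cross-checking them.

Added example, not Apigee's tooling. Uses the two policy DNs from the page; the
attribute values in USER_POLICY / SYSADMIN_POLICY are illustrative choices.
"""
POLICY_DNS = {
    "users": "cn=default,ou=pwpolicies,dc=apigee,dc=com",
    "sysadmin": "cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com",
}
INT_ATTRS = ("pwdExpireWarning", "pwdFailureCountInterval", "pwdInHistory",
             "pwdLockoutDuration", "pwdMaxAge", "pwdMaxFailure", "pwdMinLength")
BOOL_ATTRS = ("pwdLockout",)

USER_POLICY = {
    "pwdLockout": "TRUE",            # without TRUE, pwdMaxFailure never locks anyone
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 900,  # kept equal to pwdLockoutDuration, as the table suggests
    "pwdLockoutDuration": 900,
    "pwdInHistory": 5,
    "pwdMinLength": 12,
    "pwdMaxAge": 7776000,            # 90 days
    "pwdExpireWarning": 1209600,     # 14 days
}
# Sysadmin policy: the same, except passwords do not expire (the page's sysadmin default).
SYSADMIN_POLICY = dict(USER_POLICY, pwdMaxAge=0)


def validate_policy(policy: dict) -> list[str]:
    """Return a list of problems; an empty list means the policy is internally consistent."""
    problems = []
    for name, value in policy.items():
        if name in INT_ATTRS:
            if not isinstance(value, int) or value < 0:
                problems.append(f"{name} must be a non-negative integer, got {value!r}")
        elif name in BOOL_ATTRS:
            if value not in ("TRUE", "FALSE"):  # LDAP Boolean syntax
                problems.append(f"{name} must be TRUE or FALSE, got {value!r}")
        else:
            problems.append(f"{name} is not one of the attributes this script manages")
    max_failure = policy.get("pwdMaxFailure", 0)
    if isinstance(max_failure, int) and max_failure > 0 and policy.get("pwdLockout") != "TRUE":
        problems.append("pwdMaxFailure is set but pwdLockout is not TRUE, so no lockout will occur")
    fci, ld = policy.get("pwdFailureCountInterval"), policy.get("pwdLockoutDuration")
    if fci is not None and ld is not None and fci != ld:
        problems.append("pwdFailureCountInterval and pwdLockoutDuration differ")
    min_len = policy.get("pwdMinLength", 8)
    if isinstance(min_len, int) and min_len < 8:
        problems.append("pwdMinLength is below the delivered default of 8")
    return problems


def to_ldif(dn: str, policy: dict) -> str:
    """One 'changetype: modify' record with a 'replace' per attribute (LDIF, RFC 2849)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in policy.items():
        lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


def build_ldif(policies: dict) -> str:
    """Validate every policy, then emit the records separated by blank lines."""
    records = []
    for key, policy in policies.items():
        problems = validate_policy(policy)
        if problems:
            raise ValueError(f"{key}: " + "; ".join(problems))
        records.append(to_ldif(POLICY_DNS[key], policy))
    return "\n".join(records)


if __name__ == "__main__":
    # Pipe the output into:
    #   ldapmodify -x -H ldap://<openldap-node>:10389 -D cn=manager,dc=apigee,dc=com -W
    print(build_ldif({"users": USER_POLICY, "sysadmin": SYSADMIN_POLICY}), end="")
```

Because each attribute is written with replace, running the script twice is harmless; a failed validation raises before any LDIF is emitted, so nothing half-applied reaches the directory.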
Default LDAP Password Policy Attributes

| Attribute | Description | Default |
|---|---|---|
| pwdExpireWarning | Maximum number of seconds before a password is due to expire during which expiration warning messages are returned to a user who is authenticating to the directory. | 604800 (equivalent to 7 days) |
| pwdFailureCountInterval | Number of seconds after which old consecutive failed bind attempts are purged from the failure counter. In other words, this is the number of seconds after which the count of consecutive failed login attempts is reset. If set to 0, the counter is reset only by a successful bind; if greater than 0, failures older than this interval no longer count toward pwdMaxFailure. We suggest that this attribute be set to the same value as pwdLockoutDuration. | 300 |
| pwdInHistory | Maximum number of used, or past, passwords for a user that are stored in the user's pwdHistory operational attribute. When changing her password, the user is blocked from changing it to any of these past passwords. | 3 |
| pwdLockout | If TRUE, a password can no longer be used to authenticate after pwdMaxFailure consecutive failed bind attempts; the lock lasts for pwdLockoutDuration seconds. With the default FALSE, failed attempts are still recorded but never lock the account, so pwdMaxFailure and pwdLockoutDuration have no effect. | False |
| pwdLockoutDuration | Number of seconds during which a password cannot be used to authenticate the user due to too many consecutive failed login attempts. In other words, this is the length of time a user account remains locked after exceeding the number of consecutive failed login attempts set by pwdMaxFailure. If set to 0, the account remains locked until an administrator unlocks it; if greater than 0, the lock expires automatically after that many seconds. We suggest that this attribute be set to the same value as pwdFailureCountInterval. | 300 |
| pwdMaxAge | Number of seconds after which a user (non-sysadmin) password expires. A value of 0 means passwords do not expire. The default value of 2592000 corresponds to 30 days from the time the password was created. | user: 2592000, sysadmin: 0 |
| pwdMaxFailure | Number of consecutive failed login attempts after which a password may not be used to authenticate a user to the directory (enforced only when pwdLockout is TRUE). | 3 |
| pwdMinLength | Minimum number of characters required when setting a password. | 8 |
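How the table's attributes combine at bind time is easier to see on a concrete entry. The following is an added example, not Apigee's or OpenLDAP's code: it parses ldapsearch-style output for one user and applies the lockout and expiry rules at a fixed clock. The policy values are the table defaults except pwdLockout, which is TRUE so that the failure threshold actually locks; the user DN and the attribute values are constructed for the example. pwdChangedTime, pwdFailureTime and pwdAccountLockedTime are the operational attributes the OpenLDAP ppolicy overlay maintains on each entry.

```python
"""Work out an account's lockout and expiry state from its OpenLDAP ppolicy
operational attributes, under the policy values from the table.

Added example; not Apigee's or OpenLDAP's code. The policy values, the user DN
and the ldapsearch-style output below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Table defaults for the Edge user policy, except pwdLockout, which is TRUE here
# because the failure threshold only locks an account when pwdLockout is TRUE.
POLICY = {
    "pwdLockout": "TRUE",
    "pwdMaxFailure": 3,
    "pwdFailureCountInterval": 300,
    "pwdLockoutDuration": 300,
    "pwdMaxAge": 2592000,
    "pwdExpireWarning": 604800,
}

# Constructed output of an ldapsearch for the entry's operational attributes ("+").
SAMPLE_ENTRY = """\
dn: uid=alice@example.com,ou=users,ou=global,dc=apigee,dc=com
pwdChangedTime: 20240201090000Z
pwdFailureTime: 20240301100000.000001Z
pwdFailureTime: 20240301100030.000002Z
pwdFailureTime: 20240301100045.000003Z
pwdAccountLockedTime: 20240301100045Z
"""

# Fixed clock so the example is reproducible.
NOW = datetime(2024, 3, 1, 10, 2, 0, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime, YYYYMMDDHHMMSS[.fraction]Z, to an aware UTC datetime."""
    base, _, fraction = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if fraction:
        parsed += timedelta(microseconds=int(fraction.ljust(6, "0")[:6]))
    return parsed


def parse_entry(text: str) -> dict[str, list[str]]:
    """Collect attribute values from LDIF-style ldapsearch output (multi-valued aware)."""
    attrs: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("dn:"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def evaluate(attrs: dict, policy: dict, now: datetime) -> dict:
    """Apply the policy's lockout and expiry rules to one entry at time `now`."""
    failures = [parse_generalized_time(v) for v in attrs.get("pwdFailureTime", [])]
    interval = policy["pwdFailureCountInterval"]
    if interval > 0:  # 0 means the counter only clears on a successful bind
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]

    locked, unlock_at = False, None
    if attrs.get("pwdAccountLockedTime"):
        locked_at = parse_generalized_time(attrs["pwdAccountLockedTime"][0])
        if policy["pwdLockoutDuration"] == 0:
            locked = True  # stays locked until an administrator unlocks it
        else:
            unlock_at = locked_at + timedelta(seconds=policy["pwdLockoutDuration"])
            locked = now < unlock_at

    # Do the failures still inside the interval reach the threshold? Only if pwdLockout is TRUE.
    at_threshold = (policy["pwdLockout"] == "TRUE"
                    and 0 < policy["pwdMaxFailure"] <= len(failures))

    expired = warning = False
    if policy["pwdMaxAge"] > 0 and attrs.get("pwdChangedTime"):  # 0 means never expires
        expires_at = (parse_generalized_time(attrs["pwdChangedTime"][0])
                      + timedelta(seconds=policy["pwdMaxAge"]))
        expired = now >= expires_at
        warning = not expired and now >= expires_at - timedelta(seconds=policy["pwdExpireWarning"])

    return {"recent_failures": len(failures), "locked": locked,
            "unlock_at": unlock_at.isoformat() if unlock_at else None,
            "at_threshold": at_threshold, "expired": expired, "expiry_warning": warning}


def evaluate_text(text: str, policy: dict = POLICY, now=NOW) -> dict:
    """Convenience wrapper; `now` may also be given as a GeneralizedTime string."""
    if isinstance(now, str):
        now = parse_generalized_time(now)
    return evaluate(parse_entry(text), policy, now)


if __name__ == "__main__":
    for key, value in evaluate_text(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

At the sample clock the three failures all fall inside the 300-second pwdFailureCountInterval, so the account is locked until 10:05:45; 400 seconds later the same entry reports no recent failures and no lock, which is the behaviour the two equal intervals are meant to give. With pwdLockoutDuration set to 0 the lock never expires on its own.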
Unlocking a User Account
A user's account may be locked because of the attributes set in the password policy. A user assigned the Apigee sysadmin role can unlock the account with the following management API call. Replace ms_IP, userEmail, adminEmail and password with actual values; ms_IP is the Management Server host, which listens on port 8080 by default, and the locked user's email address goes in the request path.
To unlock a user:
```shell
curl -X POST "http://ms_IP:8080/v1/users/userEmail/status?action=unlock" -u adminEmail:password
```