OpenLDAP Maintenance Tasks

Edge for Private Cloud v. 4.16.09

OpenLDAP log files are contained in the directory /opt/apigee/var/log. These files can be periodically archived and removed in order to ensure that they do not take up excessive disk space. Information on maintaining, archiving and removing OpenLDAP logs can be found in Section 19.2 of the OpenLDAP manual at http://www.openldap.org/doc/admin24/maintenance.html.

Users can request a new Edge password in the Edge UI. The user then receives an email with information about setting a password. However, if your SMTP server is down, or the user cannot receive an email for any reason, you can manually set the user's password by using OpenLDAP commands.

To set a user's password:

  1. Use ldapsearch to download user information:
    > ldapsearch -w ldapAdminPWord -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389 > ldap.txt
  2. Search the ldap.txt file for the user's email address. You should see a block in the form:
    dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com
    mail: foo@bar.com
    userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==
    uid: 29383a67-9279-4aa8-a75b-cfbf901578fc
  3. Use ldappasswd to set the user's password based on the user's uid:
    > ldappasswd -h LDAP_IP -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord "uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com"

    You are prompted for the OpenLDAP admin password.

The user can now log in by using newPassWord.
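Steps 1 and 2 above mean scanning ldap.txt by hand for the right dn. The following is an added example, not part of the Apigee documentation: a minimal LDIF reader that handles what ldapsearch -LLL output actually contains (blank-line-separated entries, continuation lines that begin with a space, and attr:: values that are base64-encoded), and uses it to look up the dn for a mail address. The sample LDIF is constructed; its first record reuses the values shown above, the second is made up. The function names are this example's own.

```python
"""Find a user's DN in `ldapsearch -LLL` output without hand-searching the file.

Added example (not Apigee's code): a small LDIF reader covering entries separated
by blank lines, continuation lines (leading space) and `attr:: base64` values.
"""
import base64

# Constructed sample LDIF. The first record reuses the values shown in the page;
# the second is made up, and its userPassword is wrapped onto a continuation line
# the way ldapsearch wraps values longer than 76 columns.
SAMPLE_LDIF = """\
dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com
mail: foo@bar.com
userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==
uid: 29383a67-9279-4aa8-a75b-cfbf901578fc

dn: uid=0000aaaa-1111-2222-3333-444455556666,ou=users,ou=global,dc=apigee,dc=com
mail: alice@example.com
userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9P
 Q==
uid: 0000aaaa-1111-2222-3333-444455556666
"""


def _unwrap(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps an attribute name to a list of string values."""
    entries, current = [], {}
    for line in _unwrap(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            # `attr:: value` means the value is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):
            # `attr:< url` references external content; keep the reference as-is
            value = rest
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def find_dn_by_mail(entries, mail):
    """Return the dn of the entry whose mail attribute matches (case-insensitive), or None."""
    wanted = mail.lower()
    for entry in entries:
        if any(v.lower() == wanted for v in entry.get("mail", [])):
            return entry["dn"][0]
    return None


def password_scheme(entry):
    """Return the {SCHEME} prefix of the stored userPassword, without exposing the hash itself."""
    for value in entry.get("userPassword", []):
        if value.startswith("{") and "}" in value:
            return value[: value.index("}") + 1]
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("dn to pass to ldappasswd:", find_dn_by_mail(entries, "foo@bar.com"))
    print("stored password scheme:", password_scheme(entries[0]))
```

The dn returned by find_dn_by_mail is the value to quote as the last argument of ldappasswd in step 3. Decoding the userPassword value only to read its scheme prefix is a quick way to confirm the directory stores salted hashes rather than cleartext, without copying the hash anywhere.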

Manually set OpenLDAP system password

Resetting Edge Passwords describes how to change the OpenLDAP system password but requires that you know the existing password. If you have lost that password, you can use the following procedure to reset it.

  1. Use slappasswd to create the SSHA encrypted password for a new password:
    > slappasswd -h {SSHA} -s newPassWord

    This command returns a string in the form:
    {SSHA}+DOup9d6l+czfWzkIvajwYPArjPurhS6
  2. Open the /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file in an editor:
    > vi /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
  3. Find the line in the form:
    olcRootPW:: OldPasswordString
  4. Replace OldPasswordString with the string returned from slappasswd. If there are two colons after olcRootPW, remove one and ensure there is a space after the colon. (In LDIF, a double colon means the value that follows is base64-encoded; the {SSHA} string returned by slappasswd is plain text and must follow a single colon.)
    olcRootPW: {SSHA}RGon+bLCe+Sk+HyHholFBj8ONQfabrhw
  5. Restart OpenLDAP:
    > /opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
  6. Use ldapsearch to check that your new password works:
    > ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389

    You are prompted for the OpenLDAP admin password.
  7. Repeat these steps on any other OpenLDAP servers that are being used for replication.
  8. Update the Management Server to use the new password:
    > /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p newPassWord
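Steps 1 through 4 above rely on two details worth seeing in code: what the {SSHA} string produced by slappasswd actually contains, and why olcRootPW takes a single colon once the value is plain text. The following is an added example, not Apigee's or OpenLDAP's code: it reproduces the {SSHA} construction (base64 of SHA-1(password + salt) followed by the salt, with a 4-byte salt as slappasswd uses by default), verifies a password against such a value, and rewrites the olcRootPW attribute in an olcDatabase LDIF using the correct colon form, whichever form the file currently uses. The sample configuration text and all function names are constructed for this example.

```python
"""Produce and check {SSHA} values and rewrite olcRootPW in an olcDatabase LDIF.

Added example (not Apigee's or OpenLDAP's code). {SSHA} is the scheme written by
`slappasswd -h {SSHA}`: base64( SHA-1(password + salt) || salt ).
"""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an {SSHA} string for password; slappasswd uses a 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, and not starting with space, ':' or '<'."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(ord(c) < 0x80 and c not in "\x00\r\n" for c in value)


def ldif_attribute_line(name: str, value: str) -> str:
    """Emit `name: value`, or `name:: base64` when LDIF requires the value to be encoded."""
    if _is_safe_string(value):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


# Matches the olcRootPW attribute in either colon form, including any continuation lines.
_ROOT_PW_RE = re.compile(r"^olcRootPW::? [^\n]*(?:\n [^\n]*)*", re.MULTILINE)


def replace_root_pw(config_text: str, new_hash: str) -> str:
    """Replace the single olcRootPW attribute in config_text with new_hash in the right colon form."""
    new_line = ldif_attribute_line("olcRootPW", new_hash)
    text, count = _ROOT_PW_RE.subn(lambda _m: new_line, config_text)
    if count != 1:
        raise ValueError(f"expected exactly one olcRootPW line, found {count}")
    return text


# Constructed fragment of an olcDatabase={2}bdb.ldif whose root password is stored
# base64-encoded (the "two colons" case described in step 4).
_OLD_HASH = ssha_hash("oldPassWord", b"\x0a\x0b\x0c\x0d")
SAMPLE_CONFIG = (
    "dn: olcDatabase={2}bdb\n"
    "objectClass: olcDatabaseConfig\n"
    "olcSuffix: dc=apigee,dc=com\n"
    "olcRootDN: cn=manager,dc=apigee,dc=com\n"
    "olcRootPW:: " + base64.b64encode(_OLD_HASH.encode("ascii")).decode("ascii") + "\n"
)


if __name__ == "__main__":
    new_hash = ssha_hash("newPassWord")
    print("slappasswd-style value:", new_hash)
    print("verifies:", ssha_verify("newPassWord", new_hash))
    print(replace_root_pw(SAMPLE_CONFIG, new_hash))
```

Because the {SSHA} string consists only of printable ASCII and does not begin with a space, colon or '<', ldif_attribute_line writes it after a single colon, which is exactly the adjustment step 4 asks for. ssha_verify is also a convenient way to confirm, from each replica's configuration file, that the same cleartext password is in use everywhere even though every server's salted hash differs.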

Manually set Edge admin password

Resetting Edge Passwords describes how to change the Edge system password but requires that you know the existing password. If you have lost the Edge system password, you can use the following procedure to reset it.

  1. On the UI node, stop the Edge UI:
    > /opt/apigee/apigee-service/bin/apigee-service edge-ui stop
  2. Use ldappasswd to set the Edge sys admin password:
    > ldappasswd -h localhost -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord "uid=admin,ou=users,ou=global,dc=apigee,dc=com"

    You are prompted for the OpenLDAP admin password.
  3. Update the config file that you used to install the Edge UI with the new Edge system password:
    APIGEE_ADMINPW=newPassWord
  4. Configure and restart the Edge UI:
    > /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
  5. (Only if TLS is enabled on the UI) Re-enable TLS on the Edge UI as described in Configuring TLS for the management UI.

Delete SLAPD lock file

If OpenLDAP fails to start with an error stating that the slapd.pid lock file already exists, you can delete the file.

The file is located in /opt/apigee/apigee-openldap/var/run/slapd.pid. Delete the file and try to restart OpenLDAP:

> /opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart

If OpenLDAP does not start, try starting it in debug mode and check for errors:

> slapd -h ldap://:10389/ -u apigee -F /opt/apigee/apigee-openldap/var/run -d 255

Errors may point to resource issues, memory, or CPU utilization issues.

Troubleshooting OpenLDAP replication problems

If your installation uses multiple OpenLDAP servers, you can check the replication settings to ensure that the servers are functioning properly.

  1. Ensure that ldapsearch returns data from each OpenLDAP server:
    > ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389

    You are prompted for the OpenLDAP admin password.
  2. Check the replication configuration by examining the /opt/apigee/conf/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file.
  3. Make sure the system password is the same on each OpenLDAP server.
  4. Check iptables and tcp wrapper settings.