Edge for Private Cloud v4.18.01
Log file location
OpenLDAP log files are contained in the directory /opt/apigee/var/log. These files can be periodically archived and removed in order to ensure that they do not take up excessive disk space. Information on maintaining, archiving and removing OpenLDAP logs can be found in Section 19.2 of the OpenLDAP manual at http://www.openldap.org/doc/admin24/maintenance.html.
Manually set a user's password
Users can request a new Edge password in the Edge UI. The user then receives an email with information about setting a password. However, if your SMTP server is down, or the user cannot receive an email for any reason, you can manually set the user's password by using OpenLDAP commands.
To set a user's password:
- Use ldapsearch to download user information:
> ldapsearch -w ldapAdminPWord -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389 > ldap.txt
- Search the ldap.txt file for the user's email address. You should see a block in the form:
dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com
mail: foo@bar.com
userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==
uid: 29383a67-9279-4aa8-a75b-cfbf901578fc
- Use ldappasswd to set the user's password based on the user's uid:
> ldappasswd -h LDAP_IP -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord "uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com"
You are prompted for the OpenLDAP admin password.
The user can now log in by using newPassWord.
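The search-and-set steps above as a script, added here as an example and not Apigee's own tooling. find_user_dn and set_user_password are hypothetical helper names; it assumes a POSIX shell with awk and base64, uses ldappasswd -S (prompt for the new password) in place of -s, and the ldap.txt-style dump it reads is constructed inline.

```shell
#!/bin/sh
# Added example, not Apigee's own tooling: find an Edge user's DN in the
# ldap.txt dump produced by "ldapsearch -LLL" above, then set the password.
# LDIF separates entries with blank lines, and an attribute written as
# "attr:: value" is base64-encoded (as userPassword is in the dump); a mail
# address with non-ASCII bytes is written that way too, so both forms are handled.
set -eu

# find_user_dn FILE MAIL: print the dn of the entry whose mail equals MAIL.
# Returns 1 and prints nothing when no entry matches.
find_user_dn() {
    awk -v want="$2" '
        BEGIN { RS = ""; FS = "\n" }             # one LDIF entry per record
        {
            dn = ""; mail = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dn: /)   dn = substr($i, 5)
                if ($i ~ /^mail: /) mail = substr($i, 7)
                if ($i ~ /^mail:: /) {           # base64 form: decode it
                    v = substr($i, 8)            # only shell out for pure base64
                    if (v ~ "^[A-Za-z0-9+/=]+$") {
                        cmd = "printf %s " v " | base64 -d"
                        cmd | getline mail; close(cmd)
                    }
                }
            }
            if (dn != "" && mail == want) { print dn; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# set_user_password DN [LDAP_HOST]: -S prompts for the new password instead of
# passing it with -s, keeping it out of shell history and "ps" output; -W
# prompts for the OpenLDAP admin password, as in the procedure above.
set_user_password() {
    ldappasswd -h "${2:-localhost}" -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -S "$1"
}

# Constructed sample dump in the shape of ldap.txt (second entry is made up).
SAMPLE_DUMP=$(mktemp)
{
    printf 'dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com\n'
    printf 'mail: foo@bar.com\n'
    printf 'userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==\n'
    printf 'uid: 29383a67-9279-4aa8-a75b-cfbf901578fc\n\n'
    printf 'dn: uid=00000000-0000-4000-8000-000000000002,ou=users,ou=global,dc=apigee,dc=com\n'
    printf 'mail:: %s\n' "$(printf '%s' 'jane@example.com' | base64)"
    printf 'uid: 00000000-0000-4000-8000-000000000002\n'
} > "$SAMPLE_DUMP"
```

A typical call is `set_user_password "$(find_user_dn ldap.txt foo@bar.com)" LDAP_IP`, which prompts first for the admin password and then for the new user password.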
Manually set OpenLDAP system password
Resetting Edge Passwords describes how to change the OpenLDAP system password but requires that you know the existing password. If you have lost that password, you can use the following procedure to reset it.
- Use slappasswd to create the SSHA encrypted password for a new password:
> slappasswd -h {SSHA} -s newPassWord
This command returns a string in the form:
{SSHA}+DOup9d6l+czfWzkIvajwYPArjPurhS6
- Open the /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file in an editor:
> vi /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
- Find the line in the form:
olcRootPW:: OldPasswordString
- Replace OldPasswordString with the string returned from slappasswd. If there are 2 colons after olcRootPW, remove one and ensure there is a space after the colon:
olcRootPW: {SSHA}RGon+bLCe+Sk+HyHholFBj8ONQfabrhw
- Restart OpenLDAP:
> /opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
- Check using ldapsearch if your new password works:
> ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389
You are prompted for the OpenLDAP admin password.
- Repeat these steps on any other OpenLDAP servers that are being used for replication.
- Update the Management Server to use the new password:
> /opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p newPassWord
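The olcRootPW edit in the procedure above, done by script rather than by hand, added here as an example and not Apigee's own tooling. get_olc_rootpw and set_olc_rootpw are hypothetical helper names; it assumes a POSIX shell with grep, sed and base64, and the olcDatabase={2}bdb.ldif fragment it operates on is constructed inline using the two hashes shown above.

```shell
#!/bin/sh
# Added example, not Apigee's own tooling: read and replace the olcRootPW
# value in an olcDatabase={2}bdb.ldif file. slapd writes the stored hash
# as "olcRootPW:: <base64>"; the replacement is written in the single-colon
# form the procedure above asks for, and the original file is kept as .bak.
set -eu

# get_olc_rootpw FILE: print the current olcRootPW value, decoding the
# base64 ("::") form so both spellings compare as the same hash string.
get_olc_rootpw() {
    line=$(grep '^olcRootPW:' "$1") || return 1
    case $line in
        'olcRootPW:: '*) printf '%s' "${line#olcRootPW:: }" | base64 -d; echo ;;
        'olcRootPW: '*)  printf '%s\n' "${line#olcRootPW: }" ;;
        *) return 1 ;;
    esac
}

# set_olc_rootpw FILE HASH: HASH is the "{SSHA}..." string from slappasswd.
# Refuses anything that is not an {SSHA} hash (slapd would accept a plaintext
# value but store it in the clear) and refuses a file that does not hold
# exactly one olcRootPW line.
set_olc_rootpw() {
    file=$1; hash=$2
    case $hash in
        '{SSHA}'*) ;;
        *) echo "refusing: not an {SSHA} hash" >&2; return 1 ;;
    esac
    [ "$(grep -c '^olcRootPW:' "$file")" = 1 ] ||
        { echo "refusing: expected exactly one olcRootPW line in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    # "|" is a safe sed delimiter: base64 only uses [A-Za-z0-9+/=].
    # "::*" matches one or two colons, so the result always has exactly one.
    sed "s|^olcRootPW::* .*|olcRootPW: $hash|" "$file.bak" > "$file"
}

# Constructed sample in the shape of the file (hashes are the ones shown above).
SAMPLE_LDIF=$(mktemp)
printf 'dn: olcDatabase={2}bdb\nolcRootDN: cn=manager,dc=apigee,dc=com\nolcRootPW:: %s\n' \
    "$(printf '%s' '{SSHA}+DOup9d6l+czfWzkIvajwYPArjPurhS6' | base64)" > "$SAMPLE_LDIF"
```

Run `set_olc_rootpw /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif "$(slappasswd -h '{SSHA}')"` on each replica (slappasswd with no -s prompts for the password), then restart OpenLDAP as the procedure describes.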
Manually set Edge admin password
Resetting Edge Passwords describes how to change the Edge system password but requires that you know the existing password. If you have lost the Edge system password, you can use the following procedure to reset it.
- On the UI node, stop the Edge UI:
> /opt/apigee/apigee-service/bin/apigee-service edge-ui stop
- Use ldappasswd to set the Edge sys admin password:
> ldappasswd -h localhost -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord "uid=admin,ou=users,ou=global,dc=apigee,dc=com"
You are prompted for the OpenLDAP admin password.
- Update the config file that you used to install the Edge UI with the new Edge system password:
APIGEE_ADMINPW=newPassWord
- Configure and restart the Edge UI:
> /opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
- (Only if TLS is enabled on the UI) Re-enable TLS on the Edge UI as described in Configuring TLS for the management UI.
Delete SLAPD lock file
If OpenLDAP fails to start with an error saying that the slapd.pid lock file already exists, you can delete the file.
The file is located at /opt/apigee/apigee-openldap/var/run/slapd.pid. Delete the file and try to restart OpenLDAP:
> /opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
If OpenLDAP does not start, try starting it in debug mode and check for errors:
> slapd -h ldap://:10389/ -u apigee -F /opt/apigee/apigee-openldap/var/run -d 255
Errors may point to resource issues, memory, or CPU utilization issues.
Troubleshooting OpenLDAP replication problems
If your installation uses multiple OpenLDAP servers, you can check the replication settings to ensure that the servers are functioning properly.
- Ensure that ldapsearch returns data from each OpenLDAP server:
> ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389
You are prompted for the OpenLDAP admin password.
- Check the replication configuration by examining the /opt/apigee/conf/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file.
- Make sure the system password is the same on each OpenLDAP server.
- Check iptables and tcp wrapper settings.