Log file location
OpenLDAP log files are contained in the directory /opt/apigee/var/log. These files can be periodically archived and removed in order to ensure that they do not take up excessive disk space. Information on maintaining, archiving and removing OpenLDAP logs can be found in Section 19.2 of the OpenLDAP manual at http://www.openldap.org/doc/admin24/maintenance.html.
Manually set a user's password
Users can request a new Edge password in the Edge UI. The user then receives an email with information about setting a password. However, if your SMTP server is down, or the user cannot receive an email for any reason, you can manually set the user's password by using OpenLDAP commands.
To set a user's password:
- Use ldapsearch to download user information:
ldapsearch -w ldapAdminPWord -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389 > ldap.txt
- Search the ldap.txt file for the user's email address. You should see a block in the form:
dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com
mail: foo@bar.com
userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==
uid: 29383a67-9279-4aa8-a75b-cfbf901578fc
- Use ldappasswd to set the user's password based on the user's uid:
ldappasswd -h LDAP_IP -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord \
  "uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com"
You are prompted for the OpenLDAP admin password.
The user can now log in by using newPassWord.
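The lookup-then-reset sequence above, written as shell functions. This is an added example and not part of the Apigee documentation or the OpenLDAP tools: find_user_dn parses ldapsearch -LLL output (unfolding LDIF continuation lines and matching the mail attribute case-insensitively), ldap_filter_escape keeps characters in the email from changing the search filter, and set_user_password binds with the admin password from a file and passes the new password through a file, so neither value shows up in the process list. The -x, -y and -T options of the OpenLDAP client tools are real but are not used on the page; the ADMIN_PW_FILE variable, the function names and the second sample entry are this example's own assumptions.

```shell
#!/bin/sh
# Added example: look a user up by email and reset the password for that dn.
# Assumes the OpenLDAP command-line tools (ldapsearch, ldappasswd) and the page's
# manager dn. ADMIN_PW_FILE is an assumed variable naming a mode-0600 file that
# holds the OpenLDAP admin password.
ADMIN_PW_FILE=${ADMIN_PW_FILE:-/root/.ldap_admin_pw}
LDAP_ADMIN_DN="cn=manager,dc=apigee,dc=com"
LDAP_USER_BASE="ou=users,ou=global,dc=apigee,dc=com"

# Constructed sample of ldapsearch -LLL output (not real directory data): the
# page's example entry plus a second entry whose mail value is folded onto a
# continuation line, as LDIF does with long lines.
sample_ldif() {
  cat <<'EOF'
dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com
mail: foo@bar.com
userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==
uid: 29383a67-9279-4aa8-a75b-cfbf901578fc

dn: uid=11111111-2222-3333-4444-555555555555,ou=users,ou=global,dc=apigee,dc=com
mail: someone.with.a.rather.long.address@example.
 com
uid: 11111111-2222-3333-4444-555555555555
EOF
}

# Escape a value for use inside an LDAP search filter (RFC 4515), so an email
# containing * ( ) or \ cannot change the meaning of the filter.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# find_user_dn EMAIL   (LDIF on stdin)
# Prints the dn of the entry whose mail attribute equals EMAIL; exit 1 if none.
find_user_dn() {
  awk -v want="$1" '
    BEGIN { RS = ""; FS = "\n" }        # paragraph mode: one LDIF entry per record
    {
      rec = $0
      gsub(/\n /, "", rec)              # unfold continuation lines
      n = split(rec, line, "\n")
      dn = ""; hit = 0
      for (i = 1; i <= n; i++) {
        if (index(line[i], "dn: ") == 1)
          dn = substr(line[i], 5)
        else if (index(line[i], "mail: ") == 1 && tolower(substr(line[i], 7)) == tolower(want))
          hit = 1
      }
      if (hit && dn != "") { print dn; found = 1; exit }
    }
    END { exit found ? 0 : 1 }
  '
}

# set_user_password LDAP_IP EMAIL NEW_PASSWORD_FILE
# Resolves the dn server-side with an escaped filter, then resets the password.
set_user_password() {
  ldap_ip=$1 email=$2 newpw_file=$3
  dn=$(ldapsearch -x -LLL -h "$ldap_ip" -p 10389 -D "$LDAP_ADMIN_DN" -y "$ADMIN_PW_FILE" \
         -b "$LDAP_USER_BASE" "(mail=$(ldap_filter_escape "$email"))" mail |
       find_user_dn "$email") || { echo "no user with mail=$email" >&2; return 1; }
  ldappasswd -x -h "$ldap_ip" -p 10389 -D "$LDAP_ADMIN_DN" -y "$ADMIN_PW_FILE" \
             -T "$newpw_file" "$dn"
}
```

Typical use is set_user_password LDAP_IP foo@bar.com /root/newpw.txt with the new password written to that file beforehand and removed afterwards. Reading both passwords from files rather than from -w and -s is the one deliberate departure from the page's commands: anything passed as an argument is visible to every local user through ps while the command runs.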
Manually set OpenLDAP system password
Resetting Edge passwords describes how to change the OpenLDAP system password but requires that you know the existing password. If you have lost that password, you can use the following procedure to reset it.
- Use slappasswd to create the salted SHA-1 ({SSHA}) hash of the new password:
slappasswd -h {SSHA} -s newPassWord
This command returns a string in the form:
{SSHA}+DOup9d6l+czfWzkIvajwYPArjPurhS6
- Open the /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file in an editor:
vi /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
- Find the line in the form:
olcRootPW:: OldPasswordString
- Replace OldPasswordString with the string returned from slappasswd. If there are two colons after olcRootPW, remove one and ensure there is a space after the colon (in LDIF a double colon marks a base64-encoded value, while a single colon introduces the value as-is):
olcRootPW: {SSHA}RGon+bLCe+Sk+HyHholFBj8ONQfabrhw
- Restart OpenLDAP:
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
- Check using ldapsearch that your new password works:
ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389
You are prompted for the OpenLDAP admin password.
- Repeat these steps on any other OpenLDAP servers that are being used for replication.
- Update the Management Server to use the new password:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p newPassWord
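The olcRootPW edit above is easy to get subtly wrong (a stray second colon, a pasted hash that belongs to a different password), and slappasswd uses a fresh random salt each run, so you cannot simply compare its output against what is in the file. The functions below are an added example, not code from the page or from OpenLDAP: rootpw_value reads the attribute off an LDIF line and decodes it when the double colon marks base64, make_ssha builds a {SSHA} string the same way slappasswd does (base64 of SHA-1(password || salt) followed by the salt), and verify_ssha recovers the salt from a stored string and recomputes the hash. The function names, the fixed salt used for reproducibility and the reliance on the coreutils base64, od and sha1sum tools are assumptions of this example.

```shell
#!/bin/sh
# Added example: inspect and verify {SSHA} root-password strings offline.
# Uses coreutils (base64, od, sha1sum); function names are this example's own.

# rootpw_value 'olcRootPW: ...' | 'olcRootPW:: base64...'
# Prints the attribute value; a double colon means the value is base64-encoded.
rootpw_value() {
  case $1 in
    'olcRootPW:: '*) printf '%s' "$1" | cut -c13- | base64 -d ;;
    'olcRootPW: '*)  printf '%s' "$1" | cut -c12- ;;
    *) echo "not an olcRootPW line: $1" >&2; return 1 ;;
  esac
}

# hex_to_bytes HEX -> raw bytes on stdout (portable: octal escapes via printf)
hex_to_bytes() {
  h=$1
  [ $(( ${#h} % 2 )) -eq 0 ] || { echo "odd-length hex string" >&2; return 1; }
  while [ -n "$h" ]; do
    pair=$(printf '%s' "$h" | cut -c1-2)
    printf "\\$(printf '%03o' "0x$pair")"
    h=${h#??}
  done
}

# make_ssha PASSWORD SALT_HEX -> {SSHA}base64( SHA1(password || salt) || salt )
# slappasswd picks a random salt; passing one explicitly keeps this reproducible.
make_ssha() {
  pw=$1 salt_hex=$2
  digest_hex=$({ printf '%s' "$pw"; hex_to_bytes "$salt_hex"; } | sha1sum | cut -c1-40)
  printf '{SSHA}%s' "$(hex_to_bytes "$digest_hex$salt_hex" | base64 | tr -d '\n')"
}

# verify_ssha STORED PASSWORD -> exit 0 if PASSWORD matches the {SSHA} string,
# 1 if it does not, 2 if STORED is not an {SSHA} string at all.
verify_ssha() {
  stored=$1 pw=$2
  case $stored in '{SSHA}'*) ;; *) echo "not an {SSHA} string" >&2; return 2 ;; esac
  hex=$(printf '%s' "$stored" | cut -c7- | base64 -d | od -An -v -tx1 | tr -d ' \n')
  salt_hex=$(printf '%s' "$hex" | cut -c41-)   # SHA-1 digest is 20 bytes = 40 hex chars
  [ "$(make_ssha "$pw" "$salt_hex")" = "$stored" ]
}
```

A practical check before restarting slapd is to feed the edited line back through these helpers, for example verify_ssha "$(rootpw_value "$(grep '^olcRootPW:' FILE)")" newPassWord: if that fails, either the colon form or the pasted hash is wrong, and fixing it now avoids locking yourself out of the directory after the restart.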
Manually set Edge admin password
Resetting Edge Passwords describes how to change the Edge system password but requires that you know the existing password. If you have lost the Edge system password, you can use the following procedure to reset it.
- On the UI node, stop the Edge UI:
/opt/apigee/apigee-service/bin/apigee-service edge-ui stop
- Use ldappasswd to set the Edge sys admin password:
ldappasswd -h localhost -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord \
  "uid=admin,ou=users,ou=global,dc=apigee,dc=com"
You are prompted for the OpenLDAP admin password.
- Update the config file that you used to install the Edge UI with the new Edge system password:
APIGEE_ADMINPW=newPassWord
- Configure and restart the Edge UI:
/opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
- (Only if TLS is enabled on the UI) Re-enable TLS on the Edge UI as described in Configuring TLS for the management UI.
Delete SLAPD lock file
If you get an error when trying to start OpenLDAP that the slapd.pid lock file exists, you can delete the file.
The file is located in /opt/apigee/apigee-openldap/var/run/slapd.pid. Delete the file and try to restart OpenLDAP:
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
If OpenLDAP does not start, try starting it in debug mode and check for errors:
slapd -h ldap://:10389/ -u apigee -d 255 -F /opt/apigee/data/apigee-openldap/slapd.d
Errors may point to resource problems, such as memory or CPU utilization.
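A leftover slapd.pid usually means slapd was killed without cleaning up, but the same error appears when a slapd process is in fact still running, and deleting the file in that case lets a second instance start against the same database directory. The function below is an added example, not part of the Apigee tooling: it reads the pid from the lock file and removes the file only when no process with that pid exists. The function names and messages are this example's own; the path is the one given on the page.

```shell
#!/bin/sh
# Added example: remove slapd.pid only when the process it names is gone.
SLAPD_PIDFILE=/opt/apigee/apigee-openldap/var/run/slapd.pid

# pid_alive PID -> exit 0 if a process with that pid exists.
# kill -0 fails with EPERM for another user's process, so /proc is the fallback.
pid_alive() {
  kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# remove_stale_pidfile [PIDFILE]
# 0: file held a dead pid and was removed; 1: process still running, file kept;
# 2: file missing or content is not a pid (left alone for a human to inspect).
remove_stale_pidfile() {
  pidfile=${1:-$SLAPD_PIDFILE}
  [ -r "$pidfile" ] || { echo "$pidfile: missing or unreadable" >&2; return 2; }
  pid=$(tr -d ' \t\n' < "$pidfile")
  case $pid in
    ''|*[!0-9]*) echo "$pidfile: content is not a pid: '$pid'" >&2; return 2 ;;
  esac
  if pid_alive "$pid"; then
    echo "$pidfile: pid $pid is still running; not removing" >&2
    return 1
  fi
  rm -f "$pidfile" && echo "$pidfile: removed stale lock left by pid $pid"
}
```

Run remove_stale_pidfile with no argument on the OpenLDAP node, then the apigee-service restart command from the page; a return code of 1 means the right fix is to stop the running slapd cleanly rather than to delete the file.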
Troubleshooting OpenLDAP replication problems
If your installation uses multiple OpenLDAP servers, you can check the replication settings to ensure that the servers are functioning properly.
- Ensure that ldapsearch returns data from each OpenLDAP server:
ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389
You are prompted for the OpenLDAP admin password.
- Check the replication configuration by examining the /opt/apigee/conf/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file.
- Make sure the system password is the same on each OpenLDAP server.
- Check iptables and tcp wrapper settings.