The Apigee system uses OpenLDAP to authenticate users in your API management environment. OpenLDAP makes this LDAP password policy functionality available.
This section describes how to configure the delivered default LDAP password policy. Use this password policy to configure various password authentication options, such as the number of consecutive failed login attempts after which a password can no longer be used to authenticate a user to the directory.
This section also describes how to use a couple of APIs to unlock user accounts that have been locked according to attributes configured in the default password policy.
For additional information, see:
Configuring the default LDAP password policy
This section explains how to configure the default LDAP password policy for:
Configuring the default LDAP password policy for Edge users and the original sysadmin
To configure the default LDAP password policy for Edge users and the original sysadmin:
- Connect to your LDAP server using an LDAP client, such as Apache Studio or ldapmodify. By default, the OpenLDAP server listens on port 10389 on the OpenLDAP node. To connect, specify the Bind DN or user of `cn=manager,dc=apigee,dc=com` and the OpenLDAP password that you set at the time of Edge installation.
- Use the client to navigate to the password policy attributes for:
  - Edge users: `cn=default,ou=pwpolicies,dc=apigee,dc=com`
  - The original Edge sysadmin: `cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com`

  Note: To configure the LDAP password policy for additional sysadmins (other than the original sysadmin), see Configuring the LDAP password policy for additional sysadmins below.
- Edit the password policy attribute values as desired.
- Save the configuration.
Configuring the LDAP password policy for additional sysadmins
When you add sysadmin users to Edge, they inherit the default password policy, rather than the sysadmin password policy of the original sysadmin. The default password policy expires after a certain amount of time unless configured to do otherwise. To set the additional sysadmin users' password policy so that it won't expire, follow these steps:
- Find the dn of all sysadmins by running this command:

  ```shell
  ldapsearch -x -W -D "cn=manager,dc=apigee,dc=com" -H "ldap://:10389" -b "cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com" -s base -LLL
  ```

  The output shows the sysadmin users as roleOccupant values:

  ```
  dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
  objectClass: organizationalRole
  objectClass: top
  cn: sysadmin
  roleOccupant: uid=admin,ou=users,ou=global,dc=apigee,dc=com
  roleOccupant: uid=2a0056b4-5c62-49de-8fb3-925ch67a3e45,ou=users,ou=global,dc=apigee,dc=com
  ```
- Create a new file named `ppchange.ldif` and add the following to it (replacing the dn with that of your own sysadmin user):

  ```
  dn: uid=new-sysadmin-uid,ou=users,ou=global,dc=apigee,dc=com
  changetype: modify
  add: pwdPolicySubentry
  pwdPolicySubentry: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
  ```
- Modify the user by entering the following command:

  ```shell
  ldapmodify -x -w "$ldappassword" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ppchange.ldif
  ```
- Verify the change with the ldapsearch command:

  ```shell
  ldapsearch -x -W -D "cn=manager,dc=apigee,dc=com" -H "ldap://:10389" -b "uid=new-sysadmin-uid,ou=users,ou=global,dc=apigee,dc=com" -s base -LLL pwdPolicySubentry
  ```

  The output shows the added pwdPolicySubentry:

  ```
  dn: uid=new-sysadmin-uid,ou=users,ou=global,dc=apigee,dc=com
  pwdPolicySubentry: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
  ```
- Repeat steps 2 through 4 for each sysadmin.
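The steps above can be scripted: the following added example (not Apigee's code) parses the LDIF output of the step 1 ldapsearch, which is embedded here as a constructed sample, skips the original sysadmin (assumed to be `uid=admin`, who already uses the sysadmin policy) and emits one `changetype: modify` record per additional sysadmin for step 3. It handles LDIF line folding but assumes no base64-encoded (`::`) values.

```python
"""Generate ppchange.ldif for every additional sysadmin from ldapsearch output."""

SYSADMIN_POLICY = "cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com"

# Constructed sample of the `ldapsearch ... -s base -LLL` output from step 1.
# The second roleOccupant line is folded (continuation line begins with a space).
SAMPLE_SEARCH_OUTPUT = """\
dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
objectClass: organizationalRole
objectClass: top
cn: sysadmin
roleOccupant: uid=admin,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=2a0056b4-5c62-49de-8fb3-925ch67a3e45,ou=users,ou=global,dc=
 apigee,dc=com
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for a single LDIF entry.
    A line starting with one space continues the previous line (LDIF folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def sysadmin_dns(search_output, original_sysadmin_uid="admin"):
    """DNs of additional sysadmins: every roleOccupant except the original one
    (assumed uid, hypothetical default), who already has the sysadmin policy."""
    entry = parse_ldif_entry(search_output)
    skip = f"uid={original_sysadmin_uid},"
    return [dn for dn in entry.get("roleOccupant", []) if not dn.startswith(skip)]

def build_ppchange_ldif(dns):
    """One modify record per DN, exactly as in step 2, separated by blank lines."""
    records = [
        f"dn: {dn}\nchangetype: modify\nadd: pwdPolicySubentry\n"
        f"pwdPolicySubentry: {SYSADMIN_POLICY}\n"
        for dn in dns
    ]
    return "\n".join(records)

if __name__ == "__main__":
    # Redirect to ppchange.ldif, then run the ldapmodify command from step 3.
    print(build_ppchange_ldif(sysadmin_dns(SAMPLE_SEARCH_OUTPUT)), end="")
```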
Default LDAP Password Policy Attributes

Attribute | Description | Default
---|---|---
pwdExpireWarning | The maximum number of seconds before a password is due to expire during which expiration warning messages are returned to a user who is authenticating to the directory. | 604800 (equivalent to 7 days)
pwdFailureCountInterval | Number of seconds after which old consecutive failed bind attempts are purged from the failure counter. In other words, this is the number of seconds after which the count of consecutive failed login attempts is reset. If pwdLockout is TRUE, we suggest that this attribute be set to the same value as the pwdLockoutDuration attribute. | 300
pwdInHistory | Maximum number of used, or past, passwords for a user that will be stored in the password history. When changing her password, the user will be blocked from changing it to any of her past passwords. | 3
pwdLockout | If TRUE, a user account is locked once the number of consecutive failed login attempts set by pwdMaxFailure is reached. | False
pwdLockoutDuration | Number of seconds during which a password cannot be used to authenticate the user due to too many consecutive failed login attempts. In other words, this is the length of time during which a user account will remain locked due to exceeding the number of consecutive failed login attempts set by the pwdMaxFailure attribute. If pwdLockout is TRUE, we suggest that this attribute be set to the same value as the pwdFailureCountInterval attribute. | 300
pwdMaxAge | Number of seconds after which a user (non-sysadmin) password expires. A value of 0 means passwords do not expire. The default value of 2592000 corresponds to 30 days from the time the password was created. | user: 2592000, sysadmin: 0
pwdMaxFailure | Number of consecutive failed login attempts after which a password may not be used to authenticate a user to the directory. | 3
pwdMinLength | Specifies the minimum number of characters required when setting a password. | 8
Unlocking a User Account
A user's account may be locked due to attributes set in the password policy. A user with the sysadmin Apigee role assigned can use the following API call to unlock the user's account. Replace userEmail, adminEmail, and password with actual values.
To unlock a user:
/v1/users/userEmail/status?action=unlock -X POST -u adminEmail:password
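To see how the lockout attributes in the table above interact, and what the unlock API call undoes, here is an added example (not Apigee or OpenLDAP code) that models the documented semantics: failures older than pwdFailureCountInterval are purged, the pwdMaxFailure-th remaining failure locks the account when pwdLockout is TRUE, and the lock lasts pwdLockoutDuration seconds (0 meaning until an administrator unlocks). Times are plain seconds; the attribute-like field names are the model's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PasswordPolicy:
    pwdLockout: bool = False            # Apigee default: lockout disabled
    pwdMaxFailure: int = 3
    pwdFailureCountInterval: int = 300  # 0 = old failures are never purged
    pwdLockoutDuration: int = 300       # 0 = locked until an admin unlocks

@dataclass
class Account:
    failure_times: List[int] = field(default_factory=list)  # modelled failure timestamps
    locked_at: Optional[int] = None                          # modelled lock timestamp

def is_locked(acct: Account, policy: PasswordPolicy, now: int) -> bool:
    if acct.locked_at is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True
    return now < acct.locked_at + policy.pwdLockoutDuration

def attempt_bind(acct: Account, policy: PasswordPolicy, now: int, correct: bool) -> str:
    """One bind attempt at time `now`; returns 'ok', 'invalid' or 'locked'."""
    if is_locked(acct, policy, now):
        return "locked"                  # even a correct password is refused
    if correct:
        acct.failure_times.clear()       # a successful bind resets the counter
        acct.locked_at = None
        return "ok"
    # Purge failures older than pwdFailureCountInterval, then count this one.
    if policy.pwdFailureCountInterval > 0:
        acct.failure_times = [t for t in acct.failure_times
                              if now - t < policy.pwdFailureCountInterval]
    acct.failure_times.append(now)
    if policy.pwdLockout and len(acct.failure_times) >= policy.pwdMaxFailure:
        acct.locked_at = now             # the lock starts with the Nth failure
        return "locked"
    return "invalid"

def admin_unlock(acct: Account) -> None:
    """The effect of the sysadmin's /v1/users/userEmail/status?action=unlock call."""
    acct.locked_at = None
    acct.failure_times.clear()
```

With the page's defaults (pwdLockout False) the counter is kept but never locks anyone; setting pwdFailureCountInterval equal to pwdLockoutDuration, as the table suggests, means the counter is clean again exactly when the lock expires.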