Managing the default LDAP password policy for API management

The Apigee system uses OpenLDAP to authenticate users in your API management environment. The LDAP password policy functionality described here is provided by OpenLDAP.

This section describes how to configure the default LDAP password policy that ships with Edge. Use this password policy to configure various password authentication options, such as the number of consecutive failed login attempts after which a password can no longer be used to authenticate a user to the directory.

This section also describes how to use a couple of APIs to unlock user accounts that have been locked according to attributes configured in the default password policy.

Configuring the default LDAP password policy

This section explains how to configure the default LDAP password policy for Edge users and the original sysadmin, and how to apply the sysadmin password policy to additional sysadmins.

Configuring the default LDAP password policy for Edge users and the original sysadmin

To configure the default LDAP password policy for Edge users and the original sysadmin:

  1. Connect to your LDAP server using an LDAP client, such as Apache Directory Studio or ldapmodify. By default, the OpenLDAP server listens on port 10389 on the OpenLDAP node.

    To connect, specify a Bind DN (user) of cn=manager,dc=apigee,dc=com and the OpenLDAP password that you set when installing Edge.

  2. Use the client to navigate to the password policy entries under ou=pwpolicies,dc=apigee,dc=com: the default policy for Edge users, and the sysadmin policy (cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com) for the original sysadmin.
  3. Edit the password policy attribute values as desired.
  4. Save the configuration.

Configuring the LDAP password policy for additional sysadmins

When you add sysadmin users to Edge, they inherit the default password policy, rather than the sysadmin password policy of the original sysadmin. The default password policy expires after a certain amount of time unless configured to do otherwise. To set the additional sysadmin users' password policy so that it won't expire, follow these steps:

  1. Find the DN of all sysadmins by running this command:
    ldapsearch -x -W -D "cn=manager,dc=apigee,dc=com" -H "ldap://:10389" -b "cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com" -s base -LLL

    The output shows the sysadmin users as roleOccupant:

    dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
    objectClass: organizationalRole
    objectClass: top
    cn: sysadmin
    roleOccupant: uid=admin,ou=users,ou=global,dc=apigee,dc=com
    roleOccupant: uid=2a0056b4-5c62-49de-8fb3-925ch67a3e45,ou=users,ou=global,dc=apigee,dc=com
  2. Create a new file named ppchange.ldif and add the following to it (replacing new-sysadmin-uid with the uid of your own additional sysadmin user):
    dn: uid=new-sysadmin-uid,ou=users,ou=global,dc=apigee,dc=com
    changetype: modify
    add: pwdPolicySubentry
    pwdPolicySubentry: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
  3. Modify the user by entering the following command:
    ldapmodify -x -w "$ldappassword" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ppchange.ldif
  4. Verify the change with the ldapsearch command:
    ldapsearch -x -W -D "cn=manager,dc=apigee,dc=com" -H "ldap://:10389" -b "uid=new-sysadmin-uid,ou=users,ou=global,dc=apigee,dc=com" -s base -LLL pwdPolicySubentry

    The output shows the added pwdPolicySubentry:

    dn: uid=new-sysadmin-uid,ou=users,ou=global,dc=apigee,dc=com
    pwdPolicySubentry: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
  5. Repeat steps 2 through 4 for each additional sysadmin.
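As an added example (not part of the Apigee documentation), the following Python script parses the ldapsearch output from step 1 and generates the ppchange.ldif records for every sysadmin other than the original uid=admin user, so that steps 2 through 4 do not have to be repeated by hand. The sample LDIF is constructed to mirror that output, including a folded line, and the function names are this example's own.

```python
SYSADMIN_POLICY_DN = "cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com"
ORIGINAL_SYSADMIN_DN = "uid=admin,ou=users,ou=global,dc=apigee,dc=com"

# Constructed sample of the ldapsearch output from step 1 (ldapsearch folds
# lines longer than 76 characters; a continuation line starts with a space).
SAMPLE_LDIF = """\
dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
objectClass: organizationalRole
objectClass: top
cn: sysadmin
roleOccupant: uid=admin,ou=users,ou=global,dc=apigee,dc=com
roleOccupant: uid=2a0056b4-5c62-49de-8fb3-925ch67a3e45,ou=users,ou=global,dc
 =apigee,dc=com
"""

def unfold_ldif(text):
    """Join LDIF continuation lines back onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def role_occupants(ldif_text):
    """Return every DN listed as roleOccupant in the sysadmin role entry."""
    return [line.split(":", 1)[1].strip()
            for line in unfold_ldif(ldif_text)
            if line.lower().startswith("roleoccupant:")]

def ppchange_ldif(ldif_text, skip=(ORIGINAL_SYSADMIN_DN,)):
    """Build ppchange.ldif: one modify record per additional sysadmin.
    The original sysadmin already has the sysadmin policy and is skipped."""
    records = []
    for dn in role_occupants(ldif_text):
        if dn in skip:
            continue
        records.append(f"dn: {dn}\nchangetype: modify\n"
                       f"add: pwdPolicySubentry\n"
                       f"pwdPolicySubentry: {SYSADMIN_POLICY_DN}\n")
    # ldapmodify accepts several records in one file, separated by blank lines
    return "\n".join(records)

if __name__ == "__main__":
    print(ppchange_ldif(SAMPLE_LDIF), end="")
```

In practice, feed the real ldapsearch output to ppchange_ldif instead of SAMPLE_LDIF, write the result to ppchange.ldif, and apply it with the ldapmodify command from step 3.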

Default LDAP Password Policy Attributes

pwdExpireWarning
    Description: The maximum number of seconds before a password is due to expire during which expiration warning messages are returned to a user who is authenticating to the directory.
    Default: 604800 (equivalent to 7 days)

pwdFailureCountInterval
    Description: Number of seconds after which old consecutive failed bind attempts are purged from the failure counter. In other words, this is the number of seconds after which the count of consecutive failed login attempts is reset.
        If pwdFailureCountInterval is set to 0, only a successful authentication can reset the counter.
        If pwdFailureCountInterval is set to a value greater than 0, the attribute defines a duration after which the count of consecutive failed login attempts is automatically reset, even if no successful authentication has occurred.
        We suggest that this attribute be set to the same value as the pwdLockoutDuration attribute.
    Default: 300

pwdInHistory
    Description: Maximum number of used, or past, passwords for a user that are stored in the pwdHistory attribute. When changing their password, the user is blocked from changing it to any of these past passwords.
    Default: 3

pwdLockout
    Description: If TRUE, specifies to lock out a user when their password expires so that the user can no longer log in.
    Default: FALSE

pwdLockoutDuration
    Description: Number of seconds during which a password cannot be used to authenticate the user due to too many consecutive failed login attempts. In other words, this is the length of time during which a user account remains locked after exceeding the number of consecutive failed login attempts set by the pwdMaxFailure attribute.
        If pwdLockoutDuration is set to 0, the user account remains locked until a system administrator unlocks it. See Unlocking a User Account.
        If pwdLockoutDuration is set to a value greater than 0, the attribute defines a duration for which the user account remains locked. When this time period has elapsed, the user account is automatically unlocked.
        We suggest that this attribute be set to the same value as the pwdFailureCountInterval attribute.
    Default: 300

pwdMaxAge
    Description: Number of seconds after which a user (non-sysadmin) password expires. A value of 0 means passwords do not expire. The default value of 2592000 corresponds to 30 days from the time the password was created.
    Default: user: 2592000; sysadmin: 0

pwdMaxFailure
    Description: Number of consecutive failed login attempts after which a password may not be used to authenticate a user to the directory.
    Default: 3

pwdMinLength
    Description: Specifies the minimum number of characters required when setting a password.
    Default: 8
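As an added example (not part of the Apigee documentation), this Python model follows how the OpenLDAP ppolicy overlay combines pwdMaxFailure, pwdFailureCountInterval and pwdLockoutDuration, so the defaults above, and the advice to keep the two intervals equal, can be reasoned through by hand. The class and function names are this example's own, and the model does not talk to a directory.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PasswordPolicy:
    pwdMaxFailure: int = 3               # failures after which the password is refused
    pwdFailureCountInterval: int = 300   # seconds before old failures are purged; 0 = never
    pwdLockoutDuration: int = 300        # seconds the lock lasts; 0 = until an admin unlocks

@dataclass
class Account:
    pwdFailureTime: List[int] = field(default_factory=list)  # times of failed binds
    pwdAccountLockedTime: Optional[int] = None               # set when the lock starts

def is_locked(policy: PasswordPolicy, acct: Account, now: int) -> bool:
    """Locked while pwdAccountLockedTime is set and pwdLockoutDuration has not elapsed."""
    if acct.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True  # stays locked until unlock() is called
    return now < acct.pwdAccountLockedTime + policy.pwdLockoutDuration

def bind(policy: PasswordPolicy, acct: Account, now: int, password_ok: bool) -> bool:
    """Apply one bind attempt at time `now`; returns True if the bind succeeds."""
    if is_locked(policy, acct, now):
        return False
    if password_ok:
        acct.pwdFailureTime.clear()      # a successful bind resets the counter
        acct.pwdAccountLockedTime = None
        return True
    if policy.pwdFailureCountInterval > 0:
        # failures older than the interval no longer count
        acct.pwdFailureTime = [t for t in acct.pwdFailureTime
                               if now - t < policy.pwdFailureCountInterval]
    acct.pwdFailureTime.append(now)
    if len(acct.pwdFailureTime) >= policy.pwdMaxFailure:
        acct.pwdAccountLockedTime = now  # too many consecutive failures: lock
    return False

def unlock(acct: Account) -> None:
    """What an administrator's unlock does for the account: clear lock and counter."""
    acct.pwdAccountLockedTime = None
    acct.pwdFailureTime.clear()
```

With pwdFailureCountInterval set to 0 but pwdLockoutDuration set to 300, the old failures are never purged, so a single wrong password after the lock expires locks the account again immediately; that is the situation the matching-values suggestion in the table avoids.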

Unlocking a User Account

A user's account may be locked due to attributes set in the password policy. A user with the sysadmin Apigee role assigned can use the following management API call to unlock the user's account. Replace management-server with the host name of your Management Server, and userEmail, adminEmail, and password with actual values.

To unlock a user:

    curl -X POST -u adminEmail:password "http://management-server:8080/v1/users/userEmail/status?action=unlock"