Log file location
OpenLDAP log files are contained in the directory /opt/apigee/var/log. These files can be periodically archived and removed in order to ensure that they do not take up excessive disk space. Information on maintaining, archiving and removing OpenLDAP logs can be found in Section 19.2 of the OpenLDAP manual at http://www.openldap.org/doc/admin24/maintenance.html.
Manually set a user's password
Users can request a new Edge password in the Edge UI. The user then receives an email with information about setting a password. However, if your SMTP server is down, or the user cannot receive an email for any reason, you can manually set the user's password by using OpenLDAP commands.
To set a user's password:
- Use ldapsearch to download user information:
ldapsearch -w ldapAdminPWord -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389 > ldap.txt
- Search the ldap.txt file for the user's email address. You should see a block in the form:
dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com
mail: foo@bar.com
userPassword:: e1NTSEF9a01UUDdSd01BYXRuUURXdXN5OWNPRzBEWWlYZFBRTm14MHlNVWc9PQ==
uid: 29383a67-9279-4aa8-a75b-cfbf901578fc
- Use ldappasswd to set the user's password based on the user's uid:
ldappasswd -h LDAP_IP -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord "uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=com"
You are prompted for the OpenLDAP admin password.
The user can now log in by using newPassWord.
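The procedure above has you search ldap.txt by hand for the user's mail attribute and then copy the matching DN into ldappasswd. The script below is an added example, not part of the Apigee documentation: it parses an ldapsearch -LLL dump (including the folded continuation lines ldapsearch emits for long DNs), returns the DN for a given mail address, and only then calls ldappasswd. The sample dump, the function names and the LDAP_IP environment variable are this example's own assumptions; the userPassword value in the sample is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example (not from the Apigee documentation): look up a user's DN in an
# ldapsearch -LLL dump by mail address, then reset the password with ldappasswd.
# Assumes the dump was produced as in the procedure above (ldap.txt) and that
# LDAP_IP names the OpenLDAP host; both are assumptions, not page values.

# Constructed sample dump standing in for ldap.txt. The userPassword value is a
# placeholder. ldapsearch folds long lines, continuing them on a line that
# starts with a single space, so the first DN is shown folded on purpose.
write_sample_dump() {
  cat > "$1" <<'EOF'
dn: uid=29383a67-9279-4aa8-a75b-cfbf901578fc,ou=users,ou=global,dc=apigee,dc=c
 om
mail: foo@bar.com
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=
uid: 29383a67-9279-4aa8-a75b-cfbf901578fc

dn: uid=admin,ou=users,ou=global,dc=apigee,dc=com
mail: admin@example.com
uid: admin
EOF
}

# Print the DN of the entry whose mail attribute matches $2 (case-insensitive)
# in the LDIF file $1. Folded continuation lines are joined and blank lines
# separate entries; prints nothing and returns 1 if no entry matches.
dn_for_mail() {
  awk -v want="$2" '
    function flush() {
      if (dn != "" && tolower(mail) == tolower(want)) { print dn; found = 1 }
      dn = ""; mail = ""; last = ""
    }
    /^ /      { v = substr($0, 2)                     # continuation of previous attribute
                if (last == "dn") dn = dn v; else if (last == "mail") mail = mail v
                next }
    /^$/      { flush(); next }                       # blank line ends an entry
    /^dn: /   { dn = substr($0, 5); last = "dn"; next }
    /^mail: / { mail = substr($0, 7); last = "mail"; next }
              { last = "" }                           # any other attribute
    END       { flush(); exit (found ? 0 : 1) }
  ' "$1"
}

# Reset the password of the user with mail address $2 using the DN found in $1.
# -W prompts for the OpenLDAP admin password instead of taking it with -w on the
# command line, where it would be visible to other users in the process list.
reset_user_password() {
  dump=$1; mail=$2; newpw=$3
  dn=$(dn_for_mail "$dump" "$mail") || { echo "no entry with mail $mail" >&2; return 1; }
  ldappasswd -h "${LDAP_IP:?set LDAP_IP to the OpenLDAP host}" -p 10389 \
    -D "cn=manager,dc=apigee,dc=com" -W -s "$newpw" "$dn"
}
```

Usage: `write_sample_dump ldap.txt; LDAP_IP=10.0.0.5 reset_user_password ldap.txt foo@bar.com newPassWord`. If no entry carries that mail address the script stops before ldappasswd runs. Passing the new password with -s also places it in the process list; ldappasswd's -S option prompts for it instead.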
Manually set OpenLDAP system password
Resetting Edge passwords describes how to change the OpenLDAP system password but requires that you know the existing password. If you have lost that password, you can use the following procedure to reset it.
- Use slappasswd to create the SSHA hash of the new password:
slappasswd -h {SSHA} -s newPassWord
This command returns a string in the form:
{SSHA}+DOup9d6l+czfWzkIvajwYPArjPurhS6
- Open the /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file in an editor:
vi /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
- Find the line in the form:
olcRootPW:: OldPasswordString
- Replace OldPasswordString with the string returned from slappasswd. If there are two colons after olcRootPW, remove one and ensure there is a space after the colon:
olcRootPW: {SSHA}RGon+bLCe+Sk+HyHholFBj8ONQfabrhw
- Restart OpenLDAP:
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
- Check using ldapsearch that your new password works:
ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389
You are prompted for the OpenLDAP admin password.
- Repeat these steps on any other OpenLDAP servers that are being used for replication.
- Update the Management Server to use the new password:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p newPassWord
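The script below is an added example, not Apigee's or OpenLDAP's code, showing what the slappasswd string is and letting you check the edited olcRootPW line before restarting slapd. An {SSHA} value is base64(SHA1(password || salt) || salt), which is why two slappasswd runs on the same password give different strings. The single-colon rule in the procedure exists because LDIF uses two colons to mark a base64-encoded value, so `olcRootPW:: {SSHA}...` would be base64-decoded on load and never match. The function names, the fixed salts and the test inputs are this example's own assumptions; it needs only sha1sum, base64 and od.

```shell
#!/bin/sh
# Added example (not Apigee's or OpenLDAP's code): generate and verify {SSHA}
# hashes of the form slappasswd prints, and check an olcRootPW line from
# olcDatabase={2}bdb.ldif against the cleartext password before restarting slapd.
# {SSHA} is base64(SHA1(password || salt) || salt); slappasswd picks a random salt.
# Needs sha1sum, base64 and od (coreutils). Function names are this example's own.

# Write the bytes described by a hex string to stdout.
hex_to_bin() {
  hex=$1
  while [ ${#hex} -ge 2 ]; do
    byte=${hex%"${hex#??}"}          # first two hex digits
    hex=${hex#??}
    printf "\\$(printf '%03o' "0x$byte")"
  done
}

# Build an {SSHA} hash for password $1 using the salt given as hex in $2.
# slappasswd chooses a random salt; a caller-supplied one makes the result
# reproducible for testing.
ssha_hash() {
  digest=$({ printf '%s' "$1"; hex_to_bin "$2"; } | sha1sum | cut -c1-40)
  printf '{SSHA}%s\n' "$(hex_to_bin "$digest$2" | base64 | tr -d '\n')"
}

# Return 0 if password $1 matches the {SSHA} hash $2, 1 otherwise.
ssha_verify() {
  case $2 in '{SSHA}'*) ;; *) return 1 ;; esac
  blob=$(printf '%s' "$2" | cut -c7- | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  [ ${#blob} -gt 40 ] || return 1   # 20-byte digest plus at least one salt byte
  stored=$(printf '%s' "$blob" | cut -c1-40)
  salt=$(printf '%s' "$blob" | cut -c41-)
  computed=$({ printf '%s' "$1"; hex_to_bin "$salt"; } | sha1sum | cut -c1-40)
  [ "$computed" = "$stored" ]
}

# Verify an olcRootPW line from the ldif against password $2. A double colon
# means the value is base64-encoded, so "olcRootPW:: {SSHA}..." is decoded as
# base64 (and fails), which is why the procedure says to drop one colon.
olcrootpw_line_verify() {
  case $1 in
    'olcRootPW:: '*) value=$(printf '%s' "${1#"olcRootPW:: "}" | base64 -d 2>/dev/null) ;;
    'olcRootPW: '*)  value=${1#"olcRootPW: "} ;;
    *) return 1 ;;
  esac
  ssha_verify "$2" "$value"
}
```

Usage after editing the file: `olcrootpw_line_verify "$(grep '^olcRootPW:' olcDatabase={2}bdb.ldif)" newPassWord && echo ok`. The first test below uses the SHA-1 test vector SHA1("abc"): hashing password "ab" with the one-byte salt "c" must give {SSHA}qZk+NkcGgWq6PiVxeFDCbJzQ2J1j.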
Manually set Edge admin password
Resetting Edge Passwords describes how to change the Edge system password but requires that you know the existing password. If you have lost the Edge system password, you can use the following procedure to reset it.
- On the UI node, stop the Edge UI:
/opt/apigee/apigee-service/bin/apigee-service edge-ui stop
- Use ldappasswd to set the Edge sys admin password:
ldappasswd -h localhost -p 10389 -D "cn=manager,dc=apigee,dc=com" -W -s newPassWord "uid=admin,ou=users,ou=global,dc=apigee,dc=com"
You are prompted for the OpenLDAP admin password.
- Update the config file that you used to install the Edge UI with the new Edge system password:
APIGEE_ADMINPW=newPassWord
- Configure and restart the Edge UI:
/opt/apigee/apigee-setup/bin/setup.sh -p ui -f configFile
- (Only if TLS is enabled on the UI) Re-enable TLS on the Edge UI as described in Configuring TLS for the management UI.
Delete SLAPD lock file
If you get an error when trying to start OpenLDAP that the slapd.pid lock file exists, you can delete the file.
The file is located in /opt/apigee/apigee-openldap/var/run/slapd.pid. Delete the file and try to restart OpenLDAP:
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
If OpenLDAP does not start, try starting it in debug mode and check for errors:
slapd -h ldap://:10389/ -u apigee -d 255 -F /opt/apigee/data/apigee-openldap/slapd.d
Errors may point to resource, memory, or CPU utilization issues.
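A slapd.pid that still names a running process should not be deleted: the lock is doing its job, and a second slapd started against the same database is the more likely cause of the error. The script below is an added example, not from the Apigee documentation, that checks whether the pid in the file is still alive before removing it and restarting. The function names and the default path handling are this example's own assumptions; the pid file path is the one given above.

```shell
#!/bin/sh
# Added example (not from the Apigee documentation): decide whether slapd.pid is a
# stale lock left behind by a slapd that died, or belongs to a running process,
# before deleting it. Function names are this example's own.

# Return 0 if pid file $1 is stale (safe to delete), 1 if the pid it names is
# still running, 2 if the file is missing or does not hold a process id.
pidfile_is_stale() {
  [ -f "$1" ] || return 2
  pid=$(tr -d ' \n' < "$1")
  case $pid in ''|*[!0-9]*) return 2 ;; esac
  # /proc/<pid> catches a process owned by another user, where kill -0 would
  # fail with "permission denied" and wrongly look stale.
  if [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Remove the lock only when it is stale, then restart OpenLDAP as the procedure does.
clear_stale_lock_and_restart() {
  pidfile=${1:-/opt/apigee/apigee-openldap/var/run/slapd.pid}
  rc=0; pidfile_is_stale "$pidfile" || rc=$?
  case $rc in
    0) rm -f "$pidfile" ;;
    1) echo "slapd (pid $(cat "$pidfile")) is still running; not deleting $pidfile" >&2
       return 1 ;;
    2) echo "$pidfile missing or not a pid file; nothing to delete" >&2 ;;
  esac
  /opt/apigee/apigee-service/bin/apigee-service apigee-openldap restart
}
```

Usage: `clear_stale_lock_and_restart` on the OpenLDAP node. When it reports that slapd is still running, stop that instance through apigee-service first rather than removing the lock.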
Modifying OpenLDAP replication
This section explains how to modify OpenLDAP replication.
Perform the steps in the following procedure on the OpenLDAP replicator node, which replicates its data to the other OpenLDAP node. For example, if you are setting replication from node1 to node2, run the commands on node1.
- Check the present state:
ldapsearch -H ldap://{HOST}:{PORT} -LLL -x -b "cn=config" -D "cn=admin,cn=config" -w {PASSWORD} -o ldif-wrap=no 'olcSyncRepl' | grep olcSyncrepl
The output should be similar to the following:
olcSyncrepl: {0}rid=001 provider=ldap://{HOST}:{PORT}/ binddn="cn=manager,dc=apigee,dc=com" bindmethod=simple credentials={PASSWORD} searchbase="dc=apigee,dc=com" attrs="*,+" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
- Create a file repl.ldif and paste the following commands into the file:
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://{NEW_HOST}:{PORT}/ binddn="cn=manager,dc=apigee,dc=com" bindmethod=simple credentials={PASSWORD} searchbase="dc=apigee,dc=com" attrs="*,+" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
Make sure you replace the following placeholders with the appropriate values:
{NEW_HOST}: The new OpenLDAP host to which you are planning to replicate.
{PORT}: The OpenLDAP port. The default port is 10389.
{PASSWORD}: The OpenLDAP password.
- Run the ldapmodify command:
ldapmodify -x -w {PASSWORD} -D "cn=admin,cn=config" -H "ldap://{HOST}:{PORT}/" -f repl.ldif
The output should be similar to the following:
modifying entry "olcDatabase={2}bdb,cn=config"
- Verify replication:
ldapsearch -H ldap://{HOST}:{PORT} -LLL -x -b "cn=config" -D "cn=admin,cn=config" -w {PASSWORD} -o ldif-wrap=no 'olcSyncRepl' | grep olcSyncrepl
The output should be similar to the following:
olcSyncrepl: {0}rid=001 provider=ldap://{NEW_HOST}:{PORT}/ binddn="cn=manager,dc=apigee,dc=com" bindmethod=simple credentials={PASSWORD} searchbase="dc=apigee,dc=com" attrs="*,+" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
You can verify that replication is working correctly by reading and comparing the contextCSN value from each server and ensuring that they match:
ldapsearch -w {PASSWORD} -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h localhost -p 10389 contextCSN | grep contextCSN
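The helpers below are an added example, not part of the Apigee documentation, covering the replication change above: they write repl.ldif with the placeholders filled in and refuse to produce a file in which a {PLACEHOLDER} was left unreplaced (the usual cause of a rejected ldapmodify), read the provider back out of an olcSyncrepl line as the verification step does, and compare the contextCSN values captured from two servers. Note that both the olcSyncrepl line returned by ldapsearch and repl.ldif itself carry the replication bind password in cleartext in the credentials field, so the generated file is written with mode 0600. The function names, hostnames and the contextCSN values in the test are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the Apigee documentation): helpers for changing and
# checking OpenLDAP replication. Function names and sample values are this
# example's own assumptions.

# Print repl.ldif content for new host $1, port $2 and replication password $3.
make_repl_ldif() {
  cat <<EOF
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://$1:$2/ binddn="cn=manager,dc=apigee,dc=com" bindmethod=simple credentials=$3 searchbase="dc=apigee,dc=com" attrs="*,+" type=refreshAndPersist retry="60 1 300 12 7200 +" timeout=1
EOF
}

# Write repl.ldif to $1 for host $2, port $3 (default 10389) and password $4.
# Fails, writing nothing, if a {NAME} placeholder would remain in the file.
# The file holds the bind password in cleartext, so it is created mode 0600.
write_repl_ldif() {
  out=$1; host=$2; port=${3:-10389}; pw=$4
  content=$(make_repl_ldif "$host" "$port" "$pw")
  if printf '%s' "$content" | LC_ALL=C grep -q '{[A-Z_][A-Z_]*}'; then
    echo "unreplaced placeholder; not writing $out" >&2
    return 1
  fi
  ( umask 077; printf '%s\n' "$content" > "$out" )
}

# Print the provider URL from an olcSyncrepl line as ldapsearch shows it.
syncrepl_provider() {
  printf '%s\n' "$1" | sed -n 's/.*provider=\([^ ]*\).*/\1/p'
}

# Compare contextCSN output captured from two servers (files $1 and $2); 0 when
# the sets of contextCSN values match, 1 otherwise. Sorting handles setups with
# several providers, where each server lists one contextCSN per server id.
contextcsn_in_sync() {
  a=$(grep '^contextCSN:' "$1" | sort)
  b=$(grep '^contextCSN:' "$2" | sort)
  [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Usage on the replicator node: `write_repl_ldif repl.ldif ldap2.example.internal 10389 "$LDAP_PW"`, run the ldapmodify command from the procedure, then confirm with `syncrepl_provider "$(ldapsearch ... 'olcSyncRepl' | grep olcSyncrepl)"`. For the contextCSN check, save the grep output of the ldapsearch command above from each server to a file and pass the two files to `contextcsn_in_sync`.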
Troubleshooting OpenLDAP replication problems
If your installation uses multiple OpenLDAP servers, you can check the replication settings to ensure that the servers are functioning properly.
- Ensure that ldapsearch returns data from each OpenLDAP server:
ldapsearch -W -D "cn=manager,dc=apigee,dc=com" -b "dc=apigee,dc=com" -LLL -h LDAP_IP -p 10389
You are prompted for the OpenLDAP admin password.
- Check the replication configuration by examining the /opt/apigee/conf/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif file.
- Make sure the system password is the same on each OpenLDAP server.
- Check iptables and tcp wrapper settings.