Have you installed OPDK versions 15.0x, 16.01, 16.05 or 16.09? Important information about your password policy.

Dino   created · Apr 08, 2016 at 02:36 AM · 3.6k Views · Dino-at-Google edited · Mar 13, 2019 at 06:24 PM

First: the following information affects you only if you are managing your own Edge cluster, on your own Linux VMs, and you are using a fresh installation of v4.15.0x, v4.16.01, v4.16.05, or v4.16.09. If you are using the Apigee-managed Edge cloud service, this information does not affect you. If you are using an older version of Edge Private Cloud, this does not affect you.

The OpenLDAP server installed with Apigee Edge for Private Cloud (aka "OPDK") in those versions ships with a password policy that enforces a maximum password age of 30 days. Some versions of the Edge Private Cloud documentation state that Edge does not enforce any password age limit; see, for example, p. 38 of the Operations Guide for v16.01. That statement is incorrect: the LDAP server in Edge does enforce a password age.

In the shipped OpenLDAP configuration, the password of every account used to log in to Apigee Edge … expires 30 days after it was last set: 30 days after the account was created, or 30 days after the user last reset it. Once the password has expired the LDAP bind fails, so the user can no longer log in to the Apigee management UI (and the same credentials stop working for the management API, which authenticates against the same directory).

To see whether this problem affects you, or just to examine the password policy for fun, log in to the machine that runs the OpenLDAP server in your Edge OPDK installation and run this command (10389 is the port OPDK's slapd listens on, and cn=manager,dc=apigee,dc=com is the LDAP admin DN):

ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -W -b "cn=default,ou=pwpolicies,dc=apigee,dc=com"

You will be prompted for the LDAP admin password, which you set at install time; supply it. (-W asks for it interactively, which is the right way to do it: passing it with -w would leave it in your shell history and, for as long as the command runs, in the process list, visible to every other user on the box.) The output of that command will look something like this:

# extended LDIF
#
# LDAPv3
# base <cn=default,ou=pwpolicies,dc=apigee,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# default, pwpolicies, apigee.com
dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
sn: dummy value
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinLength: 8
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Notice the line pwdMaxAge: 2592000 in the above. I'm not a math genius, but 2592000 / 86400 (the number of seconds in a day) = 30, so passwords expire after 30 days. The rest of the entry is worth reading while you are there, because it is all in seconds too: pwdExpireWarning: 604800 is a 7-day warning window before expiry; pwdMaxFailure: 3 together with pwdLockout: TRUE and pwdLockoutDuration: 300 locks an account for 5 minutes after 3 failed binds within the pwdFailureCountInterval of 300 seconds; pwdInHistory: 3 blocks reuse of the last 3 passwords; pwdMinLength: 8 is the minimum length.

You may wish to lift the password age restriction. (Recent research supports the idea that forced periodic expiration does not raise security and tends to produce weaker, more predictable passwords; NIST SP 800-63B makes the same recommendation.) Lifting it changes only pwdMaxAge; the lockout, history and minimum-length settings in the same entry stay in force, and those are the ones that actually do the work against password guessing.

To eliminate the maximum password age, in other words to configure the LDAP server so that passwords never expire, run the following two commands. The first writes a one-entry LDIF modify request to a temp file; the second applies it with ldapmodify:

echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0\n" > /tmp/max-age-reset.ldif
ldapmodify  -H ldap://localhost:10389 -W -x -D "cn=manager,dc=apigee,dc=com" -f /tmp/max-age-reset.ldif

If you only want to RAISE the password age, substitute your value in seconds for the 0 in the example above: 7776000, for instance, is 90 days. Any positive value keeps expiry switched on with that age; 0 switches it off.

In either case, once again, you will be asked to supply your LDAP admin password.

OK, that changes the policy entry, BUT note how it applies to existing accounts. Changing pwdMaxAge rewrites nothing on the user entries themselves: each account carries an operational attribute, pwdChangedTime, recording when its password was last set, and expiry is worked out from that timestamp.

On the affected versions, accounts created between the time you installed OPDK and the time you modified the pwdMaxAge policy, or whose password was set or reset in that window, were still governed by the policy in place when the password was set. Which means those users still saw their passwords expire after 30 days. (A later comment on this page, from Dario Bertini, reports that from 17.09 onward a policy change takes effect immediately, expiring or unexpiring credentials on the spot.)

To fix THAT problem, forcibly reset the affected user's password with this command. -W prompts for the LDAP admin password and -S prompts (twice) for the new user password; the reset updates the account's pwdChangedTime, so its expiry clock restarts under the policy now in place:

ldappasswd -H ldap://localhost:10389 -x  -D "cn=manager,dc=apigee,dc=com"  -W -S "uid=LDAP_UUID_OF_ACCOUNT,ou=users,ou=global,dc=apigee,dc=com"

You must replace LDAP_UUID_OF_ACCOUNT with the actual uid of the user in question. That uid is not the e-mail address the user types at the login page: Edge assigns each account a UUID and uses it as the uid in the entry's DN. What is it for a given user? You are surely wondering. Well, I don't know either, but you can find out by running this ldapsearch:

 ldapsearch -H ldap://localhost:10389 -x  -D "cn=manager,dc=apigee,dc=com"  -W -b "ou=users,ou=global,dc=apigee,dc=com"

This lists every account in your OpenLDAP server with its uid and the rest of the entry's attributes, the user's e-mail address among them, so you can match a person to a uid. You can then reset passwords with repeated invocations of the ldappasswd command above. Only the accounts whose password was last set before you changed the policy need it; resetting everyone is a blunt instrument, and hands out new passwords that you then have to communicate securely.
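The check, the policy change and the per-user reset above can be tied together in one script. The following is an added example, not part of the original article and not Apigee's own tooling: it parses the LDIF that the two ldapsearch commands print, decodes the policy into human terms, works out each account's expiry date from pwdChangedTime plus pwdMaxAge, and emits the modify LDIF and the ldappasswd command for the accounts that need attention. It assumes the user entries carry a mail attribute and pwdChangedTime (an OpenLDAP operational attribute, so the users search must request it by name: append uid mail pwdChangedTime after the base DN). The uids and addresses in the embedded samples are made up.

```python
"""Audit the OPDK OpenLDAP password policy and per-account expiry (added example, not Apigee tooling)."""
import base64
import sys
from datetime import datetime, timedelta, timezone

POLICY_DN = "cn=default,ou=pwpolicies,dc=apigee,dc=com"
USERS_BASE = "ou=users,ou=global,dc=apigee,dc=com"
SAMPLE_NOW = datetime(2016, 4, 8, tzinfo=timezone.utc)  # the article's date

# Constructed sample: the policy entry as shown in the article (trimmed).
SAMPLE_POLICY_LDIF = """dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 2592000
pwdMaxFailure: 3
"""
# Constructed sample accounts: made-up uids and addresses (real uids are the UUIDs Edge assigns).
SAMPLE_USERS_LDIF = """dn: uid=3f1c2a1e-0000-4000-8000-000000000001,ou=users,ou=global,dc=apigee,dc=com
uid: 3f1c2a1e-0000-4000-8000-000000000001
mail: alice@example.com
pwdChangedTime: 20160201090000Z

dn: uid=3f1c2a1e-0000-4000-8000-000000000002,ou=users,ou=global,dc=apigee,dc=com
uid: 3f1c2a1e-0000-4000-8000-000000000002
mail: bob@example.com
pwdChangedTime: 20160312120000Z

dn: uid=3f1c2a1e-0000-4000-8000-000000000003,ou=users,ou=global,dc=apigee,dc=com
uid: 3f1c2a1e-0000-4000-8000-000000000003
mail: carol@example.com
pwdChangedTime: 20160405080000Z
"""

def parse_ldif(text):
    """ldapsearch output -> [{attr: [values]}]: skips '#' comments, splits on blank lines,
    joins continuation lines, decodes 'attr::' base64 values, drops the dn-less trailer."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            last = attr.strip()
            current.setdefault(last, []).append(value.strip())
    return [e for e in entries if "dn" in e]

def first(entry, attr, default=None):
    return entry.get(attr, [default])[0]

def policy_summary(policy):
    """The seconds-based pwdPolicy attributes in human terms."""
    sec = lambda attr: int(first(policy, attr, "0"))
    return {"max_age_seconds": sec("pwdMaxAge"), "max_age_days": sec("pwdMaxAge") / 86400,
            "warning_days": sec("pwdExpireWarning") / 86400,
            "lockout": first(policy, "pwdLockout", "FALSE").upper() == "TRUE",
            "max_failures": sec("pwdMaxFailure"), "lockout_minutes": sec("pwdLockoutDuration") / 60}

def expiry_report(users, max_age_seconds, now, warn_days=7):
    """(uid, mail, expires_at, status) per account: 'expired', 'expiring' (inside
    warn_days), 'ok', or 'unknown' when the entry carries no pwdChangedTime."""
    rows = []
    for u in users:
        uid, mail, changed = first(u, "uid", "?"), first(u, "mail", ""), first(u, "pwdChangedTime")
        if changed is None or max_age_seconds <= 0:  # pwdMaxAge 0: nothing ever expires
            rows.append((uid, mail, None, "unknown" if changed is None else "ok"))
        else:  # GeneralizedTime as OpenLDAP writes it: YYYYMMDDHHMMSS[.fff]Z
            set_at = datetime.strptime(changed[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            expires_at = set_at + timedelta(seconds=max_age_seconds)
            status = ("expired" if expires_at <= now else
                      "expiring" if expires_at <= now + timedelta(days=warn_days) else "ok")
            rows.append((uid, mail, expires_at, status))
    return rows

def modify_max_age_ldif(seconds, policy_dn=POLICY_DN):
    """LDIF for ldapmodify: 0 disables expiry, any positive value is the new age in seconds."""
    return f"dn: {policy_dn}\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: {seconds}\n"

if __name__ == "__main__":  # python3 audit.py policy.ldif users.ldif, or no args for the samples
    live = len(sys.argv) == 3
    s = policy_summary(parse_ldif(open(sys.argv[1]).read() if live else SAMPLE_POLICY_LDIF)[0])
    users = parse_ldif(open(sys.argv[2]).read() if live else SAMPLE_USERS_LDIF)
    print(f"pwdMaxAge {s['max_age_days']:g} days, warning {s['warning_days']:g} days ahead, "
          f"lockout {s['lockout_minutes']:g} min after {s['max_failures']} failed binds")
    for uid, mail, exp, status in expiry_report(users, s["max_age_seconds"], datetime.now(timezone.utc) if live else SAMPLE_NOW):
        print(f"{status:8} {exp.date() if exp else '-'}  {mail or uid}")
        if status != "ok":  # the article's forced reset, with the uid filled in
            print(f'   ldappasswd -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -W -S "uid={uid},{USERS_BASE}"')
    print("\nLDIF to disable expiry:\n" + modify_max_age_ldif(0))
```

Against a live server, redirect the policy ldapsearch from the article into policy.ldif, run the users ldapsearch with uid mail pwdChangedTime appended after the base DN into users.ldif, and pass both files as arguments; with no arguments the script runs on the embedded samples. Because it computes expiry from pwdChangedTime rather than guessing from account creation, it tells you exactly which accounts need the forced reset before you touch anyone's password.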

Finally, I believe that if you have an SMTP server set up properly, Apigee Edge will send out an e-mail during the warning window (pwdExpireWarning: 604800, i.e. the last 7 days before expiry) telling people that their password will soon expire, along with a link they can click to reset it on their own. This also works. The steps described above are useful if you don't have SMTP set up, or ... if you'd like to avoid the problem completely.

Tags: Private Cloud, ldap, 16.01, password, 16.05
Comments
Dino ♦♦ · Apr 08, 2016 at 02:38 AM · 0

@archendra @bwarren @jhunt@apigee.com @Maruti Chand @sgilson

making sure you are aware.

Kurt Googler Kanaskie ♦ · Apr 08, 2016 at 04:08 PM · 0

Great write up, thanks!

A good reason to integrate with an existing external LDAP.

Jason Harrington · Apr 08, 2016 at 06:26 PM · 2

Thank you for the heads-up, @Dino!

I believe this issue may have occurred earlier in the release history.

I ran into 30 day default on a new OPDK 4.15.07.01 cluster. (Opened a support case, everyone shook heads and moved on.)

Thank you for the check/fix alternative! Mine was a bit more...hands-on. ;)

Benjamin Goldman · Apr 08, 2016 at 08:22 PM · 0

This also happened in 15.01 or 15.03 (i forget which one)

....

Benjamin Goldman · Apr 08, 2016 at 08:24 PM · 2

Anyway @dino Thanks for this post. I want to encourage you guys to maybe tag - 16.01 install issues in a way that I can collect them for my own profit later this month....

birute@google.com ♦♦ (in reply to Benjamin Goldman) · Apr 08, 2016 at 08:56 PM · 1

Great suggestion @Benjamin Goldman! Let's start using versions as tags.

Benjamin Goldman (in reply to birute@google.com ♦♦) · Apr 14, 2016 at 08:33 PM · 0

we have two sets of tags:

4.16.01

and

16.01

and for some reason I can't add tags anymore.

Dino ♦♦ (in reply to Benjamin Goldman) · Apr 10, 2016 at 07:50 PM · 0

:thumbsup:

David Ryan · Apr 27, 2016 at 03:43 PM · 1

@Dino - Just one correction under "to fix that problem", the directory path is missing the ou=users part.

Above:

ldappasswd -H ldap://localhost:10389 -x  -D "cn=manager,dc=apigee,dc=com"  -W -S "uid=LDAP_UUID_OF_ACCOUNT,ou=global,dc=apigee,dc=com"

Should be:

ldappasswd -H ldap://localhost:10389 -x  -D "cn=manager,dc=apigee,dc=com"  -W -S "uid=LDAP_UUID_OF_ACCOUNT,ou=users,ou=global,dc=apigee,dc=com"
Dino ♦♦ (in reply to David Ryan) · Apr 27, 2016 at 05:34 PM · 0

Thanks David, I will fix that right now!

Benjamin Goldman · Jun 30, 2016 at 06:17 PM · 0

@Dino quick note:

if you are a 15.x customer on prem, and have already resolved this in your install, and upgrade, it appears as if the fix makes it through an upgrade.

note: this does not necessarily mean you are safe upgrading! It just means I was - because I had resolved this earlier.

divyaachan ♦ · Aug 24, 2016 at 06:20 AM · 0

@Dino can you change the subject of this article to reflect the other private cloud versions as well that are affected. These are 15.X.

Dino ♦♦ (in reply to divyaachan ♦) · Sep 07, 2016 at 03:49 PM · 0

done. Thanks Divya.

Sadiq Hussain · May 19, 2017 at 03:09 AM · 0

@Dino Does it work for the systems which have been upgraded right from v4.14.x to v4.15.x?

Thank you in advance.

Dario Bertini ♦ · Jul 25, 2018 at 03:26 PM · 0

Any user accounts created between the time you installed OPDK 16.01 and the time you modified the pwdMaxAge policy, will be governed by the policy in place at the time the user's password was set. Which means, those users will see their passwords expire after 30 days.

At least since 17.09, this is not correct. Updating the password policy will immediately expire/unexpire user credentials


