Have you installed OPDK, versions 15.0x, 16.01, 16.05, 16.09 ? Important information about your password policy.  

First: the following information affects you only if you are managing your own Edge cluster, on your own Linux VMs, and you are using a fresh installation of v4.15.0x, v4.16.01, v4.16.05, or v4.16.09. If you are using the Apigee-managed Edge cloud service, this information does not affect you. If you are using an older version of Edge Private Cloud, this does not affect you.

The openldap installation in Apigee Edge Private Cloud (aka "OPDK") for those versions enforces a maximum password age of 30 days. In some versions of the documentation for Edge Private Cloud, there is a statement that Edge does not enforce any password age limit. For example, see p. 38 of the Operations Guide for v16.01. But that statement is incorrect. The LDAP Server in Edge does enforce a password age.

In the actual configuration of openldap, the passwords for the users you use to login to Apigee Edge … will expire, exactly 30 days after the user has been created, or 30 days after the user has reset his or her password. An expired password means the user will not be able to login to the Apigee Administrative portal.

To see if this problem affects you, or just to examine the password age policy for fun, login to the machine that runs the openldap server in your Edge OPDK installation. Then run this command:

ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -W -b "cn=default,ou=pwpolicies,dc=apigee,dc=com"

You will be prompted for the LDAP admin password. You should know this; supply it. The output of that command will look something like this:

# extended LDIF
#
# LDAPv3
# base <cn=default,ou=pwpolicies,dc=apigee,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# default, pwpolicies, apigee.com
dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
sn: dummy value
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinLength: 8
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1

Notice the line that shows pwdMaxAge: 2592000 in the above. I'm not a math genius, but I think that 2592000 / 86400 (which is the number of seconds in a day) = 30. That means passwords expire after 30 days.

You may wish to lift the password age restriction. (Recent research supports the idea that password expiration policies don't raise security, and may lead to weaker passwords.)

To eliminate the max password age, in other words to set the LDAP server so that passwords don't expire, you can run the following two commands:

echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0\n" > /tmp/max-age-reset.ldif
ldapmodify  -H ldap://localhost:10389 -W -x -D "cn=manager,dc=apigee,dc=com" -f /tmp/max-age-reset.ldif

If you want to just RAISE the password age, substitute your value in seconds for the value of 0 in the above example.

In either case, once again, you will be asked to supply your LDAP admin password.

OK, that will change the password policy, BUT, this policy will govern all user accounts that get created, or all accounts for which passwords are set or reset, from that point onward.

Any user accounts that were created between the time you installed OPDK 16.01 and the time you modified the pwdMaxAge policy, will be governed by the policy that was in place at the time the user's password was set. Which means, those users will see their passwords expire after 30 days.

To fix THAT problem you may wish to use this command to forcibly reset a user's password.

ldappasswd -H ldap://localhost:10389 -x  -D "cn=manager,dc=apigee,dc=com"  -W -S "uid=LDAP_UUID_OF_ACCOUNT,ou=users,ou=global,dc=apigee,dc=com"

You must replace the string LDAP_UUID_OF_ACCOUNT with the actual uid for the user in question. What is that uid? you are surely wondering. Well I don't know. But you can find out, by first running the ldapsearch command shown here:

 ldapsearch -H ldap://localhost:10389 -x  -D "cn=manager,dc=apigee,dc=com"  -W -b "ou=users,ou=global,dc=apigee,dc=com"

This will show you the accounts in your openldap server, and all of their uids. You may set passwords for all of them using repeated invocations of the ldappasswd command shown above.

Finally, I believe that if you have an SMTP server set up properly, then Apigee Edge will send out an email notifying people that their passwords will soon expire, along with a link they can click to reset the password on their own. This also works. The steps I described above are useful if you don't have the SMTP set up, or ... if you'd like to avoid the problem completely.