PLEASE NOTE: all passwords and UUIDs below have been obfuscated; even if they are decodable, they are invalid. I merely left the "appearance of" them for clarity.
The following assumes you are running Apigee Edge for Private Cloud 4.16.09 or later (without SAML integration) and that you run the commands from the VM hosting OpenLDAP. Alternatively, change the -H URI in each command to point at the OpenLDAP host from any other VM that can reach it on port 10389.
First, set your LDAP manager password in a shell variable for this session, making sure the assignment is not written to Bash history:

set +o history
ldappassword=YOUR_LDAP_PASSWORD
set -o history

Keep in mind that passing the password with -w still makes it visible in the process list (ps) on that host while each command runs. If that matters on your host, use -W to be prompted for it, or -y to read it from a mode-0600 file.
Then, use ldapsearch to list your current password policies:

ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" -b "ou=pwpolicies,dc=apigee,dc=com"
Copy the default policy entry into a file called /tmp/addpwpolicy and modify it as below. The two changes that matter are the new cn (nopwexpiry) and pwdMaxAge: 0, which tells the ppolicy overlay that passwords under this policy never expire:

# nopwexpiry, pwpolicies, apigee.com
dn: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: nopwexpiry
pwdAttribute: userPassword
sn: dummy value
pwdExpireWarning: 17200
pwdInHistory: 3
pwdLockout: FALSE
pwdLockoutDuration: 60
pwdMaxAge: 0
pwdMaxFailure: 3
pwdMinLength: 8

Note that with pwdLockout: FALSE, pwdMaxFailure and pwdLockoutDuration have no effect; set pwdLockout: TRUE if you want the account locked after pwdMaxFailure consecutive failed binds. A non-expiring password is a deliberate weakening of the default policy, so apply this entry only to the specific account that needs it.
Add the policy to openldap:
ldapadd -x -w "$ldappassword" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f /tmp/addpwpolicy
At this point, if you haven't done so already, create the new orgadmin user through the standard process using apigee-service (see here: http://docs.apigee.com/private-cloud/latest/onboard-organization ).
We have now added the password policy. Next, we must apply it to the user in question.
First, find the user with a new ldapsearch query:
ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" -b "ou=users,ou=global,dc=apigee,dc=com"
The above will return all users in your OpenLDAP. Find the user in question; the entry will look something like this (ldapsearch folds long lines, so the dn may wrap onto a continuation line that starts with a space):

# 2d071251-c004-4c88-8a73-d6f0859a1a10, users, global, apigee.com
dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com
uid: 2d071251-c004-4c88-8a73-d6f0859a1a10
objectClass: inetOrgPerson
cn: First
sn: Last
mail: firstlast@apigee.com
userPassword:: e1NTSEF9Nkl1BUV4VGFzOFVHY0FBRWxHaVo5aMLYdnhRMFhoQXY=
Next, we will modify that user in OpenLDAP. Create a new file, /tmp/modifyuser:

dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com
Then modify the user with the above:
ldapmodify -x -w "$ldappassword" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f /tmp/modifyuser
Next, verify the pwdPolicySubentry was applied to the user:
ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" -b "uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com" "(uid=2d071251-c004-4c88-8a73-d6f0859a1a10)" pwdPolicySubentry
You should get back a response like the following; the value must match the cn of the policy you added (cn=nopwexpiry), otherwise the subentry points at a policy that does not exist:

# 2d071251-c004-4c88-8a73-d6f0859a1a10, users, global, apigee.com
dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com
pwdPolicySubentry: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com
No restarts should be required. The only other thing you may need to consider is what to do if the password for the user in question has already expired. In that case, reset it:
OPTIONAL:
ldappasswd -H ldap://localhost:10389 -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" "uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com"

As written (no -s or -S), ldappasswd asks the server to generate a new random password and prints it to the terminal. Add -S if you want to be prompted for the new password instead.
Done!
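The whole procedure as one script, added here as an example; it is not code from the original post or from Apigee. It assumes the DNs and the ldap://localhost:10389 URI used above, and that ldapsearch/ldapmodify are on PATH when run live. The function names (ldif_unfold, ldap_filter_escape, build_modify_ldif, check_policy, find_uid_by_mail, apply_policy) and the sample ldapsearch output are constructed for this example. It goes slightly beyond the post: it looks the user up by mail address instead of pasting the UUID, escapes that value before putting it in the search filter, reads the manager password from a mode-0600 file (-y) instead of the command line, and unfolds LDIF continuation lines (the "dc=c / om" split visible in the output above) before checking that the pwdPolicySubentry really reads back as cn=nopwexpiry.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Values below match the post's
# DNs (assumed). Set RUN_LIVE=1 and pass a mail address to hit a real server.

LDAP_URI="ldap://localhost:10389"
BIND_DN="cn=manager,dc=apigee,dc=com"
POLICY_DN="cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com"
USERS_BASE="ou=users,ou=global,dc=apigee,dc=com"

# LDIF folds long lines: a continuation line starts with a single space.
# ldapsearch output in the post shows this as "dc=c" / " om". Unfold first.
ldif_unfold() {
  awk '
    /^ / { acc = acc substr($0, 2); next }   # continuation: append, drop the space
    { if (started) print acc; acc = $0; started = 1 }
    END { if (started) print acc }'
}

# Escape a value for an LDAP search filter (RFC 4515): backslash first,
# then * ( ) so a crafted mail value cannot widen the search.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The /tmp/modifyuser LDIF from the post, generated for a given uid.
build_modify_ldif() {
  printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: pwdPolicySubentry\npwdPolicySubentry: %s\n' \
    "$1" "$USERS_BASE" "$POLICY_DN"
}

# Read ldapsearch output on stdin; print the pwdPolicySubentry value, if any.
policy_of() { ldif_unfold | sed -n 's/^pwdPolicySubentry: //p'; }

# Succeed only if the entry on stdin carries exactly the expected policy DN.
check_policy() { [ "$(policy_of)" = "$1" ]; }

# --- live helpers: need the ldap tools and a reachable server ----------------
# -y reads the bind password from a file, so it never shows up in `ps`. The
# file must not end in a newline, or the newline becomes part of the password.
find_uid_by_mail() {
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" \
    -b "$USERS_BASE" "(mail=$(ldap_filter_escape "$1"))" uid | ldif_unfold | sed -n 's/^uid: //p'
}

apply_policy() {   # $1 = uid; apply the policy, then verify it reads back
  build_modify_ldif "$1" | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" || return 1
  ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PW_FILE" \
    -b "uid=$1,$USERS_BASE" -s base pwdPolicySubentry | check_policy "$POLICY_DN"
}

# Constructed sample of the verification output from the post, folded the way
# ldapsearch prints it, so the parsing can be exercised offline.
SAMPLE_SEARCH='# 2d071251-c004-4c88-8a73-d6f0859a1a10, users, global, apigee.com
dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=c
 om
pwdPolicySubentry: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com'

if [ "${RUN_LIVE:-0}" = "1" ]; then
  PW_FILE=$(mktemp) && chmod 600 "$PW_FILE"
  printf 'manager password: ' && read -rs pw && echo
  printf '%s' "$pw" > "$PW_FILE" && unset pw
  uid=$(find_uid_by_mail "${1:?usage: RUN_LIVE=1 $0 user@example.com}")
  if [ -z "$uid" ]; then
    echo "no user with that mail address" >&2
  elif [ "$(printf '%s\n' "$uid" | wc -l)" -ne 1 ]; then
    echo "more than one match, refusing to modify" >&2
  else
    apply_policy "$uid" && echo "policy applied and verified for uid=$uid"
  fi
  rm -f "$PW_FILE"
else
  printf '%s\n' "$SAMPLE_SEARCH" | check_policy "$POLICY_DN" && echo "sample entry carries $POLICY_DN"
fi
```

Run it without RUN_LIVE to exercise the parsing against the embedded sample; with RUN_LIVE=1 and a mail address it performs the real lookup, modify and read-back, refusing to touch anything if the mail address matches zero or several entries.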
Great stuff, Alex. See also this related article.