How to setup a password policy for a single orgadmin user for automation without affecting password policies for other users

PLEASE NOTE: all Passwords and UUIDs below have been obfuscated; even if they are decodable, they are invalid. I merely left the "appearance of" them for clarity.

The following assumes you are running 4.16.09 or later (without SAML integration), and running the commands from the VM hosting openldap. Alternatively, you could modify the commands to run from another VM which can communicate with your openldap server on port 10389.

First, set your ldap password for this session, making sure to prevent it from being written to Bash history:

set +o history 
ldappassword=YOUR_LDAP_PASSWORD 
set -o history 

Then, use ldapsearch to obtain your current pw policies:

ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" -b "ou=pwpolicies,dc=apigee,dc=com"

Copy the default policy entry into a file called /tmp/addpwpolicy and modify it as shown below (a new cn for the policy, and pwdMaxAge: 0, which disables password expiry for users assigned to it):

# nopwexpiry, pwpolicies, apigee.com
dn: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: nopwexpiry
pwdAttribute: userPassword
sn: dummy value
pwdExpireWarning: 17200
pwdInHistory: 3
pwdLockout: FALSE
pwdLockoutDuration: 60
pwdMaxAge: 0
pwdMaxFailure: 3
pwdMinLength: 8 

Add the policy to openldap:

ldapadd -x -w "$ldappassword" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f /tmp/addpwpolicy 

At this point, if you haven't done so already, create the new orgadmin user through the standard process using apigee-service (see http://docs.apigee.com/private-cloud/latest/onboard-organization).

We have now added the pw policy. Next, we must apply it to the proper user.

First, find the user using a new ldapsearch query:

ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" -b "ou=users,ou=global,dc=apigee,dc=com"

The above will return all users in your openldap. Find the user in question; its entry will look something like:

# 2d071251-c004-4c88-8a73-d6f0859a1a10, users, global, apigee.com
dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=c
 om
uid: 2d071251-c004-4c88-8a73-d6f0859a1a10
objectClass: inetOrgPerson
cn: First
sn: Last
mail: firstlast@apigee.com
userPassword:: e1NTSEF9Nkl1BUV4VGFzOFVHY0FBRWxHaVo5aMLYdnhRMFhoQXY= 

Next, we will modify that user in openldap. Create a new file, /tmp/modifyuser:

dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com 

Then modify the user with the above:

ldapmodify -x -w "$ldappassword" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f /tmp/modifyuser 

Next, verify the pwdPolicySubentry was applied to the user:

ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" -b "uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com" "(uid=2d071251-c004-4c88-8a73-d6f0859a1a10)" pwdPolicySubentry 

You should get back a response like:

# 2d071251-c004-4c88-8a73-d6f0859a1a10, users, global, apigee.com
dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=c
 om
pwdPolicySubentry: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com
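Since the ldapsearch over ou=users returns every account, it is worth periodically checking which accounts actually carry the non-expiring policy. The following is an added example (not part of the original article): it parses ldapsearch LDIF output, including the folded continuation lines and base64 "::" values seen above, and lists the uids assigned to a given policy DN. The embedded LDIF is constructed sample data, not real output.

```python
import base64

# Constructed sample of ldapsearch output: one user on the automation
# policy, one on the default policy. UUIDs and hashes are made up.
SAMPLE_LDIF = """\
# 2d071251-c004-4c88-8a73-d6f0859a1a10, users, global, apigee.com
dn: uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=c
 om
uid: 2d071251-c004-4c88-8a73-d6f0859a1a10
mail: firstlast@apigee.com
userPassword:: e1NTSEF9Li4u
pwdPolicySubentry: cn=nopwexpiry,ou=pwpolicies,dc=apigee,dc=com

# 9a9a9a9a-0000-0000-0000-000000000000, users, global, apigee.com
dn: uid=9a9a9a9a-0000-0000-0000-000000000000,ou=users,ou=global,dc=apigee,dc=com
uid: 9a9a9a9a-0000-0000-0000-000000000000
mail: other@apigee.com
"""

def _unfold(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of entries, each a dict mapping attribute -> list of values."""
    entries, entry = [], {}
    for line in _unfold(text):
        if line == "":                      # blank line terminates an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):            # ldapsearch comment line
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip(), []).append(value)
    if entry:
        entries.append(entry)
    return entries

def users_with_policy(text, policy_dn):
    """Return uids whose pwdPolicySubentry matches policy_dn (case-insensitive)."""
    wanted = policy_dn.lower()
    return [e["uid"][0] for e in parse_ldif(text)
            if any(v.lower() == wanted for v in e.get("pwdPolicySubentry", []))]
```

Feed it the saved output of the ou=users ldapsearch above and compare the returned list against the accounts you expect to be exempt from expiry.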

No restarts should be required. The only other thing you may need to consider is what to do if the password for the user in question has already expired:

OPTIONAL (note that ldappasswd run as below, without -S or -s, asks the server to generate a new random password and prints it; add -S to be prompted for the new password instead):

ldappasswd -H ldap://localhost:10389 -D "cn=manager,dc=apigee,dc=com" -w "$ldappassword" "uid=2d071251-c004-4c88-8a73-d6f0859a1a10,ou=users,ou=global,dc=apigee,dc=com"

Done!

Comments
DChiesa
Staff

Great stuff, Alex. See also this related article.

Version history
Last update:
03-20-2017 01:49 PM