From 14.07 onwards we have included pwpolicy for openldap in our OPDK.
There is a possibility that the users (sysadmin and default users) might expire, as we don't have a mechanism to alert regarding password expiry. If the sysadmin gets locked out, there is no easy way to recover from it.
The default timeout is set to pwdMaxAge 2592000. This is equivalent to 30 days (converted from seconds to days).
In order to avoid this, we can disable just the lockout for sysadmin and default users by using the script below.
    # Run with bash: the password prompt uses read -s -n1, [[ ]] and +=.
    echo "Please enter your LDAP password"
    #read -s PASSWORD
    # Read the password one character at a time, echoing '*' for each character.
    password=""
    while IFS= read -r -s -n1 ldappw; do
        if [[ -z $ldappw ]]; then
            echo
            break
        else
            echo -n '*'
            password+=$ldappw
        fi
    done

    # Default policy: pwdMaxAge 0 turns off password expiry.
    echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0" | tee ./cn_default_MaxAge.ldif
    ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_default_MaxAge.ldif

    # Default policy: pwdLockout FALSE turns off account lockout.
    echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdLockout\npwdLockout: FALSE" | tee ./cn_default_Lockout.ldif
    ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_default_Lockout.ldif

    # sysadmin policy: turn off password expiry.
    echo -e "dn: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0" | tee ./cn_sysadmin_MaxAge.ldif
    ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_sysadmin_MaxAge.ldif

    # sysadmin policy: turn off account lockout.
    echo -e "dn: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdLockout\npwdLockout: FALSE" | tee ./cn_sysadmin_Lockout.ldif
    ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_sysadmin_Lockout.ldif

    #sleep 10
    # Remove the temporary LDIF files.
    rm -rf ./cn_*.ldif
The above script will prevent lockout of sysadmin and default users.
This script has to be run on the LDAP server box on OPDK.
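The post notes that nothing alerts on upcoming password expiry. The following is an added example, not part of the original post or of the OPDK distribution: it computes the days remaining from each entry's `pwdChangedTime` and the policy's `pwdMaxAge`. The DNs, the 7-day warning window and the function names are assumptions.

```shell
#!/bin/sh
# Added example: warn before passwords expire under the ppolicy pwdMaxAge.

# Convert LDAP GeneralizedTime "YYYYMMDDhhmmssZ" to epoch seconds (UTC) with
# integer arithmetic only, so the result does not depend on date(1).
gt_to_epoch() {
    local y m d H M S era yoe mp doe
    set -- $(printf '%s\n' "$1" | sed -nE \
        's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})Z$/\1 \2 \3 \4 \5 \6/p')
    [ $# -eq 6 ] || return 1
    y=$1 m=${2#0} d=${3#0} H=${4#0} M=${5#0} S=${6#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # Jan/Feb count with the prior year
    era=$((y / 400)) yoe=$((y % 400)) mp=$(( (m + 9) % 12 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + (153 * mp + 2) / 5 + d - 1 ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S ))
}

# Read LDIF on stdin and print "<dn> <days left> <status>" per entry.
# $1 = pwdMaxAge (seconds), $2 = warning window (days), $3 = now (epoch).
expiry_report() {
    local max_age="$1" warn="$2" now="$3" dn="" line changed left status
    while IFS= read -r line; do
        case $line in
            "dn: "*) dn=${line#dn: } ;;
            "pwdChangedTime: "*)
                # pwdMaxAge 0 means passwords never expire
                if [ "$max_age" -eq 0 ]; then echo "$dn - NEVER"; continue; fi
                changed=$(gt_to_epoch "${line#pwdChangedTime: }") || continue
                left=$(( (changed + max_age - now) / 86400 ))
                if [ $((changed + max_age)) -le "$now" ]; then status=EXPIRED
                elif [ "$left" -lt "$warn" ]; then status=WARN
                else status=OK; fi
                echo "$dn $left $status" ;;
        esac
    done
}

# Constructed sample entries (hypothetical DNs, not Apigee's directory layout).
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20240101000000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdChangedTime: 20240120000000Z

dn: uid=carol,ou=people,dc=example,dc=com
pwdChangedTime: 20231201000000Z'

# pwdMaxAge 2592000 is from the post; "now" is pinned to 2024-01-28T00:00:00Z.
printf '%s\n' "$SAMPLE_LDIF" | expiry_report 2592000 7 1706400000
```

On a live server the input would come from an `ldapsearch` that explicitly requests the operational attribute `pwdChangedTime`, with line wrapping turned off (`-o ldif-wrap=no`).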
Thank you for this. Since the 1404 release notes this has been worrying my team. This script is also provided in the 1404 private cloud distribution.