Prevent password lockout of sysadmin and default cn in OPDK


From 14.07 onwards, we have included pwpolicy for OpenLDAP in our OPDK.

The passwords of the sysadmin and default users might expire without warning, because we don't have a mechanism to alert on password expiry. If the sysadmin gets locked out, there is no easy way to recover from it.

The default timeout is set to pwdMaxAge 2592000. This value is in seconds and is equivalent to 30 days.

To avoid this, we can disable the lockout for just the sysadmin and default users by using the script below.

#!/bin/bash
# Disable password expiry and lockout on the "default" and "sysadmin" password policies.

echo "Please enter your LDAP password"

# Read the password one character at a time, echoing '*' for each keystroke.
password=""
while IFS= read -r -s -n1 ldappw; do
  if [[ -z $ldappw ]]; then
     echo
     break
  else
     echo -n '*'
     password+=$ldappw
  fi
done

# Note: -w passes the password on the ldapmodify command line, where it is
# visible in the process list while the command runs.

# default policy: pwdMaxAge 0 means the password never expires.
echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0" | tee ./cn_default_MaxAge.ldif
ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_default_MaxAge.ldif

# default policy: pwdLockout FALSE disables lockout after failed binds.
echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdLockout\npwdLockout: FALSE" | tee ./cn_default_Lockout.ldif
ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_default_Lockout.ldif

# sysadmin policy: same two changes.
echo -e "dn: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0" | tee ./cn_sysadmin_MaxAge.ldif
ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_sysadmin_MaxAge.ldif

echo -e "dn: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdLockout\npwdLockout: FALSE" | tee ./cn_sysadmin_Lockout.ldif
ldapmodify -x -w "$password" -D "cn=manager,dc=apigee,dc=com" -H ldap://localhost:10389 -f ./cn_sysadmin_Lockout.ldif

# Remove the temporary LDIF files.
rm -f ./cn_*.ldif

The above script will prevent lockout of the sysadmin and default users.

This script has to be run on the LDAP server box in OPDK.
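
To confirm that the change took effect, the two policy entries can be read back with ldapsearch and checked. The following is an added example, not part of the original script or the OPDK distribution; the function names and the sample LDIF are constructed for illustration, and it assumes the ppolicy overlay's documented behaviour that an absent pwdMaxAge or pwdLockout means no expiry and no lockout.

```shell
#!/bin/sh
# Added example: report which password policies still expire or lock out.
# Feed it the output of (run on the LDAP server; -W prompts for the password):
#   ldapsearch -x -LLL -W -D "cn=manager,dc=apigee,dc=com" \
#     -H ldap://localhost:10389 -b "ou=pwpolicies,dc=apigee,dc=com" \
#     pwdMaxAge pwdLockout

# Reads LDIF on stdin, prints one OK/RISK line per entry,
# and returns 1 if any entry still enforces expiry or lockout.
check_pwpolicy() {
  awk '
    function report(   ok) {
      if (dn == "") return
      ok = (maxage + 0 == 0 && toupper(lockout) == "FALSE")
      printf "%s %s pwdMaxAge=%s (%d days) pwdLockout=%s\n",
             (ok ? "OK" : "RISK"), dn, maxage, maxage / 86400, lockout
      if (!ok) bad = 1
      # Reset to the ppolicy defaults that apply when an attribute is absent.
      dn = ""; maxage = "0"; lockout = "FALSE"
    }
    BEGIN           { bad = 0; maxage = "0"; lockout = "FALSE" }
    /^dn: /         { report(); dn = substr($0, 5); next }
    /^pwdMaxAge: /  { maxage = $2; next }
    /^pwdLockout: / { lockout = $2; next }
    END             { report(); exit bad }
  '
}

# Constructed sample: "default" still has the shipped 30-day expiry,
# "sysadmin" has already been changed by the script above.
sample_ldif() {
  cat <<'EOF'
dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
pwdMaxAge: 2592000
pwdLockout: TRUE

dn: cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com
pwdMaxAge: 0
pwdLockout: FALSE
EOF
}

# Demo run on the constructed sample.
sample_ldif | check_pwpolicy || echo "at least one policy still expires or locks out"
```

A non-zero return from check_pwpolicy makes it easy to run from cron or a monitoring check on the LDAP server.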

Comments
Not applicable

Thank you for this. Since the 1404 release notes this has been worrying my team. This script is also provided in the 1404 private cloud distribution.

Version history
Last update:
‎05-21-2015 12:54 AM