External Authentication Configuration and changing sysadmin credentials


I am implementing an external authentication with MS Active Directory as per the updated document http://docs.apigee.com/sites/docs/files/ApigeeEdgePrivateCloud-ExtAuthConfig_v4.pdf. The version we use is 4.16.05.05. The configuration we are implementing is as follows:

1) Direct Binding

2) Secure connection to the Active Directory (SSL / LDAPS)

3) User is bound to SamAccountName

4) Email attribute is userPrincipalName

5) We have a new account in our Active Directory that we want to use as an Apigee sysadmin.

6) We have an ExternalRoleMapper class (see attached - ExternalRoleMapperImpl3.zip)

As we need to change the sysadmin credentials we started with this update first. The document says on page 16 that "If you configure your external LDAP to authenticate using a non-email address username and / or you have a different password in your external LDAP for this sysadmin user, then you will need to make the changes described in this section." The section has silent config file properties like

ADMIN_EMAIL=newUser

APIGEE_ADMINPW=newPW

but it does not indicate where to put a new SamAccountName value for the new sysadmin user name. We tried to put the sysadmin user name into ADMIN_EMAIL as suggested by the document; however, when we attempted to apply the silent config file to our Apigee Management server we got an error as below:

=============================================

sudo /opt/apigee/apigee-setup/bin/setup.sh -p ui -f integ_AD.txt
INFO: running setup as root
INFO: changing log location to /tmp/setup-root.log
Using defaults from integ_AD.txt
Service setup edge-ui
Checking for required variables
Checking required variable ADMIN_EMAIL...Unknown
Checking for optional variables
Found optional variable SKIP_SMTP...OK
Found optional variable APIGEE_ADMINPW...OK
Found optional variable SMTPHOST...OK
Found optional variable SMTPPORT...OK
Found optional variable SMTPSSL...OK
Found optional variable SMTPUSER...OK
Found optional variable SMTPPASSWORD...OK
Error: setup.sh: /opt/apigee/apigee-service/bin/apigee-service exited with unexpected status 1

==============================================

If we change the ADMIN_EMAIL value to the new sysadmin email address then the update command completes, as do the other configurations we need to do with the management-server.properties file. However, attempts to log in to the Edge UI are unsuccessful: we get an "Internal error" error screen.

The tail of the edge-management-server.log is as below:

===============================================

SUCCESSFULLY LOADED ESAPI.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
Attempting to load validation.properties via file I/O.
Attempting to load validation.properties as resource file via file I/O.
Not found in 'org.owasp.esapi.resources' directory or file not readable: /opt/validation.properties
Not found in SystemResource Directory/resourceDirectory: .esapi/validation.properties
Not found in 'user.home' (/opt/apigee) directory: /opt/apigee/esapi/validation.properties
Loading validation.properties via file I/O failed.
Attempting to load validation.properties via the classpath.
SUCCESSFULLY LOADED validation.properties via the CLASSPATH from '/ (root)' using current thread context class loader!
SecurityConfiguration for Encryptor.CipherTransformation not found in ESAPI.properties. Using default: AES/CBC/PKCS5Padding

===============================================

The documentation for a newer version of Apigee, v4.17.01 (http://docs.apigee.com/private-cloud/v4.17.01/configuration-required-different-sysadmin-credentials), suggested using utils.EncryptUtil and updating ui.properties with new values for both the username and the password of the Apigee sysadmin. We tried this approach too on our Apigee version 4.16.05.05, and on the first step

> java -cp "/opt/apigee/edge-ui/conf:/opt/apigee/edge-ui/lib/*" utils.EncryptUtil userName:PWord

we got an error as follows:

Error: Could not find or load main class utils.EncryptUtil

I suspect there are additional steps for 4.16.05.05 for the case when both the username and the password for the Apigee sysadmin are to be changed. Can you please provide advice on the errors we have and on how we can configure a new Apigee sysadmin account located in our Active Directory?

Thank you and best regards, Ivan


As per the discussion with Apigee support:

For this to work, you must have a sysadmin user email address in AD that maps to the one you set up in Apigee during the installation.

If this is not the case, you can create another sysadmin user with that email address. The following has instructions for setting up the user and adding them to the sysadmin role using API calls:

http://docs.apigee.com/private-cloud/latest/managing-users-roles-and-permissions

So it appears that updating the existing sysadmin was the wrong step; it is better to create a new user matching the AD account and then make it a sysadmin. Then perform the rest of the configuration using the new sysadmin account. I am yet to test this approach.
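The mapping requirement from the reply, as an added Python check that is not part of this thread or of Apigee's own tooling: it parses a silent config file, then verifies that ADMIN_EMAIL is email-shaped and equals the userPrincipalName of some AD account (the attribute the question configures as the email attribute). The AD records and both config files are constructed; the "looks like a sAMAccountName" hint is this script's own heuristic, not setup.sh's logic.

```python
import re

# Constructed stand-in for an AD export: sAMAccountName -> userPrincipalName.
# Assumption (from the question): the LDAP email attribute is userPrincipalName.
AD_USERS = {
    "apigee.admin": "apigee.admin@corp.example",
    "ivan": "ivan@corp.example",
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_silent_config(text):
    """Parse KEY=VALUE lines of an apigee-setup silent config file.

    Blank lines, '#' comments and lines without '=' are ignored; later keys win."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_admin_email(props, ad_users):
    """Return (ok, reason) for the ADMIN_EMAIL property.

    The value must be an email address and must be the userPrincipalName of an
    AD account; otherwise external authentication cannot map the sysadmin."""
    value = props.get("ADMIN_EMAIL")
    if not value:
        return False, "ADMIN_EMAIL missing"
    if not EMAIL_RE.match(value):
        hint = " (looks like a sAMAccountName)" if value in ad_users else ""
        return False, "ADMIN_EMAIL is not an email address%s" % hint
    if value not in ad_users.values():
        return False, "no AD account has userPrincipalName=%s" % value
    return True, "ADMIN_EMAIL maps to an AD account"


# Constructed configs: the sAMAccountName mistake from the question, then the fix.
WRONG_CONFIG = "ADMIN_EMAIL=apigee.admin\nAPIGEE_ADMINPW=newPW\nSKIP_SMTP=y\n"
FIXED_CONFIG = "ADMIN_EMAIL=apigee.admin@corp.example\nAPIGEE_ADMINPW=newPW\nSKIP_SMTP=y\n"

if __name__ == "__main__":
    for cfg in (WRONG_CONFIG, FIXED_CONFIG):
        print(check_admin_email(parse_silent_config(cfg), AD_USERS))
```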