Question by testuser · Aug 09, 2017 at 06:25 AM · 4.3k Views · private cloud deployment · private cloud inst

Edge private cloud 4.17.01 installation issue - OpenLDAP issue

We are doing a 9-node Active-Active cluster setup using two DCs (each DC has 9 nodes).

1: I was able to install Cassandra and ZooKeeper on 3 nodes of each DC, using the following utility:

  • /opt/apigee/apigee-setup/bin/setup.sh -p ds -f /tmp/MyConf

2: When we tried to install the Management Server, Edge UI and OpenLDAP using the following utility, we are getting the error below and it's terminating:

  • /opt/apigee/apigee-setup/bin/setup.sh -p ms -f /tmp/MyConf

3: OpenLDAP seems to get installed when we run the status command, but the other components don't, as the utility is terminating.

4: I tried installing using services but faced a similar issue. Moreover, the management server won't come up.

Log after running the utility:

error-log.txt

Configuration file for DC1:

config-file.txt

We never faced any issue with a 1-DC installation. Any insight will be highly appreciated.

error-log.txt (3.9 kB)
config-file.txt (2.8 kB)

10 Answers

3

Answer by RajeshMishra@Google · Aug 23, 2017 at 06:35 AM

/opt/apigee/apigee-service/bin/apigee-service apigee-openldap uninstall

# Get the openldap versions
rpm -qa | grep openldap

# Remove the openldap version 2.4.44
yum remove openldap-servers-2.4.44-5.el7.x86_64
yum remove openldap-clients-2.4.44-5.el7.x86_64
yum remove openldap-2.4.44-5.el7.x86_64   # This may fail

# Install the openldap 2.4.40 versions
yum downgrade openldap-2.4.40
yum install openldap-2.4.40
yum install openldap-servers-2.4.40
yum install openldap-clients-2.4.40

Run the setup again.
Russell Blewitt ♦ · Aug 23, 2017 at 10:14 AM

Be aware that upgrading the RPMs later can cause issues. So lock the OpenLDAP RPMs so they are not going to be upgraded later.

1

Answer by Mauro Gonzalez · Sep 25, 2017 at 05:41 PM

Hi there @testuser and @Russell Blewitt,

I solved that issue during a 4.17.05 installation running on CentOS 7.3 by downgrading the openldap version:

same here

Christin Brown ♦ · Sep 25, 2017 at 05:57 PM

Yes, we have seen this work, but other clients cannot downgrade due to security vulnerabilities in OpenLDAP, hence the need for the newer version.

1

Answer by Jason Mann · Oct 13, 2017 at 12:12 PM

Just in case it's useful to know - I did a deploy of 4.17.09 on RHEL 7.4, which includes openldap 2.4.44, and the installation worked with no openldap errors. No downgrade was necessary and the schema validation issue did not arise - so it would appear to have been fixed (I would have expected to see this bug as a 'FIXED' in the release notes!)

Christin Brown ♦ · Oct 13, 2017 at 12:32 PM

@Stephen Gilson see above comment

Christin Brown ♦ · Oct 13, 2017 at 12:33 PM

@Jason Mann you are correct, and thanks for pointing out that you didn't see it in the release notes.

0

Answer by ylesyuk · Aug 09, 2017 at 11:34 AM

The problem seems to be with the ldapadd command of the Importing ppolicy step.

Can you please add a

set -x

statement after the echo "Importing ppolicy olcOverlay" line in the /opt/apigee/apigee-openldap/lib/actions/setup shell script and re-run the setup?

This will print the exact command that causes the 80 error, and we can then investigate it in isolation.


/opt/apigee/apigee-openldap/lib/actions/setup

echo
echo "Set LDAP ROOTDN password"
echo

# Ignore Invalid credentials (49) error for idempotency, used only to change initial password
CHECKED_LDAP_CALL 49 \
"$APIGEE_SERVICE" apigee-openldap \
change-ldap-password -o secret -n "$APIGEE_LDAPPW" 2>/dev/null

echo "Importing ppolicy olcOverlay"
if [ "$(ldapsearch -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \
    -H "ldap://localhost:${LDAP_PORT}/" \
    -b "olcDatabase={2}bdb,cn=config"   \
    '(olcOverlay=ppolicy)' dn  | grep -c ^dn:)" -eq 0 ]; then
    CHECKED_CALL \
    ldapadd -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \
    -H "ldap://localhost:${LDAP_PORT}/" \
    -f "${COMPONENT_ROOT}/ldif/olcOverlay=ppolicy.ldif"
fi

The 17 additional info error is strange, as google search says that it appears only if you're using 2.4.2 .ldif files against 2.4.3 openldap, but there is no other openldap pre-installed on your LD servers, is there?

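With `set -x` enabled at the point suggested above, the shell echoes the `ldapsearch` and `ldapadd` calls from the excerpt with `$APIGEE_LDAPPW` expanded after `-w`, so the resulting trace contains the LDAP password. The filter below is an added example (not from the thread and not Apigee code) for masking it before a trace is attached anywhere; the function names and sample trace are constructed, and treating `-o`/`-n` of `change-ldap-password` as old/new password is an assumption based on the excerpt.

```shell
#!/bin/sh
# Added example: mask LDAP passwords in `set -x` output before sharing it.

# Filter stdin -> stdout. A value is a run of non-space characters and/or
# single-quoted segments, which is how the shell prints traced arguments.
redact_ldap_trace() {
  sed -E \
    -e "/ldap[a-z]+ /s/( -w )(('[^']*'|[^ ])+)/\1[REDACTED]/g" \
    -e "/change-ldap-password/s/( -[on] )(('[^']*'|[^ ])+)/\1[REDACTED]/g"
}

# Exit 0 if stdin still shows a value after -w (or -o/-n): not safe to post.
leaks_ldap_password() {
  grep -Eq "(ldap[a-z]+( .*)? -w |change-ldap-password.* -[on] )[^[]"
}

# Constructed trace lines; port, DN, ldif path and passwords are made up.
SAMPLE_TRACE="Importing ppolicy olcOverlay
+ /opt/apigee/apigee-service/bin/apigee-service apigee-openldap change-ldap-password -o secret -n 'N3w Pass'
++ ldapsearch -x -w 'N3w Pass' -D cn=admin,cn=config -H ldap://localhost:10389/ -b 'olcDatabase={2}bdb,cn=config' '(olcOverlay=ppolicy)' dn
+ ldapadd -x -w 'N3w Pass' -D cn=admin,cn=config -H ldap://localhost:10389/ -f /path/to/ldif/olcOverlay=ppolicy.ldif"

# Print the redacted trace for the sample.
printf '%s\n' "$SAMPLE_TRACE" | redact_ldap_trace
```

Run `leaks_ldap_password < file` as a last check on any log before uploading it; a password that was exposed in an already-shared trace should be rotated.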
testuser · Aug 09, 2017 at 12:35 PM

No, there is no pre-installed LDAP; moreover, I tried uninstalling and reinstalling as well. No luck.

testuser · Aug 09, 2017 at 12:51 PM

I have made the changes and run the setup again. Kindly find the details.

Changes made :

Error Log :

setup-filechanges-debug.txt

setup-file.png (12.2 kB)
setup-filechanges-debug.txt (2.5 kB)
0

Answer by Christin Brown · Aug 09, 2017 at 12:18 PM

Is your config file correct? I see this error when it's trying to read your config: Could not parse LDAP URI(s)=ldap://:/ (5)

Stopping openldap
testuser · Aug 09, 2017 at 12:34 PM

I had rechecked the configuration file and have attached it for a fresh look.

testuser · Aug 09, 2017 at 12:36 PM

config-file.txt

config-file.txt (2.8 kB)
0

Answer by Christin Brown · Aug 09, 2017 at 01:53 PM

Ok that message states there are bits left over from previous install attempt.

Maybe you should tear everything down on that node, and start over?

yum remove apigee*
yum remove baas* 
rm -rf /opt/apigee/data/*
rm -rf /tmp/bootstrap.sh
yum clean all
yum remove apigee-repo

And then ... download bootstrap.sh again.

curl -s https://<user>:<pass>@software.apigee.com/bootstrap.sh -o /tmp/bootstrap.sh

... and then follow along with the install instructions from the top.
testuser · Aug 09, 2017 at 02:23 PM

Thanks Christin, still getting the same error. I even tried on a different node as well but got the same error.

0

Answer by Russell Blewitt · Aug 21, 2017 at 02:33 PM

Hi,

The key message is this:

additional info: User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined

It appears that with the latest RH/Centos distributions (7.3) the default OpenLDAP installed is 2.4.43 or 2.4.44. That causes an issue with 4.17.xx OPDK.

Our engineering team is working on a fix for this. Please note the fix may not be back-ported to 4.17.01

0

Answer by Michael McLean · Oct 02, 2017 at 09:29 AM

Has this been fixed in the latest 17.09?

Christin Brown ♦ · Oct 13, 2017 at 12:34 PM

@Michael McLean yes

0

Answer by Jason Mann · Oct 09, 2017 at 10:17 AM

Hi @Russell Blewitt, I'm keen to know too, has the issue with the Apigee LDAP install not working with openldap 2.4.44+ been resolved? We deployed Apigee 4.17.05 with openldap / openldap-server / openldap-client RPM locked to 2.4.40 to get around this issue, but this is just a bodge to get us able to do the install. It breaks a security policy for us in terms of keeping our services up to date and current. I'm going to do an Apigee 4.17.09 install this week and it would be good to know if the issue is fixed in this release or not beforehand.

Thanks.

0

Answer by Madharjan · Nov 16, 2017 at 10:15 AM

Below are the steps to downgrade the openldap version to v2.4.40 and also prevent future upgrades by yum updates:

yum remove openldap-servers-2.4.44
yum remove openldap-clients-2.4.44

# yum won't work after below
rpm -e --nodeps openldap-2.4.44
# fix yum
wget ftp://ftp.pbone.net/mirror/ftp.scientificlinux.org/linux/scientific/7.1/x86_64/updates/security/openldap-2.4.40-8.el7.x86_64.rpm
rpm -ivh openldap-2.4.40-8.el7.x86_64.rpm

yum downgrade openldap-2.4.40
yum install openldap-2.4.40
yum install openldap-servers-2.4.40
yum install openldap-clients-2.4.40
yum install apigee-openldap-2.4-0.0.921.noarch

# lock version so no future upgrades on yum update
yum -y install yum-versionlock
yum versionlock openldap
yum versionlock openldap-servers
yum versionlock openldap-clients
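The downgrade-and-lock steps above, Russell Blewitt's advice to lock the RPMs, and Jason Mann's point that the pin breaks patching policy all come down to knowing which hosts still carry the pin and whether they still need it. The audit below is an added example (not from any answer and not Apigee code) that classifies each OpenLDAP package using only the version facts stated in this thread; the function names, status labels, sample input and the assumed `yum versionlock list` line format are illustrative.

```shell
#!/bin/sh
# Added example: audit the OpenLDAP pin described in this thread.
# Thread facts used: 2.4.43/2.4.44 fail with Edge 4.17.xx installers before
# 4.17.09; 2.4.40 plus a versionlock was the workaround.

# True if dotted version $1 is lower than $2 (numeric per field, so 01 < 09).
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# $1 = Edge installer version
# $2 = "name version" lines, e.g. from:
#      rpm -q --qf '%{NAME} %{VERSION}\n' openldap openldap-servers openldap-clients
# $3 = output of `yum versionlock list` (assumed form: 0:openldap-2.4.40-8.el7.*)
audit_openldap() {
  edge=$1; locks=$3
  printf '%s\n' "$2" | while read -r name ver; do
    [ -n "$name" ] || continue
    locked=no
    if printf '%s\n' "$locks" | grep -Eq "^[0-9]+:${name}-[0-9]"; then locked=yes; fi
    status=ok
    if ver_lt "$edge" 4.17.09; then
      case $ver in
        2.4.43|2.4.44) status=reported-failing ;;   # ppolicy schema load error
        *) if [ "$locked" = yes ]; then status=pinned-workaround; fi ;;  # no updates
      esac
    elif [ "$locked" = yes ]; then
      status=lock-no-longer-needed                   # thread: fixed in 4.17.09
    fi
    printf '%s %s %s\n' "$name" "$ver" "$status"
  done
}

# Constructed sample input (not taken from the poster's hosts).
SAMPLE_INSTALLED='openldap 2.4.40
openldap-servers 2.4.40
openldap-clients 2.4.44'
SAMPLE_LOCKS='0:openldap-2.4.40-8.el7.*
0:openldap-servers-2.4.40-8.el7.*'

audit_openldap 4.17.05 "$SAMPLE_INSTALLED" "$SAMPLE_LOCKS"
audit_openldap 4.17.09 "$SAMPLE_INSTALLED" "$SAMPLE_LOCKS"
```

Hosts reported as `pinned-workaround` are not receiving OpenLDAP security updates and belong on an exception list until the installer is upgraded; `lock-no-longer-needed` marks locks that can be removed so normal patching resumes.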
