Edge private cloud 4.17.01 installation issue- Openldap issue

Not applicable

We are doing a 9-node Active-Active cluster set up using two DCs (each DC has 9 nodes).

1: I was able to install Cassandra and Zookeeper on 3 nodes of each DC using the following utility:

  • /opt/apigee/apigee-setup/bin/setup.sh -p ds -f /tmp/MyConf

2: When we tried to install the Management Server, Edge UI and OpenLDAP using the following utility, we got the error below and it terminates:

  • /opt/apigee/apigee-setup/bin/setup.sh -p ms -f /tmp/MyConf

3: OpenLDAP seems to get installed when we run the status command, but the other components don't, as the utility is terminating.

4: I tried installing using services but faced a similar issue. Moreover, the management server won't come up.

Log after running the utility :

error-log.txt

Configuration file For DC1 :

config-file.txt

We never faced any issue with a 1-DC installation. Any insight will be highly appreciated.


ylesyuk

The problem seems to be with the ldapadd command of the "Importing ppolicy" step.

Can you please add a

set -x

statement after the echo "Importing ppolicy olcOverlay" line in the /opt/apigee/apigee-openldap/lib/actions/setup shell script and re-run the setup?

This will print the exact command that causes the error 80, and we can then investigate it in isolation.


/opt/apigee/apigee-openldap/lib/actions/setup                                                                         4591/6510               70%

echo

echo "Set LDAP ROOTDN password"

echo




# Ignore Invalid credentials (49) error for idempotency, used only to change initial password

CHECKED_LDAP_CALL 49 \

"$APIGEE_SERVICE" apigee-openldap \

change-ldap-password -o secret -n "$APIGEE_LDAPPW" 2>/dev/null




echo "Importing ppolicy olcOverlay"

if [ "$(ldapsearch -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \

    -H "ldap://localhost:${LDAP_PORT}/" \

    -b "olcDatabase={2}bdb,cn=config"   \

    '(olcOverlay=ppolicy)' dn  | grep -c ^dn:)" -eq 0 ]; then

    CHECKED_CALL \

    ldapadd -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \

    -H "ldap://localhost:${LDAP_PORT}/" \

    -f "${COMPONENT_ROOT}/ldif/olcOverlay=ppolicy.ldif"

fi

The "additional info" error 17 is strange, as a Google search says that it appears only if you're using 2.4.2 .ldif files against 2.4.3 OpenLDAP, but there is no other OpenLDAP pre-installed on your LDAP servers, is there?

No, there is no pre-installed LDAP; moreover, I tried uninstalling and reinstalling as well. No luck.

I have made the changes and run the setup again. Kindly find the details.

Changes made :

5446-setup-file.png

Error Log :

setup-filechanges-debug.txt

Is your config file correct? I see this error when it's trying to read your config: Could not parse LDAP URI(s)=ldap://:/ (5)

Stopping openldap

I had rechecked the configuration file; I have attached it for a fresh look.

OK, that message states there are bits left over from a previous install attempt.

Maybe you should tear everything down on that node and start over?

```shell
yum remove apigee*
yum remove baas*
rm -rf /opt/apigee/data/*
rm -rf /tmp/bootstrap.sh
yum clean all
yum remove apigee-repo
```

And then ... download bootstrap.sh again.

```shell
curl -s https://<user>:<pass>@software.apigee.com/bootstrap.sh -o /tmp/bootstrap.sh
```

...and then follow along with the install instructions from the top.

Thanks Christin, still getting the same error. I even tried on a different node as well but got the same error.

Not applicable

Based on the information you shared I don't see a good reason for the failure. I recommend you wrap all values in double quotes ("") in the response (config) file.

Example:

```shell
IP10="18.2.4.3"
LDAP_TYPE="2"
LDAP_SID="1"
LDAP_PEER="$IP10"
APIGEE_LDAPPW="secret"
```

Do that for all variables, not just the above.

If a password contains special characters in some positions, like $ in the middle of the string, or the file was created in Windows and copied to Linux, the interpretation of values could be affected.

If you have the opportunity to start from zero, do a clean up and install again. If not, just fix the response file, stop all processes and execute setup.sh one more time.

Clean up process:

```shell
/opt/apigee/apigee-service/bin/apigee-all stop
yum clean all
rpm -e $(rpm -qa | egrep "(apigee-|edge-|baas-)")
rm -rf /opt/apigee
```

Maudrit, thanks a lot. I tried as suggested by you but am still facing the same issue. Not sure what's causing this.

testuser: even I am facing the issue. Please let me know if you found a solution for this.

Not applicable

Hi,

The key message is this:

```
additional info: User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
```

It appears that with the latest RHEL/CentOS distributions (7.3) the default OpenLDAP installed is 2.4.43 or 2.4.44. That causes an issue with 4.17.xx OPDK.

Our engineering team is working on a fix for this. Please note the fix may not be back-ported to 4.17.01.

```shell
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap uninstall

# Get the openldap versions
rpm -qa | grep openldap

# Remove the openldap version 2.4.44
yum remove openldap-servers-2.4.44-5.el7.x86_64
yum remove openldap-clients-2.4.44-5.el7.x86_64
yum remove openldap-2.4.44-5.el7.x86_64   # this may fail

# Install the openldap 2.4.40 versions
yum downgrade openldap-2.4.40
yum install openldap-2.4.40
yum install openldap-servers-2.4.40
yum install openldap-clients-2.4.40
```

Run the setup again.

Be aware that upgrading the RPMs later can cause issues. So lock the OpenLDAP RPMs so they are not going to be upgraded later.
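Two causes were raised in this thread: an installed OpenLDAP at 2.4.43 or newer that fails the ppolicy schema load on 4.17.01, and a response file whose values are unquoted, carry Windows line endings, or contain a "$" in the middle. The preflight script below is an added example, not part of the Apigee installer; it treats every version from 2.4.43 upward as affected (an assumption based on the versions reported here), and the config path /tmp/MyConf in check_host is taken from the original post.

```shell
#!/bin/sh
# Preflight checks for the two failure causes discussed in this thread:
#  1. an installed OpenLDAP at 2.4.43 or newer (ppolicy schema load fails
#     with "attribute type undefined" on 4.17.01), and
#  2. a response file with unquoted values, CRLF line endings, or a "$"
#     inside a value, which the setup script may misinterpret.
# Constructed example; not part of the Apigee installer.

# Returns 0 when an rpm-style OpenLDAP version (e.g. 2.4.44-5.el7) is in the
# range the thread reports as broken (>= 2.4.43, assumed threshold).
openldap_version_affected() {
  v=${1%%-*}                          # strip the rpm release suffix
  maj=${v%%.*}; rest=${v#*.}
  min=${rest%%.*}
  case "$rest" in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
  [ $((maj * 10000 + min * 100 + pat)) -ge 20443 ]
}

# Reads a response (config) file on stdin and prints one line per problem:
#   crlf: KEY, unquoted: KEY, dollar-in-middle: KEY
# Returns 0 when nothing was found, 1 otherwise.
response_file_issues() {
  cr=$(printf '\r'); found=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
    key=${line%%=*}; val=${line#*=}
    case "$val" in
      *"$cr"*) echo "crlf: $key"; found=1; continue ;;   # Windows line ending
    esac
    case "$val" in
      \"*\") ;;                                          # wrapped in double quotes: good
      *) echo "unquoted: $key"; found=1; continue ;;
    esac
    inner=${val#\"}; inner=${inner%\"}
    case "$inner" in
      ?*'$'*) echo "dollar-in-middle: $key"; found=1 ;;  # "$IP10" at the start is fine
    esac
  done
  return $found
}

# Runs both checks on a live host (needs rpm); the config path is an assumption.
check_host() {
  ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openldap) || return 2
  if openldap_version_affected "$ver"; then echo "openldap $ver is in the affected range"; fi
  response_file_issues < "${1:-/tmp/MyConf}"
}
```

Run `check_host /tmp/MyConf` on the node before invoking setup.sh; a non-zero exit means something was reported.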

Not applicable

Hi there @testuser and @Russell Blewitt,

I solved that issue during the 4.17.05 installation running on CentOS 7.3 by downgrading the openldap version:

Same here.

Yes, we have seen this work, but other clients cannot downgrade due to security vulnerabilities in OpenLDAP, hence the need for the newer version.

Has this been fixed in the latest 17.09?

Not applicable

Hi @Russell Blewitt, I'm keen to know too, has the issue with the Apigee LDAP install not working with openldap 2.4.44+ been resolved? We deployed Apigee 4.17.05 with openldap / openldap-server / openldap-client RPM locked to 2.4.40 to get around this issue, but this is just a bodge to get us able to do the install. It breaks a security policy for us in terms of keeping our services up to date and current. I'm going to do an Apigee 4.17.09 install this week and it would be good to know if the issue is fixed in this release or not beforehand.

Thanks.

Not applicable

Just in case it's useful to know: I did a deploy of 4.17.09 on RHEL 7.4, which includes openldap 2.4.44, and the installation worked with no openldap errors. No downgrade was necessary and the schema validation issue did not arise, so it would appear to have been fixed (I would have expected to see this bug as 'FIXED' in the release notes!)

@Stephen Gilson see above comment

@Jason Mann you are correct, and thanks for pointing out that you didn't see it in the release notes.

Not applicable

Below are the steps to downgrade the openldap version to v2.4.40 and also prevent future upgrades by yum updates.

```shell
yum remove openldap-servers-2.4.44
yum remove openldap-clients-2.4.44

# yum won't work after the next command
rpm -e --nodeps openldap-2.4.44
# fix yum
wget ftp://ftp.pbone.net/mirror/ftp.scientificlinux.org/linux/scientific/7.1/x86_64/updates/security/openldap-2.4.40-8.el7.x86_64.rpm
rpm -ivh openldap-2.4.40-8.el7.x86_64.rpm

yum downgrade openldap-2.4.40
yum install openldap-2.4.40
yum install openldap-servers-2.4.40
yum install openldap-clients-2.4.40
yum install apigee-openldap-2.4-0.0.921.noarch

# lock the version so there are no future upgrades on yum update
yum -y install yum-versionlock
yum versionlock openldap
yum versionlock openldap-servers
yum versionlock openldap-clients
```