We are doing a 9-node Active-Active cluster setup using two DCs (each DC has 9 nodes).
1: I was able to install Cassandra and Zookeeper on 3 nodes of each DC using the following utility.
2: When we tried to install the Management Server, Edge UI and OpenLDAP using the following utility, we are getting the error below and it is terminating.
3: OpenLDAP seems to get installed when we run the status command, but other components don't, as the utility is terminating.
4: I tried installing using services but faced a similar issue. Moreover, the management server won't come up.
Log after running the utility :
Configuration file For DC1 :
We never faced any issue with a 1-DC installation. Any insight will be highly appreciated.
Answer by ylesyuk · Aug 09, 2017 at 11:34 AM
The problem seems to be with the ldapadd command of the Importing ppolicy step.
Can you please add the
set -x
statement after the echo "Importing ppolicy olcOverlay" line in the /opt/apigee/apigee-openldap/lib/actions/setup shell script and re-run the setup?
This will print the exact command that causes an 80 error. And we can then investigate it in isolation.
/opt/apigee/apigee-openldap/lib/actions/setup

```
echo
echo "Set LDAP ROOTDN password"
echo
# Ignore Invalid credentials (49) error for idempotency, used only to change initial password
CHECKED_LDAP_CALL 49 \
    "$APIGEE_SERVICE" apigee-openldap \
    change-ldap-password -o secret -n "$APIGEE_LDAPPW" 2>/dev/null

echo "Importing ppolicy olcOverlay"
if [ "$(ldapsearch -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \
        -H "ldap://localhost:${LDAP_PORT}/" \
        -b "olcDatabase={2}bdb,cn=config" \
        '(olcOverlay=ppolicy)' dn | grep -c ^dn:)" -eq 0 ]; then
    CHECKED_CALL \
        ldapadd -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \
        -H "ldap://localhost:${LDAP_PORT}/" \
        -f "${COMPONENT_ROOT}/ldif/olcOverlay=ppolicy.ldif"
fi
```
The 17 additional info error is strange, as a Google search says that it appears only if you're using 2.4.2 .ldif files against 2.4.3 openldap, but there is no other openldap pre-installed on your LD servers, is there?
No, there is no pre-installed LDAP. Moreover, I tried uninstalling and reinstalling as well. No luck.
I have made the changes and run the setup again. Kindly find the details.
Changes made :
Error Log :
Answer by Christin Brown · Aug 09, 2017 at 12:18 PM
Is your config file correct? I see this error when it's trying to read your config. Could not parse LDAP URI(s)=ldap://:/ (5)
Stopping openldap
I had rechecked the configuration file and have attached it for a fresh look.
Answer by Christin Brown · Aug 09, 2017 at 01:53 PM
Ok that message states there are bits left over from previous install attempt.
Maybe you should tear everything down on that node, and start over?
```
yum remove apigee*
yum remove baas*
rm -rf /opt/apigee/data/*
rm -rf /tmp/bootstrap.sh
yum clean all
yum remove apigee-repo
```
And then ... download bootstrap.sh again.
```
curl -s https://<user>:<pass>@software.apigee.com/bootstrap.sh -o /tmp/bootstrap.sh
```
...and then follow along with the install instructions from the top.
Thanks Christin, still getting the same error. I even tried on a different node as well but got the same error.
Answer by Russell Blewitt · Aug 21, 2017 at 02:33 PM
Hi,
The key message is this:
additional info: User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
It appears that with the latest RH/Centos distributions (7.3) the default OpenLDAP installed is 2.4.43 or 2.4.44. That causes an issue with 4.17.xx OPDK.
Our engineering team is working on a fix for this. Please note the fix may not be back-ported to 4.17.01.
Answer by RajeshMishra@Google · Aug 23, 2017 at 06:35 AM
```
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap uninstall

# Get the openldap versions
rpm -qa | grep openldap

# Remove the openldap version 2.4.44
yum remove openldap-servers-2.4.44-5.el7.x86_64
yum remove openldap-clients-2.4.44-5.el7.x86_64
yum remove openldap-2.4.44-5.el7.x86_64    # (This may fail)

# Install the openldap 2.4.40 versions
yum downgrade openldap-2.4.40
yum install openldap-2.4.40
yum install openldap-servers-2.4.40
yum install openldap-clients-2.4.40
```
Run the setup again.
Be aware that upgrading the RPMs later can cause issues. So lock the OpenLDAP RPMs so they are not going to be upgraded later.
Answer by Mauro Gonzalez · Sep 25, 2017 at 05:41 PM
Hi there @testuser and @Russell Blewitt,
I solved that issue during 4.17.05 installation running in Centos 7.3 downgrading the openldap version:
Yes, we have seen this work, but other clients cannot downgrade due to security vulnerabilities in OpenLDAP, hence the need for the newer version.
Answer by Jason Mann · Oct 09, 2017 at 10:17 AM
Hi @Russell Blewitt, I'm keen to know too, has the issue with the Apigee LDAP install not working with openldap 2.4.44+ been resolved? We deployed Apigee 4.17.05 with openldap / openldap-server / openldap-client RPM locked to 2.4.40 to get around this issue, but this is just a bodge to get us able to do the install. It breaks a security policy for us in terms of keeping our services up to date and current. I'm going to do an Apigee 4.17.09 install this week and it would be good to know if the issue is fixed in this release or not beforehand.
Thanks.
Answer by Jason Mann · Oct 13, 2017 at 12:12 PM
Just in case it's useful to know - I did a deploy of 4.17.09 on RHEL 7.4 which includes openldap 2.4.44 and the installation worked with no openldap errors. No downgrade was necessary and the schema validation issue did not arise - so it would appear to have been fixed (I would have expected to see this bug as a 'FIXED' in the release notes!)
@Jason Mann you are correct and thanks for pointing out that you didn't see in the release notes
Answer by Madharjan · Nov 16, 2017 at 10:15 AM
Below are the steps to downgrade the openldap version to v2.4.40 and also prevent future upgrades by yum updates:

```
yum remove openldap-servers-2.4.44
yum remove openldap-clients-2.4.44

# yum won't work after below
rpm -e --nodeps openldap-2.4.44

# fix yum
wget ftp://ftp.pbone.net/mirror/ftp.scientificlinux.org/linux/scientific/7.1/x86_64/updates/security/openldap-2.4.40-8.el7.x86_64.rpm
rpm -ivh openldap-2.4.40-8.el7.x86_64.rpm

yum downgrade openldap-2.4.40
yum install openldap-2.4.40
yum install openldap-servers-2.4.40
yum install openldap-clients-2.4.40
yum install apigee-openldap-2.4-0.0.921.noarch

# lock version so no future upgrades on yum update
yum -y install yum-versionlock
yum versionlock openldap
yum versionlock openldap-servers
yum versionlock openldap-clients
```
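
A pre-flight check that encodes what the answers in this thread report, as an added example that is not part of any post and not Apigee's own tooling. The function names are hypothetical, the sample command output is constructed, and the version thresholds are assumptions drawn from the posts above (2.4.43+ failing on 4.17.xx, 4.17.09 working with 2.4.44); it also flags a leftover version lock once the installed release no longer needs it.

```shell
# Added example: thresholds come from the posts in this thread, not an official compatibility matrix.
# Constructed samples of `rpm -qa | grep openldap` and `yum versionlock list` output.
SAMPLE_RPMS='openldap-servers-2.4.44-5.el7.x86_64
openldap-2.4.44-5.el7.x86_64
openldap-clients-2.4.44-5.el7.x86_64'
SAMPLE_LOCKS='0:openldap-2.4.40-8.el7.*
0:openldap-servers-2.4.40-8.el7.*'

# Version of the base "openldap" package (skips the -servers / -clients lines).
openldap_version() {
    printf '%s\n' "$1" | sed -n 's/^openldap-\([0-9][0-9.]*\)-.*/\1/p' | head -n 1
}

# Succeeds when dotted version $1 >= $2 (numeric compare per component).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# preflight RPM_LIST EDGE_VERSION -> affected | ok | unknown
preflight() {
    ver=$(openldap_version "$1")
    if [ -z "$ver" ] || ! version_ge "$2" 4.17.01; then
        echo unknown     # no openldap RPM found, or an Edge release this thread does not cover
    elif version_ge "$2" 4.17.09 || ! version_ge "$ver" 2.4.43; then
        echo ok          # 4.17.09 reported working with 2.4.44; OpenLDAP below 2.4.43 not implicated
    else
        echo affected    # 4.17.01 up to (not including) 4.17.09 with OpenLDAP 2.4.43+
    fi
}

# Number of openldap packages pinned by yum-versionlock, so the pin can be tracked as an exception.
pinned_openldap() {
    printf '%s\n' "$1" | grep -c '^[0-9]*:openldap' || true
}

# stale_pin LOCK_LIST EDGE_VERSION -> yes when a pin remains on a release that no longer needs it
stale_pin() {
    if [ "$(pinned_openldap "$1")" -gt 0 ] && version_ge "$2" 4.17.09; then echo yes; else echo no; fi
}

preflight "$SAMPLE_RPMS" 4.17.05     # prints: affected
stale_pin "$SAMPLE_LOCKS" 4.17.09    # prints: yes
```

On a real host, pass `"$(rpm -qa | grep openldap)"` and `"$(yum versionlock list)"` in place of the samples.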