Edge private cloud 4.17.01 installation issue- Openldap issue
We are doing a 9 node Active - Active Cluster set up using two DC's (Each DC has 9 nodes).
1: I was able to install Casandra and Zookeeper on 3 node nodes of each Dc.Using following utility.
- /opt/apigee/apigee-setup/bin/setup.sh -p ds -f /tmp/MyConf.
2: When We tried to install the Management Sever , Edge Ui And openldap. Using following utility we are getting below error and its terminating .
- /opt/apigee/apigee-setup/bin/setup.sh -p ms -f /tmp/MyConf
3: OpenLdap seems to get installed when we run the status command, but other components don't as the utility is terminating
4: I tried installing using services but faced similar issue.More over management server wont come up.
Log after running the utility :
Configuration file For DC1 :
We never faced any issue with 1 Dc installation. Any insight will be highly appreciated..
The problem seems to be with the ldapadd command of the Importing ppolicy step.
Can, please, add
set -x
statement after the echo "Importing ppolicy olcOverlay" line in the /opt/apigee/apigee-openldap/lib/actions/setup shell script and re-run the setup?
This will print exact command that causes an 80 error. And we can then investigate it in isolation.
/opt/apigee/apigee-openldap/lib/actions/setup 4591/6510 70%
echo
echo "Set LDAP ROOTDN password"
echo
# Ignore Invalid credentials (49) error for idempotency, used only to change initial password
CHECKED_LDAP_CALL 49 \
"$APIGEE_SERVICE" apigee-openldap \
change-ldap-password -o secret -n "$APIGEE_LDAPPW" 2>/dev/null
echo "Importing ppolicy olcOverlay"
if [ "$(ldapsearch -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \
-H "ldap://localhost:${LDAP_PORT}/" \
-b "olcDatabase={2}bdb,cn=config" \
'(olcOverlay=ppolicy)' dn | grep -c ^dn:)" -eq 0 ]; then
CHECKED_CALL \
ldapadd -x -w "$APIGEE_LDAPPW" -D "$CONFIG_BIND_DN" \
-H "ldap://localhost:${LDAP_PORT}/" \
-f "${COMPONENT_ROOT}/ldif/olcOverlay=ppolicy.ldif"
fi
The 17 additional info error is strange, as google search says that it appears only if you're using 2.4.2 .ldif files against 2.4.3 openldap, but there is no other openldap pre-installed on your LD servers, is there?
no , there no pre-installed ldap , more over I tried uninstalling and reinstalling as well. No luck
I have made the changes and run the set up again .Kindly find the details .
Changes made :
Error Log :
Is your config file correct ? I see this error when it's trying to read your config. Could not parse LDAP URI(s)=ldap://:/ (5)
Stopping openldap
I had rechecked the configuration file , have attcahed it for a fresh look
Ok that message states there are bits left over from previous install attempt.
Maybe you should tear everything down on that node, and start over?
yum remove apigee* yum remove baas* rm -rf /opt/apigee/data/* rm -rf /tmp/bootstrap.sh yum clean all yum remove apigee-repo
And then ... download bootstrap.sh again.
curl -s https://<user>:<pass>@software.apigee.com/bootstrap.sh -o /tmp/bootstrap.sh ..and then follow along with the install instructions from the top.
Thanks Christin , still getting same error. Even i tried on different node as well but got same error
Hi,
The key message is this:
additional info: User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
It appears that with the latest RH/Centos distributions (7.3) the default OpenLDAP installed is 2.4.43 or 2.4.44. That causes an issue with 4.17.xx OPDK.
Our engineering team is working on a fix for this. Please note the fix may not be back-ported to 4.17.01
/opt/apigee/apigee-service/bin/apigee-service apigee-openldap uninstall #Get the openldap versions rpm -qa | grep openldap #Remove the openldap version 2.4.44 yum remove openldap-servers-2.4.44-5.el7.x86_64 yum remove openldap-clients-2.4.44-5.el7.x86_64 yum remove openldap-2.4.44-5.el7.x86_64 (This may fail) #Install the openldap 2.4.40 versions yum downgrade openldap-2.4.40 yum install openldap-2.4.40 yum install openldap-servers-2.4.40 yum install openldap-clients-2.4.40 Run the setup again.
Be aware that upgrading the RPMs later can cause issues. So lock the OpenLDAP RPMs so they are not going to be upgraded later.
Hi there @testuser and @Russell Blewitt,
I solved that issue during 4.17.05 installation running in Centos 7.3 downgrading the openldap version:
yes we have seen this work but other clients can not downgrade due security vulnerabilities in Openldap hence need for the newer version
Has this been fixed in the latest 17.09?
Hi @Russell Blewitt, I'm keen to know too, has the issue with the Apigee LDAP install not working with openldap 2.4.44+ been resolved? We deployed Apigee 4.17.05 with openldap / openldap-server / openldap-client RPM locked to 2.4.40 to get around this issue, but this is just a bodge to get us able to do the install. It breaks a security policy for us in terms of keeping our services up to date and current. I'm going to do an Apigee 4.17.09 install this week and it would be good to know if the issue is fixed in this release or not beforehand.
Thanks.
Just in case it's useful to know - I did a deploy of 4.17.09 on RHEL 7.4 which includes opendlap 2.4.44 and the installation worked with no openldap errors. No downgrade was necessary and the schema validation issue did not arise - so it would appear to have been fixed (I would have expected to see this bug as a 'FIXED' in the release notes!)
@Jason Mann you are correct and thanks for pointing out that you didn't see in the release notes
Below is the steps to downgrade openldap version to v2.4.40 and also prevent future upgrades by yum updates
yum remove openldap-servers-2.4.44 yum remove openldap-clients-2.4.44 // yum won't work after below rpm -e --nodeps openldap-2.4.44 // fix yum wget ftp://ftp.pbone.net/mirror/ftp.scientificlinux.org/linux/scientific/7.1/x86_64/updates/security/openldap-2.4.40-8.el7.x86_64.rpm rpm -ivh openldap-2.4.40-8.el7.x86_64.rpm yum downgrade openldap-2.4.40 yum install openldap-2.4.40 yum install openldap-servers-2.4.40 yum install openldap-clients-2.4.40 yum install apigee-openldap-2.4-0.0.921.noarch // lock version so no future upgrades on yum update yum -y install yum-versionlock yum versionlock openldap yum versionlock openldap-servers yum versionlock openldap-clients ```
