OpenLDAP Password change not working

Hi Guys

So I have a 10 node setup running with two management/OpenLDAP nodes.

I have followed the instructions here but cannot get this working.

So I ran the following.

So on MS Node 1 I did:

1. On the Management Server node, run the following command to create the new OpenLDAP password:

/opt/apigee/apigee-service/bin/apigee-service apigee-openldap change-ldap-password -o oldPword -n newPword

2. Run the following command to store the new password for access by the Management Server:

/opt/apigee/apigee-service/bin/apigee-service edge-management-server store_ldap_credentials -p newPword

Then I did the same process on MS Node 2.

When this is done and brought back up, the replication fails:

598ace63 slap_client_connect: URI=ldap://msnode02:10389/ DN="cn=manager,dc=apigee,dc=com" ldap_sasl_bind_s failed (49)
598ace63 do_syncrepl: rid=001 rc 49 retrying

Now I had a look online, and error 49 in OpenLDAP is invalid credentials, but the passwords have changed, as I can access the OpenLDAP individually using the GUI and also ldapsearch.

Is there part of the process missing?


To add to this: if I change the password back to the default one, replication starts to work again. Is there somewhere else the password is stored that the commands are not changing?

@Michael McLean

Hmmm... given what you stated this should work, and yes, the OpenLDAP instance and mgmt server are the only places you need to run these for. Have you also tried using this method to change the PWs?

http://docs.apigee.com/private-cloud/latest/openldap-maintenance-tasks

Hello 🙂

So I tried that method just now and still the same issue.

There must be something cached, because as soon as I do the same process again to change back to the default password, the replication starts to work again.

It has me stumped.

@Michael McLean The replication script internally uses "ldapmodify". We had a similar issue where our servers were not using the default "ldapmodify" because our Linux team had linked the "ldapmodify" command to a Centrify-based implementation. You might want to check if that is the issue.

I have the same issue. Also, proxies, products, and apps are replicating after the password change; users and roles are not. Were you able to resolve the issue?

I realize this is old, but since I just ran into this, figured I'd post my findings in case someone else has a similar problem.

Check the file:

/opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif

There are two places where the password needs to change for ldap with replication setups:

olcRootPW: this is an encrypted value that the script has probably changed. You can test by doing an ldapsearch with the new credentials.

olcSyncRepl: this is only when there's replication configured, and usually there's a part of it where credentials are passed. This is the non-encrypted password. If this is the old password, this has to be changed to the new one. This affects replication only.
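One way to check the two attributes named above and to produce the fix, as an added example that is not part of the original thread and not Apigee's own tooling. It assumes a POSIX shell with awk and sed, uses the file path, DN, host name and password names that appear in the thread, and works on a constructed sample LDIF in place of a real config file (the olcRootPW hash is a placeholder). It also covers the earlier reply about a substituted ldapmodify binary, with a helper that reports which ldapmodify is actually on PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Apigee.
# Inspect the slapd cn=config LDIF for the replicated database and report
# whether the clear-text syncrepl bind password still matches the password
# set with change-ldap-password; if not, emit the ldapmodify LDIF that
# updates it. SAMPLE_LDIF is CONSTRUCTED to resemble the relevant
# attributes of olcDatabase={2}bdb.ldif; the hash value is a placeholder.

SAMPLE_LDIF='dn: olcDatabase={2}bdb
objectClass: olcDatabaseConfig
olcDatabase: {2}bdb
olcRootDN: cn=manager,dc=apigee,dc=com
olcRootPW: {SSHA}PLACEHOLDERHASHVALUE
olcSyncRepl: {0}rid=001 provider=ldap://msnode02:10389/ bindmethod=simple
  binddn="cn=manager,dc=apigee,dc=com" credentials=oldPword
  searchbase="dc=apigee,dc=com" type=refreshAndPersist retry="60 +"
olcMirrorMode: TRUE'

# slapd writes long attribute values folded over several lines; a line that
# begins with one space continues the previous line. Join them back up.
ldif_unfold() {
  awk '
    /^ /   { buf = buf substr($0, 2); next }
    NR > 1 { print buf }
           { buf = $0 }
    END    { if (NR > 0) print buf }
  '
}

# Hash scheme used by olcRootPW (e.g. {SSHA}). Prints nothing if the value is
# base64-encoded ("olcRootPW::"); an ldapsearch bind with the new password,
# as suggested above, is the reliable test for this attribute.
rootpw_scheme() {
  ldif_unfold | sed -n 's/^olcRootPW: *\({[^}]*}\).*/\1/p'
}

# The bind password inside olcSyncRepl, quoted or unquoted form.
syncrepl_credentials() {
  ldif_unfold | sed -n \
    -e 's/^olcSyncRepl:.*credentials="\([^"]*\)".*/\1/p' \
    -e 's/^olcSyncRepl:.*credentials=\([^ ]*\).*/\1/p'
}

# Exit 0 when the olcSyncRepl password in the LDIF on stdin equals $1.
syncrepl_password_matches() {
  [ "$(syncrepl_credentials)" = "$1" ]
}

# Emit an ldapmodify LDIF that replaces olcSyncRepl with the same consumer
# definition carrying the new password $1. Only the first olcSyncRepl value
# is rewritten; with several providers, list every value under "replace:".
syncrepl_fix_ldif() {
  line=$(ldif_unfold | sed -n '/^olcSyncRepl:/p' | head -n 1)
  [ -n "$line" ] || return 1
  line=$(printf '%s\n' "$line" | sed \
    -e 's/credentials="[^"]*"/credentials="'"$1"'"/' \
    -e 's/credentials=[^" ][^ ]*/credentials='"$1"'/')
  printf 'dn: olcDatabase={2}bdb,cn=config\nchangetype: modify\n'
  printf 'replace: olcSyncRepl\n%s\n' "$line"
}

# Which ldapmodify actually runs (one reply above traced a failure to an
# ldapmodify symlinked to a different implementation).
ldapmodify_path() {
  p=$(command -v ldapmodify) || { echo 'ldapmodify: not on PATH'; return 1; }
  readlink -f "$p"
}

# Human-readable summary for a config file ($1) and the password just set ($2).
report() {
  printf 'olcRootPW scheme: %s\n' "$(rootpw_scheme < "$1")"
  if syncrepl_password_matches "$2" < "$1"; then
    echo "olcSyncRepl credentials already match the new password"
  else
    echo "olcSyncRepl still carries a different password: syncrepl binds fail with rc 49"
    echo "LDIF to apply with ldapmodify against cn=config:"
    syncrepl_fix_ldif "$2" < "$1"
  fi
}

# Demo on the constructed sample. On a real node, point report at
# /opt/apigee/data/apigee-openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LDIF" > "$tmp"
report "$tmp" newPword
rm -f "$tmp"
```

Two caveats when applying the generated LDIF: "replace: olcSyncRepl" discards every existing value, so a node with more than one provider needs all of its consumer definitions listed; and because binddn is the root DN, the credentials on one node must equal the olcRootPW password on the node it replicates from, so the two attributes have to be brought in line on both management nodes before replication binds stop returning rc 49.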

@chad Fujishige, I'm facing exactly the same issue in a new data center. All user data is not replicating in the new DC. I'm not clear on olcRootPW; can I use the SSHA password of olcSyncRepl?

Can I copy the password from the old DC olcDatabase={2}bdb.ldif file?