User creation issue

Created a user and assigned a role to the user, but when we log in it throws the error below.

Again, I am not new to Apigee, but this is frustrating me (tested in QA & UAT) 😞 This is in on-prem 14.6.09.

After the upgrade this is the first user we have created. Still checking...

http://docs.apigee.com/management/apis/post/users

&

http://docs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/userroles/%7Brole_name%7D/u...

2017-10-03 22:11:55,479 qtp788905599-43 ERROR REST - CustomJAXRSInvoker.performInvocation() : CustomJAXRSInvoker.performInvocation : Method com.apigee.security.SecurityServiceImpl.authenticateAndGetExpiry threw an exception.
2017-10-03 22:11:55,480 qtp788905599-43 ERROR REST - ExceptionMapper.toResponse() : Error occurred : Invalid EmailId Password for authentication

com.apigee.security.SecurityServiceImpl.authenticateAndGetExpiry(SecurityServiceImpl.java:216)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)


Was able to resolve, but not impressed/frustrated with the change of steps in each release.

1) Created user using the command below

apigee-service apigee-provision create-user -f createuser

(createuser has the details

APIGEE_ADMINPW=
USER_NAME=
FIRST_NAME=
LAST_NAME=
USER_PWD=
ORG_NAME=

)

2) Added user to orgadmin

curl -v http://localhost:8080/v1/o/<<org>>/userroles/orgadmin/users/<<newuser>>;

With the above steps it didn't work.

What worked ->

After step 1, need to recycle the services and assign the user to orgadmin.

Not sure what's going on. Why is a restart required?

-Vinay

@vinay

You should not have to restart anything... replication can take a few seconds. You should run this command once you get a return from the provision user operation:

curl -u <sysAdminEmail>:<passwd> http://<ms_IP>:8080/v1/users/foo@bar.com

Once it returns the user info, then you add the role to the user. Let me know if you run into an issue doing this.
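
The check-then-assign sequence from the reply above, as an added example that is not part of the original thread: it polls `GET /v1/users/<email>` until the management server returns the user, so the role is only assigned after replication has caught up. `MS_URL`, `MS_NETRC` and the function names are assumptions; credentials are read through curl's `--netrc-file` rather than `-u user:pass` so the sysadmin password stays off the command line.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). MS_URL, MS_NETRC and the function
# names are hypothetical; only GET /v1/users/<email> comes from the page.

MS_URL="${MS_URL:-http://localhost:8080}"
# netrc file holding the sysadmin login (machine/login/password), chmod 600,
# so the password never appears in the process list or shell history.
MS_NETRC="${MS_NETRC:-$HOME/.apigee-netrc}"

# Print the HTTP status of GET /v1/users/<email> ("000" if the call failed).
probe_user() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
       --netrc-file "$MS_NETRC" "$MS_URL/v1/users/$1" || true
}

# usage: wait_for_user <email> [max_attempts] [delay_seconds]
# returns 0 = user is readable, 1 = gave up, 2 = sysadmin login rejected
wait_for_user() {
  local email="$1" max="${2:-10}" delay="${3:-2}" attempt=1 code
  while [ "$attempt" -le "$max" ]; do
    code="$(probe_user "$email")"
    case "$code" in
      200) return 0 ;;
      401|403)
        echo "management API rejected the sysadmin login (HTTP $code)" >&2
        return 2 ;;
      *)
        echo "attempt $attempt/$max: HTTP $code, user not readable yet" >&2 ;;
    esac
    if [ "$attempt" -lt "$max" ]; then sleep "$delay"; fi
    attempt=$((attempt + 1))
  done
  return 1
}

# Typical use: only run the role-assignment call once the user is readable.
#   wait_for_user foo@bar.com 15 2 && <role-assignment curl from step 2>
```

A return code of 2 separates a problem with the sysadmin login itself from a user that simply has not replicated yet, which is worth knowing before restarting services.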

mrios

We have a similar issue in 17.05 OPDK. We're using LDAP to authenticate users, and some users work just fine but others run into the same type of issues that Vinay described.

The logs show these:

==> /opt/apigee/var/log/edge-management-server/logs/system.log <==
2017-10-25 16:48:22,595  pool-3-thread-446 ERROR REST - CustomJAXRSInvoker.performInvocation() : CustomJAXRSInvoker.performInvocation : Method com.apigee.security.SecurityServiceImpl.authenticateAndGetExpiry threw an exception. 
2017-10-25 16:48:22,595  pool-3-thread-446 ERROR REST - ExceptionMapper.toResponse() : Error occurred : Invalid EmailId Password for authentication


	com.apigee.security.SecurityServiceImpl.authenticateAndGetExpiry(SecurityServiceImpl.java:216)
	sun.reflect.GeneratedMethodAccessor702.invoke(Unknown Source)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:497)
	


==> /opt/apigee/var/log/edge-management-server/events/events/events <==
Event{Id,d83361ab-ad0a-4a32-8968-4e1c24014457,Severity,null,Type,Audit,Category,Unknown,SubCategory,Unknown,Timestamp,1508975302595,Source,System,User,null,Host,null,Duration,null,Request,''someone@mail.com'',X-Forwarded-For,,UserAgent,AHC/1.0,ServerIP,11.11.11.11,ServerHostName,xapiadmin.test.shutterfly.com,RequestURIQP,/v1/users/someone@mail.com/authenticateAndGetExpiry,ResponseCode,401,Operation,POST,ClientIP,11.11.11.11,authenticationType,basic,RequestURI,/v1/users/someone@mail.com/authenticateAndGetExpiry,DESCRIPTION,null};


==> /opt/apigee/var/log/edge-management-server/logs/audit.log <==
2017-10-25 16:48:22,597 org:shutterfly  pool-1-thread-57 INFO  AUDITLOG - AuditLog.logAudit() : {responsecode=401, request=''someone@mail.com'', useragent=AHC/1.0, x-forwarded-for=, requesturi=/v1/users/someone@mail.com/authenticateAndGetExpiry/, clientip=11.11.11.11, serverip=11.11.11.11, serverhostname=xapiadmin.test.shutterfly.com, id=d83361ab-ad0a-4a32-8968-4e1c24014457, operation=CREATE, requesturiqp=/v1/users/someone@mail.com/authenticateAndGetExpiry, timestamp=25/10/2017 16:48:22}


==> /opt/apigee/var/log/edge-management-server/logs/access.log <==
2017-10-25 16:48:22,600  pool-1-thread-57 INFO  ACCESSLOG - AccessInfo.logAuditInfo() : {RequestURIQP=/v1/users/someone@mail.com/authenticateAndGetExpiry, ResponseCode=401, ServerHostName=xapiadmin.test.shutterfly.com, ServerIP=11.11.11.11, Request=''someone@mail.com'', UserAgent=AHC/1.0, X-Forwarded-For=, RequestURI=/v1/users/someone@mail.com/authenticateAndGetExpiry, Operation=POST, authenticationType=basic, Timestamp=1508975302595, ClientIP=11.11.11.11
}

The fact that some users can log in using their LDAP credentials makes us think that it is not AD or LDAP configuration related.

I tried to create the user again from scratch from the API and assign the role, but it didn't work. Same with the UI.

Which APIs execute the create-user that would make it work?

Some help would be appreciated.

@Matias when you say you are using LDAP, do you mean Edge OpenLDAP or AD? From the logs it looks like AD. Can you tell me whether you are using indirect or direct binding?

@Christin Brown

Sorry for the late response.

We are using direct binding with our AD.