Reset SysAdmin password not working for OPDK 4.19.01

I tried resetting the system admin email and password using the instructions provided in https://docs.apigee.com/private-cloud/v4.19.01/resetting-passwords#resetsystemadminpassword. However, it doesn't appear that the password change has taken effect. I am not able to recover the old password either.

What is the way out? Is it possible to reinstall OpenLDAP and create users all over again? This is for a 5 node Apigee OPDK installation.


@paulmibus any pointers would be appreciated

OpenLDAP is a different issue.

Sysadmin password is independent of OpenLDAP.

I think you need to talk with someone about the problem you're confronting.

@Carlos Frias maybe you know someone.

@Dino-at-Google Wouldn't the sysadmin password be stored in OpenLDAP?

Let me give some background on the issue. We recently installed 4.19.01 OPDK. The org admin passwords expired after 30 days and the email notifications were not sent out due to an SMTP connectivity issue. I tried changing the passwords using the sysadmin user name and password. Unfortunately, the sysadmin is the orgadmin as well, and the passwords got messed up somewhere and I was unable to recover the sysadmin password. I followed the links provided in https://docs.apigee.com/private-cloud/v4.19.01/resetting-passwords#resetsystemadminpassword and https://docs.apigee.com/private-cloud/v4.19.01/openldap-maintenance-tasks#manuallysetedgeadminpasswo..., but it didn't help much.

I have raised a Support Ticket and am awaiting the response. If things don't work out, is it possible that we reinstall OpenLDAP only and create the users again?

Hmmm!

The orgadmin is usually different than sysadmin!

Think of sysadmin as "apigee root", while every other account, including an account with orgadmin role, has limited powers.

I am familiar with the 30 day expiry and the lockout problems that can occur if you lack SMTP connectivity. I wrote an article describing how to eliminate or raise the max password age, and also how to reset any user's password in LDAP.

Find it here.

While it was written some time ago, I believe it may still help you in your case. It basically mirrors the information available in the "manually set edge admin password" link you provided, but it has more detail.

See if that helps you.

What I suggest is:

  • change sysadmin to be a unique account
  • set the orgadmin password in LDAP according to the "manually reset" approach (you can read the doc page as well as my community article, and you will be able to find other helpful community articles too, if you search for them.)
  • make sure you restart the UI after updating the config file, so that the UI is using the new admin password.

Reinstalling LDAP won't help since that will just reinstall the binaries without changing the database.

The sysadmin shouldn't be subject to the 30-day password expiration as it is by default linked to a non-expiring password policy. It's possible this was changed after the installation was complete.

As a last resort you can simply change the password of the user at the database level. The root DN password isn't affected by application-level user accounts or password expiration so the password you used at installation time (or the last time you changed the root DN password) should still work for resetting the Apigee sysadmin password.

To see details about the Apigee sysadmin, run this on the management server:

ldapsearch -x -H ldap://localhost:10389 -D cn=manager,dc=apigee,dc=com -b dc=apigee,dc=com -W -s sub 'uid=admin'

The "mail" field shows which email ID is currently being used as the sysadmin. To test the password, run this and enter the password you believe to be correct:

ldapsearch -x -H ldap://localhost:10389 -D uid=admin,ou=users,ou=global,dc=apigee,dc=com -b uid=admin,ou=users,ou=global,dc=apigee,dc=com -W

There are a few ways to reset the password for that account at the database level. Here's a nice article that covers a few of them depending on whether you know the password or not: https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-serv...

I did an ldapsearch and found that there is no user with uid=admin. I manually added the user using an ldapadd. However, this user doesn't seem to be the sysadmin as yet. How do I make the user a sysadmin?

I get 403 Forbidden when I tried the following API : http://MS-IP:8080/v1/servers/self

Any help will be appreciated! @paulmibus

I recommend opening a ticket with support at https://apigee.com/about/support/portal/ for this one. If the admin DN is missing then you may have more extensive database corruption that requires some dedicated troubleshooting.

Did you recently restore from a backup, upgrade the system, or reconfigure the cluster in some way?

@paulmibus We have opened a Support ticket. In the meanwhile, I could resolve it by adding a uid="admin" and assigning the admin user to the sysadmin group.

1) Add admin to Openldap by using following command :

ldapadd -x -w ldappassword -D "cn=manager,dc=apigee,dc=com" -h localhost -p 10389 -f /tmp/admin.ldif

2) Add the admin user as a roleOccupant in sysadmin:

ldapmodify -H ldap://localhost:10389 -W -x -D "cn=manager,dc=apigee,dc=com" -f ./addsysadmin.ldif

Sample "admin.ldif":

dn: uid=admin,ou=users,ou=global,dc=apigee,dc=com
objectClass: inetOrgPerson
uid: admin
cn: admin
sn: admin
mail: abc@example.com
userPassword:: encryptedPwd

Sample "addsysadmin.ldif":

dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
changetype: modify
add: roleOccupant
roleOccupant: uid=admin,ou=users,ou=global,dc=apigee,dc=com

Once the admin user got added, I could run the following Management API :

curl -u abc@example.com -X GET http://MS-IP:8080/v1/users/abc@example.com/userroles

Response :

{ "role": [ { "name": "sysadmin" } ] }

Once the sysadmin got recovered, I could reset the passwords for the orgadmin users.
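Added example, not code from the thread, from Apigee or from any of the posters: a small POSIX shell script that ties paulmibus's ldapsearch checks and the recovery steps above (create uid=admin, make it a roleOccupant of cn=sysadmin, reset the password at the LDAP level) into reusable functions, and checks the outcome from ldapsearch output instead of by eye. It assumes the DNs and port used in the thread (cn=manager,dc=apigee,dc=com as root DN, ou=users,ou=global and cn=sysadmin,ou=userroles,ou=global under dc=apigee,dc=com, port 10389); LDAP_URI, the hashed password and the sample sysadmin entry are placeholders or constructed here. Unlike the posted admin.ldif, it writes userPassword with a single colon and a pre-hashed value, since a double colon in LDIF means "base64-encoded value follows", not "encrypted".

```shell
#!/bin/sh
# Added example (not from the thread). Builds the two LDIF files used in the
# recovery, checks from ldapsearch output whether a uid occupies cn=sysadmin,
# and wraps the database-level password reset with ldappasswd.
# DNs/port follow the thread; LDAP_URI, the hash and the sample are placeholders.

LDAP_URI="${LDAP_URI:-ldap://localhost:10389}"
BASE_DN="dc=apigee,dc=com"
MANAGER_DN="cn=manager,$BASE_DN"
USERS_OU="ou=users,ou=global,$BASE_DN"
SYSADMIN_DN="cn=sysadmin,ou=userroles,ou=global,$BASE_DN"

# LDIF for the admin user entry. Takes a pre-hashed password, e.g. the output
# of `slappasswd -s 'secret'`, so no cleartext password lands in the file.
admin_user_ldif() {
  _uid="$1"; _mail="$2"; _hashed="$3"
  printf 'dn: uid=%s,%s\n' "$_uid" "$USERS_OU"
  printf 'objectClass: inetOrgPerson\n'
  printf 'uid: %s\ncn: %s\nsn: %s\nmail: %s\n' "$_uid" "$_uid" "$_uid" "$_mail"
  printf 'userPassword: %s\n' "$_hashed"
}

# LDIF that adds the user as a roleOccupant of the sysadmin role.
sysadmin_role_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: roleOccupant\n' "$SYSADMIN_DN"
  printf 'roleOccupant: uid=%s,%s\n' "$1" "$USERS_OU"
}

# ldapsearch folds long attribute values onto continuation lines that start
# with a space; rejoin them so each attribute is on exactly one line.
unwrap_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { print "" }
       { printf "%s", $0 }
       END { print "" }'
}

# Reads LDIF of the cn=sysadmin entry on stdin; exit 0 if uid is a roleOccupant.
is_sysadmin_occupant() {
  unwrap_ldif | grep -qxF "roleOccupant: uid=$1,$USERS_OU"
}

# Live helpers (prompt for the manager/root DN password; not run here).
fetch_sysadmin_entry() {
  ldapsearch -x -LLL -H "$LDAP_URI" -D "$MANAGER_DN" -W \
    -b "$SYSADMIN_DN" -s base roleOccupant
}
apply_ldif() {                       # apply_ldif add|modify file.ldif
  case "$1" in
    add)    ldapadd    -x -H "$LDAP_URI" -D "$MANAGER_DN" -W -f "$2" ;;
    modify) ldapmodify -x -H "$LDAP_URI" -D "$MANAGER_DN" -W -f "$2" ;;
  esac
}
reset_user_password() {              # -S prompts for the new password
  ldappasswd -x -H "$LDAP_URI" -D "$MANAGER_DN" -W -S "uid=$1,$USERS_OU"
}

# Constructed sample of what fetch_sysadmin_entry returns, with the
# roleOccupant value folded the way ldapsearch folds long lines.
SAMPLE_SYSADMIN_ENTRY='dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
roleOccupant: uid=admin,ou=users,ou=global,
 dc=apigee,dc=com
'

# Offline demonstration against the constructed sample.
if printf '%s' "$SAMPLE_SYSADMIN_ENTRY" | is_sysadmin_occupant admin; then
  echo "admin occupies cn=sysadmin"
else
  echo "admin is NOT a sysadmin role occupant; apply sysadmin_role_ldif"
fi
```

Against a live management server the sequence is: `admin_user_ldif admin abc@example.com "$(slappasswd -s 'newpass')" > /tmp/admin.ldif` and `apply_ldif add /tmp/admin.ldif` (skip this if `ldapsearch ... 'uid=admin'` already finds the entry), `sysadmin_role_ldif admin > /tmp/addsysadmin.ldif` and `apply_ldif modify /tmp/addsysadmin.ldif`, then `fetch_sysadmin_entry | is_sysadmin_occupant admin` to confirm before trying the management API, and `reset_user_password admin` when only the password is lost. Binding as the root DN works regardless of the application-level password policy, which is why the last step does not need the old sysadmin password; the UI still has to be restarted afterwards so it picks up the new credentials, as noted earlier in the thread.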