First: the following information affects you only if you are managing your own Edge cluster, on your own Linux VMs, and you are using a fresh installation of v4.15.0x, v4.16.01, v4.16.05, or v4.16.09. If you are using the Apigee-managed Edge cloud service, this information does not affect you. If you are using an older version of Edge Private Cloud, this does not affect you.
The openldap installation in Apigee Edge Private Cloud (aka “OPDK”) for those versions enforces a maximum password age of 30 days. In some versions of the documentation for Edge Private Cloud, there is a statement that Edge does not enforce any password age limit. For example, see p. 38 of the Operations Guide for v16.01. But that statement is incorrect. The LDAP Server in Edge does enforce a password age.
In the actual configuration of openldap, the passwords for the users you use to log in to Apigee Edge … will expire, exactly 30 days after the user has been created, or 30 days after the user has reset his or her password. An expired password means the user will not be able to log in to the Apigee Administrative portal.
To see if this problem affects you, or just to examine the password age policy for fun, log in to the machine that runs the openldap server in your Edge OPDK installation. Then run this command:
ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -W -b "cn=default,ou=pwpolicies,dc=apigee,dc=com"
You will be prompted for the LDAP admin password. You should know this; supply it. The output of that command will look something like this:
# extended LDIF
#
# LDAPv3
# base <cn=default,ou=pwpolicies,dc=apigee,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# default, pwpolicies, apigee.com
dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: userPassword
sn: dummy value
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdFailureCountInterval: 300
pwdMaxAge: 2592000
pwdMaxFailure: 3
pwdMinLength: 8
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Notice the line that shows pwdMaxAge: 2592000 in the above. I’m not a math genius, but I think that 2592000 / 86400 (which is the number of seconds in a day) = 30. That means passwords expire after 30 days.
You may wish to lift the password age restriction. (Recent research supports the idea that password expiration policies don’t raise security, and may lead to weaker passwords.)
To eliminate the max password age, in other words to set the LDAP server so that passwords don’t expire, you can run the following two commands:
echo -e "dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0\n" > /tmp/max-age-reset.ldif
ldapmodify -H ldap://localhost:10389 -W -x -D "cn=manager,dc=apigee,dc=com" -f /tmp/max-age-reset.ldif
If you want to just RAISE the password age, substitute your value in seconds for the value of 0 in the above example.
In either case, once again, you will be asked to supply your LDAP admin password.
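As an added example (not code from the original post or from Apigee), here is a small POSIX shell script that parses the ldapsearch output shown above, reports the current pwdMaxAge in days (treating 0 as "no expiry"), and builds the same modify LDIF after validating the value. The sample LDIF is constructed from the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example: parse the pwpolicies entry, report the max age, build the LDIF.
# Runs offline on a constructed sample; swap in real ldapsearch output to use it.

# Constructed sample: the pwdPolicy entry as printed by the ldapsearch command.
SAMPLE_LDIF='dn: cn=default,ou=pwpolicies,dc=apigee,dc=com
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdExpireWarning: 604800
pwdMaxAge: 2592000
pwdMinLength: 8'

# Print the pwdMaxAge value (seconds) from LDIF on stdin; print 0 if absent
# (in the ppolicy overlay an unset pwdMaxAge means passwords do not expire).
pwd_max_age_seconds() {
  awk -F': ' 'tolower($1)=="pwdmaxage" {v=$2} END {print (v=="" ? 0 : v)+0}'
}

# Describe a pwdMaxAge in whole days; 0 is "no expiry", not "0 days".
describe_max_age() {
  secs=$1
  if [ "$secs" -eq 0 ]; then
    echo "no-expiry"
  else
    echo "$((secs / 86400))d"
  fi
}

# Emit the LDIF that sets pwdMaxAge to $1 seconds on the default policy
# (same content as the echo -e command in the post, with the value checked first).
make_max_age_ldif() {
  case $1 in
    ''|*[!0-9]*) echo "make_max_age_ldif: need a non-negative integer" >&2; return 1 ;;
  esac
  printf 'dn: cn=default,ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: %s\n' "$1"
}

# Stand-alone demo: report the sample's age and print the LDIF for a 90-day policy.
current=$(printf '%s\n' "$SAMPLE_LDIF" | pwd_max_age_seconds)
echo "current pwdMaxAge: $current seconds ($(describe_max_age "$current"))"
make_max_age_ldif $((90 * 86400))
```

Feed the real entry with `ldapsearch ... -b "cn=default,ou=pwpolicies,dc=apigee,dc=com" | pwd_max_age_seconds`, and redirect the LDIF into a file for the ldapmodify command above.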
OK, that will change the password policy, BUT this policy will govern all user accounts that get created, or all accounts for which passwords are set or reset, from that point onward.
Any user accounts created between the time you installed OPDK 16.01 and the time you modified the pwdMaxAge policy will be governed by the policy that was in place when the user's password was set, which means those users will see their passwords expire after 30 days.
To fix THAT problem, you may wish to use this command to forcibly reset a user's password:
ldappasswd -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -W -S "uid=LDAP_UUID_OF_ACCOUNT,ou=users,ou=global,dc=apigee,dc=com"
You must replace the string LDAP_UUID_OF_ACCOUNT with the actual uid for the user in question. What is that uid? You are surely wondering. Well, I don't know. But you can find out, by first running the ldapsearch command shown here:
ldapsearch -H ldap://localhost:10389 -x -D "cn=manager,dc=apigee,dc=com" -W -b "ou=users,ou=global,dc=apigee,dc=com"
This will show you the accounts in your openldap server, and all of their uids. You may set passwords for all of them using repeated invocations of the ldappasswd command shown above.
Finally, I believe that if you have an SMTP server set up properly, then Apigee Edge will send out an email notifying people that their passwords will soon expire, along with a link they can click to reset the password on their own. This also works. The steps I described above are useful if you don't have SMTP set up, or … if you'd like to avoid the problem completely.