From OPDK 14.07 onwards, pwpolicy (the OpenLDAP password-policy overlay) is included for OpenLDAP in our OPDK.
There is a possibility that the users (sysadmin and default users) will have their passwords expire, as we don't have a mechanism to alert about the upcoming password expiry. If the sysadmin gets locked out, there is no easy way to recover from it.
The default timeout is pwdMaxAge 2592000. This value is in seconds and is equivalent to 30 days.
In order to avoid this, we can disable password expiry and lockout just for the sysadmin and default password policies by using the script below.
#!/bin/bash
# Prompts for the LDAP manager password (echoing one '*' per character), then
# sets pwdMaxAge to 0 (password never expires) and pwdLockout to FALSE on the
# "default" and "sysadmin" password policies under ou=pwpolicies.
echo "Please enter your LDAP password"
password=""
while IFS= read -r -s -n1 ldappw; do
  if [[ -z $ldappw ]]; then
    echo
    break
  else
    echo -n '*'
    password+=$ldappw
  fi
done

BIND_DN="cn=manager,dc=apigee,dc=com"
LDAP_URI="ldap://localhost:10389"

for policy in default sysadmin; do
  # Disable password expiry for this policy.
  echo -e "dn: cn=${policy},ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 0" | tee "./cn_${policy}_MaxAge.ldif"
  ldapmodify -x -w "$password" -D "$BIND_DN" -H "$LDAP_URI" -f "./cn_${policy}_MaxAge.ldif"
  # Disable lockout for this policy.
  echo -e "dn: cn=${policy},ou=pwpolicies,dc=apigee,dc=com\nchangetype: modify\nreplace: pwdLockout\npwdLockout: FALSE" | tee "./cn_${policy}_Lockout.ldif"
  ldapmodify -x -w "$password" -D "$BIND_DN" -H "$LDAP_URI" -f "./cn_${policy}_Lockout.ldif"
done

# Remove the temporary LDIF files.
rm -f ./cn_*.ldif
The script above prevents expiry and lockout for the sysadmin and default password policies.
This script has to be run on the LDAP server box of the OPDK installation.
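The missing piece the article names is an alert before expiry. The following added example (it is not part of the article and not Apigee's own tooling) computes, for each user entry, how many days remain until pwdChangedTime + pwdMaxAge, so a cron job can warn administrators before the 30-day default elapses instead of turning expiry off. The sample ldapsearch output and the user DNs in it are constructed for the example; the search base ou=users,ou=global,dc=apigee,dc=com shown in the comment is an assumption, not taken from the article.

```shell
#!/bin/sh
# Added example, not from the article: warn before ppolicy password expiry.
# Reads LDIF lines (dn / pwdChangedTime) such as those printed by ldapsearch
# and lists entries whose password expires within a warning window.
# pwdChangedTime is an operational attribute, so it must be requested by name
# (search base below is an assumption, not taken from the article):
#   ldapsearch -x -LLL -H ldap://localhost:10389 -D "cn=manager,dc=apigee,dc=com" -W \
#     -b "ou=users,ou=global,dc=apigee,dc=com" "(objectClass=*)" pwdChangedTime

# Days since 1970-01-01 for a civil date (Howard Hinnant's days_from_civil),
# so the script does not depend on GNU "date -d".
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$(( (y >= 0 ? y : y - 399) / 400 ))
  yoe=$(( y - era * 400 ))
  doy=$(( (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# LDAP GeneralizedTime (YYYYMMDDhhmmssZ) -> Unix epoch seconds.
gentime_to_epoch() {
  t=$1
  yr=$(printf '%s' "$t" | cut -c1-4)
  mo=$(printf '%s' "$t" | cut -c5-6);   mo=${mo#0}
  dy=$(printf '%s' "$t" | cut -c7-8);   dy=${dy#0}
  hh=$(printf '%s' "$t" | cut -c9-10);  hh=${hh#0}
  mm=$(printf '%s' "$t" | cut -c11-12); mm=${mm#0}
  ss=$(printf '%s' "$t" | cut -c13-14); ss=${ss#0}
  days=$(days_from_civil "$yr" "$mo" "$dy")
  echo $(( days * 86400 + hh * 3600 + mm * 60 + ss ))
}

# Whole days until pwdChangedTime + pwdMaxAge, relative to $3 (epoch seconds).
# Negative means already expired; "never" when pwdMaxAge is 0, which is the
# value the article's script sets.
pwd_days_remaining() {
  changed=$1; max_age=$2; now=$3
  if [ "$max_age" -eq 0 ]; then echo never; return 0; fi
  expires=$(( $(gentime_to_epoch "$changed") + max_age ))
  printf '%s\n' $(( (expires - now) / 86400 ))
}

# Print "<dn> expires in <n> days" for every entry within $4 days of expiry.
report_expiring() {
  ldif=$1; max_age=$2; now=$3; warn_days=$4
  printf '%s\n' "$ldif" | {
    dn=""
    while IFS= read -r line; do
      case $line in
        dn:*) dn=${line#dn: } ;;
        pwdChangedTime:*)
          left=$(pwd_days_remaining "${line#pwdChangedTime: }" "$max_age" "$now")
          if [ "$left" != never ] && [ "$left" -le "$warn_days" ]; then
            printf '%s expires in %s days\n' "$dn" "$left"
          fi ;;
      esac
    done
  }
}

# Constructed sample: two users, as ldapsearch -LLL would print them (DNs made up).
SAMPLE_LDIF='dn: uid=alice,ou=users,ou=global,dc=apigee,dc=com
pwdChangedTime: 20240601000000Z

dn: uid=bob,ou=users,ou=global,dc=apigee,dc=com
pwdChangedTime: 20240625000000Z'

# The article's default pwdMaxAge (2592000 s = 30 days); "now" is fixed at
# 2024-07-01T00:00:00Z so the run is reproducible. In a cron job use $(date +%s).
report_expiring "$SAMPLE_LDIF" 2592000 1719792000 7
```

With the sample data only alice is reported (her password reaches 30 days on the fixed "now"); widening the window to 30 days also lists bob at 24 days. Keeping pwdMaxAge at its default and alerting a week ahead preserves the policy's intent; note that pwdLockout: FALSE in the article's script also disables the lockout that ppolicy applies after pwdMaxFailure consecutive failed binds, so that change removes a brute-force control as well as the expiry-related lockout.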