I tried resetting the system admin email and password using the instructions provided in https://docs.apigee.com/private-cloud/v4.19.01/resetting-passwords#resetsystemadminpassword. However, It doesnt appear that the password change has taken effect. I am not able to recover the old password as well.
What is the way out? Is it possible to reinstall OpenLDAP and create users all over again? This is for a 5 node Apigee OPDK installation.
@paulmibus any pointers would be appreciated
OpenLDAP is a different issue.
Sysadmin password is independent of OpenLDAP.
I think you need to talk with someone about the problem you’re confronting.
@Carlos Frias maybe you know someone.
@Dino-at-Google Wouldnt the sys admin password be stored in OpenLDAP?
Let me give some background of the issue. We recently installed 4.19.01 OPDK. The org admin passwords expired after 30 days and the email notifications were not sent out due to an SMTP connectivity issue. I tried changing the passwords using the sys admin user name and password. Unfortunately, the sysadmin is the orgadmin as well and the passwords got messed up somewhere and i was unable to recover the sys admin password. I followed the links provided in https://docs.apigee.com/private-cloud/v4.19.01/resetting-passwords#resetsystemadminpassword and https://docs.apigee.com/private-cloud/v4.19.01/openldap-maintenance-tasks#manuallysetedgeadminpassword, but it dint help much.
I have raised a Support Ticket and awaiting the response. If things dont work out, is it possible to that we reinstall OpenLDAP only and create the users again?
Hmmm!
The orgadmin is usually different than sysadmin!
Think of sysadmin as “apigee root”, while every other account, including an account with orgadmin role, has limited powers.
I am familiar with the 30 day expiry and the lockout problems that can occur if you lack SMTP connectivity. I wrote an article describing how to eliminate or raise the max password age, and also how to reset any user’s password in LDAP.
While it was written some time ago, I believe it may still help you in your case. It basically mirrors the information available in the “manually set edge admin password” link you provided, but it has more detail.
See if that helps you.
What I suggest is:
Reinstalling LDAP won’t help since that will just reinstall the binaries without changing the database.
The sysadmin shouldn’t be subject to the 30-day password expiration as it is by default linked to a non-expiring password policy. It’s possible this was changed after the installation was complete.
As a last resort you can simply change the password of the user at the database level. The root DN password isn’t affected by application-level user accounts or password expiration so the password you used at installation time (or the last time you changed the root DN password) should still work for resetting the Apigee sysadmin password.
To see details about the Apigee sysadmin, run this on the management server:
ldapsearch -H ldap://localhost:10389 -D cn=manager,dc=apigee,dc=com -b dc=apigee,dc=com -W -s sub' uid=admin
The “mail” field shows which email ID is currently being used as the sysadmin. To test the password, run this and enter the password you believe to be correct:
ldapsearch -H ldap://localhost:10389 -D uid=admin,ou=users,ou=global,dc=apigee,dc=com -b uid=admin,ou=users,ou=global,dc=apigee,dc=com -W
There are a few ways to reset the password for that account at the database level. Here’s a nice article that covers a few of them depending on whether you know the password or not: https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
I did an ldapsearch and found that there is no user with uid=admin. I manually added the user using an ldapadd. However, this user doesnt seem to be the sysadmin as yet. How do I make the user a sysadmin?
I get 403 Forbidden when I tried the following API : http://MS-IP:8080/v1/servers/self
Any help will be appreciated! @paulmibus
I recommend opening a ticket with support at https://apigee.com/about/support/portal/ for this one. If the admin DN is missing then you may have more extensive database corruption that requires some dedicated troubleshooting.
Did you recently restore from a backup, upgrade the system, or reconfigure the cluster in some way?
@paulmibus We have opened a Support ticket. In the meanwhile, I could resolve by adding a uid=“admin” and assigning the admin user to the sysadmin group.
ldapadd -w ldappassword -D “cn=manager,dc=apigee,dc=com” -h localhost -p 10389 -f /tmp/admin.ldif
ldapmodify -H ldap://localhost:10389 -W -x -D “cn=manager,dc=apigee,dc=com” -f ./addsysadmin.ldif
Sample “admin.ldif”:
dn: uid=admin,ou=users,ou=global,dc=apigee,dc=com
objectClass: inetOrgPerson
uid: admin
cn: admin sn:
admin mail: abc@example.com
userPassword:: encryptedPwd
Sample “addsysadmin.ldif”:
dn: cn=sysadmin,ou=userroles,ou=global,dc=apigee,dc=com
changetype: modify
add: roleOccupant
roleOccupant: uid=admin,ou=users,ou=global,dc=apigee,dc=com
Once the admin user got added, I could run the following Management API :
curl -u abc@example.com -X GET http://MS-IP:8080/v1/users/abc@example.com/userroles
Response :
{ “role”: [ { “name”: “sysadmin” } ] }
Once the sysadmin got recovered, I could reset the passwords for the orgadmin users.