Upgrading the Apigee Edge OpenLDAP component (apigee-openldap) from 4.16.x to 4.17.01 can fail when external authentication is used.

If you are currently using external authentication, you might run into an error like the following during the upgrade of the OpenLDAP component.

apigee-configutil: apigee-openldap: # OK
updated property lib_settings_ldap_port in file /opt/apigee/token/application/openldap.properties
updated property RUN_USER in file /opt/apigee/etc/apigee-openldap.d/apigee-openldap.sh
updated property lib_settings_apigee_bind_dn in file /opt/apigee/token/application/openldap.properties
apigee-configutil: apigee-openldap: # OK
apigee-configutil: apigee-openldap: # OK
apigee-service: apigee-openldap: Not running (NO_LOCKFILE)
apigee-service: apigee-openldap: status=2, continuing
apigee-service: apigee-openldap: OK
apigee-service: apigee-openldap: apigee-openldap is running
Set LDAP ROOTDN password
Error: OpenLDAP password could not be changed
Importing ppolicy olcOverlay
Configure Apigee DIT
ldap_add: Already exists (68)
adding new entry "dc=apigee,dc=com"
ldap_add: Already exists (68)
adding new entry "ou=global,dc=apigee,dc=com"
ldap_add: Already exists (68)
adding new entry "ou=organizations,dc=apigee,dc=com"
ldap_add: Already exists (68)
adding new entry "ou=permissions,dc=apigee,dc=com"
adding new entry "ou=pwpolicies,dc=apigee,dc=com"
adding new entry "cn=default,ou=pwpolicies,dc=apigee,dc=com"
adding new entry "cn=sysadmin,ou=pwpolicies,dc=apigee,dc=com"
ldap_modify: No such object (32)
matched DN: ou=users,ou=global,dc=apigee,dc=com
modifying entry "uid=admin,ou=users,ou=global,dc=apigee,dc=com"

The problem here is that the upgrade process assumes you have an “admin” user with a sys-admin role. With external authentication this user may never have been set up (or may have been removed), so the ldap_modify step that updates it fails with "No such object (32)".

To fix this we simply need to add the admin user to the Apigee OpenLDAP server. Create a text file called admin.ldif (the exact name does not matter) with the following contents:

dn: uid=admin,ou=users,ou=global,dc=apigee,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
uid: admin
cn: admin
sn: admin

We then need to add this entry to the Apigee OpenLDAP server. Run the following on the server that apigee-openldap is running on:

ldapadd -h localhost -p 10389 -x -W -D "cn=manager,dc=apigee,dc=com" -f admin.ldif 

The port given here (10389) is the default one Apigee Edge uses; yours may be different. The user is never used, so it can be left in place after the upgrade.

Rerun the upgrade.
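The following Python script is an added example (not part of the original write-up or of the Apigee tooling) that ties the diagnosis and the fix together: it parses the failed ldap_modify step from the upgrade log, works out which entries are missing from the matched DN (the deepest entry that does exist, so everything in front of it is absent), and generates the LDIF for the missing admin user with the attributes shown above. The log text is a constructed sample copied from the output above; the function names are my own.

```python
import re

# Constructed sample: the failed ldap_modify step from the upgrade output
# quoted above. ldapmodify may print the result and matched DN on one line.
SAMPLE_LOG = """\
ldap_modify: No such object (32)
matched DN: ou=users,ou=global,dc=apigee,dc=com
modifying entry "uid=admin,ou=users,ou=global,dc=apigee,dc=com"
"""

# Result 32 (noSuchObject) is the real failure. Result 68 (entryAlreadyExists)
# on the ldap_add lines is harmless: those entries are simply already present.
_NO_SUCH_OBJECT = re.compile(
    r'ldap_modify: No such object \(32\)\s*matched DN: (?P<matched>\S+)\s*'
    r'modifying entry "(?P<target>[^"]+)"')


def split_dn(dn):
    """Split a DN into its RDN components (the Apigee DIT has no escaped commas)."""
    return [rdn.strip() for rdn in dn.split(",")]


def find_missing_entries(log_text):
    """Return the DNs that must be created, parent first, or [] if no such failure."""
    m = _NO_SUCH_OBJECT.search(log_text)
    if not m:
        return []
    target = split_dn(m.group("target"))
    matched = split_dn(m.group("matched"))
    # The matched DN is the longest existing suffix of the target DN, so the
    # RDNs in front of it name the entries that do not exist yet.
    if target[-len(matched):] != matched:
        raise ValueError("matched DN is not a suffix of the target DN")
    depth = len(target) - len(matched)
    return [",".join(target[i:]) for i in range(depth - 1, -1, -1)]


def admin_user_ldif(dn):
    """LDIF for the placeholder admin user (uid= leaf), as on this page."""
    rdn_attr, rdn_value = split_dn(dn)[0].split("=", 1)
    return "\n".join([
        "dn: " + dn,
        "objectClass: organizationalPerson",
        "objectClass: person",
        "objectClass: inetOrgPerson",
        "objectClass: top",
        f"{rdn_attr}: {rdn_value}",
        "cn: " + rdn_value,
        "sn: " + rdn_value,
    ]) + "\n"
```

Feed the upgrade output to find_missing_entries and write admin_user_ldif of the returned DN to admin.ldif before running the ldapadd command above; if more than one DN comes back, the intermediate ou= containers are missing too and need their own entries first.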