Reset admin password

Hey,

I am trying to reset the admin password

Anyone any tips for me?

(Edit by Aleks, October 2020, to simplify reading since this is apparently the top result in search engines now)

Same here. I tried this tip as well as others found on the forum with no luck.

This situation seems to happen quite often if you look at a search on the forum. The admin password gets changed without warning to something unknown to the user.

I start to think this is a bug, and a potentially important security issue, that should be looked into.

In the meantime, can anyone please tell us what the underlying technologies used to log in as admin are, so we can look for a solution in the respective manuals? I guess LDAP is used. What server exactly? Is there anything non-standard we should be aware of, or dependencies?

Thanks

Hi!

The documentation has some mistakes and is incomplete… That’s why you don’t have a /etc/slapd directory. We’ve started to talk about that here, it’s in progress, if you want to join, try, contribute… You’re welcome! :slight_smile:

The admin password is never changed from the YunoHost code - at least not deliberately, we’re not insulated from a bug somewhere.

Just a regular LDAP server using OpenLDAP, where all the users are stored - even the admin one.

Note that we use the /etc/ldap/slapd.conf file at first to generate the /etc/ldap/slapd.d which is then used by the LDAP database to provide the configuration. So, if you modify slapd.conf, it will only take effect after regenerating the slapd.d directory. Alternatively, you can change this behavior by modifying the file /etc/default/slapd - I think it’s related to SLAPD_CONF= - or try to remove the slapd.d directory before restarting slapd…

Thanks very much @jerome for this precious information.

I could simply regenerate the /etc/ldap/slapd.d from the /etc/ldap/slapd.conf as you suggest, adding my admin password to the file. But then will I lose the other users after resetting?

If I understand correctly I could also modify the current settings with ldap_modify feeding it the content of an ldif file.

So I have tried, as root, to add olcRootPW but I get an error: insufficient access (50).

I am doing some research to understand how it should be done, but I’m no ldap expert so any help is welcome!

These are what I have found so far:
slapd config doc: http://www.zytrax.com/books/ldap/ch6/slapd-config.html#contents
ldap insufficient access (50) error: http://serverfault.com/questions/732862/ldap-modify-insufficient-access-50-when-changing-password
ldap_add no such object (32): http://serverfault.com/questions/576473/ldap-add-no-such-object-32-matched-dn-dc-domain-dc-com

You will lose nothing. It’s just the configuration database, not the real one which contains your data - e.g. domains and users. You can maybe read this if it can help you to understand: OpenLDAP Software 2.4 Administrator's Guide: Configuring slapd or Chapter 6: OpenLDAP using OLC (cn=config).

In the case you’ve actually lost your admin password, you’ll not be able to do any operation in the LDAP directory due to a - maybe too strict - ACL: even the root user has no rights… That’s why you have to edit the slapd.conf file.

Fantastic, again thanks for the links and info @jerome

So I ended up doing something I think is not really complete but I still don’t understand fully where is the admin user located:

  • I edited the /etc/ldap/ldap.conf file adding my admin credentials at the end:
    rootdn "cn=admin,dc=yunohost,dc=org"
    rootpw {SSHA}-pw generated with slappasswd-
  • I stopped the service: service slapd stop
  • I moved /etc/ldap/slapd.d to /root/ just in case I would need it back later
  • In /etc/ldap/ I did slaptest -f slapd.conf -F slapd.d, which created slapd.d back.
  • service slapd start

And now I can login as a normal user and also as admin like before.
Do you think this is the complete procedure?

(by the way, I tried removing the slapd.d dir and restart slapd but it does not recreate the dir, it just uses the config file instead, which also works but does not seem to be recommended.)

Thanks a lot for your help. I’m glad I have my admin back and I hope it helps @dosch

I still wonder how it got changed in the first place. I hope it’s a bug and not malicious code.

Hi. I also would love to know how I can reset a forgotten admin password. I followed your described procedure but could not sign in with the newly generated admin password. What is the official best practice for this? Quite a problem when the admin cannot log in anymore because he/she forgot the password.

@frog can you describe what is going wrong?

@bastien Well I tried to follow your instructions above, actually two times, but no success, cannot log in as admin. I will try this again now and give feedback. And yes, this is yunohost 2.4 … Can it really be that hard to reset the admin password? What more detailed information can I give?

This situation seems to happen quite often if you look at a search on the forum. The admin password gets changed without warning to something unknown to the user.

I start to think this is a bug, and a potentially important security issue, that should be looked into.

That’s correct. I did not change my admin password and I’m certain I can remember the original one. How can this happen? Quite a critical bug in my opinion as well.

I’m considering reading the OpenLDAP documentation to better understand the internal workings but I haven’t had time to do so yet (OpenLDAP Software 2.4 Administrator's Guide) …

@bastien: I finally managed to reset the password. Here are some fixes to your “script”:

  1. Instead of editing ldap.conf I had to edit slapd.conf to add the new admin password
  2. I had to create folder /etc/ldap/slapd.d before regenerating config files
  3. I had to set the owner of slapd.d folder to openldap:openldap
  4. after generating config files, I had to set owner of files in slapd.d to “openldap:openldap”

@frog: Good to read that.

Actually I am not an expert when it comes to ldap / slapd. I just went to the doc and tried to figure out how it works and solved my issue.

It looks like your method is quite close to what I did, but instead of tweaking ldap, you did it on slapd. I can’t remember but I think I tried that and it did not work for me, and that’s why I had to do it on ldap.

Anyway I’m glad it works for you now. I sure hope I don’t have to come back to that thread to unlock my admin again. But I keep it in my bookmarks just in case.
Weird bug.

Is there a way that Yunohost might make it easier to solve this problem?
Admins getting locked out of their installation is pretty nasty stuff.

Hi guys,

Thanks for this thread and discussion! (I struggled with this issue many times now :confused: )

Based on the messages of @frog, @bastien and @jerome, I was able to write this small convenient script that allows resetting the admin password while logged in as root :slight_smile: .

(:warning: You might want to backup /etc/ldap before using this, just in case)

# Generate new password hash
NEW_PASSWORD_HASH=$(slappasswd -h {SSHA})

# Stop slapd service...
service slapd stop

# Backup slapd.conf (to be restored at the end of script)
cp /etc/ldap/slapd.conf /root/slapd.conf.bkp

# Append lines to slapd.conf to manually define root password hash
echo 'rootdn "cn=admin,dc=yunohost,dc=org"' >> /etc/ldap/slapd.conf
echo "rootpw $NEW_PASSWORD_HASH" >> /etc/ldap/slapd.conf

# Test conf (might not be entirely necessary though :P)
slaptest -Q -u -f /etc/ldap/slapd.conf

# Regenerate slapd.d directory
rm -Rf /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d/ 2>&1

# Set permissions to slapd.d
chown -R openldap:openldap /etc/ldap/slapd.d/

# Restore slapd.conf
mv /root/slapd.conf.bkp /etc/ldap/slapd.conf

# Restart slapd service
service slapd start

Thanks for your script! I think you should not copy and restore the original slapd.conf file since it will not be considered as manually-modified. In this case, at the next LDAP configuration upgrade, the file will be overridden by the YunoHost configuration regeneration. And finally, when the LDAP configuration database is recreated using the slapd.conf - as it’s done in your script - the root password will also be reset…

Thanks for the feedback. I’m not sure I totally understand what you’re pointing out though. My idea with restoring the original slapd.conf was to avoid the case where you’re changing the admin password with the yunohost cli, but the lines in slapd.conf conflict with it. Or does slapd.conf happen to be edited by some program?

Shall I maybe use this script to set a temporary password, and add a call to yunohost tools adminpw at the end of it to properly set the new one?

It’s related to the new configuration regeneration system - see the v2.4 release note. It allows to manage the configuration files’ update of each service - including LDAP and slapd.conf. When you modify by hand one of those configuration files, it will not be automatically regenerated regarding the YunoHost provided one. Instead, your local modifications will be kept. Conversely, if no modification has been made to this configuration file, it will be updated with the next YunoHost upgrade.

So, if you change the LDAP configuration file to set a new password, then regenerate the configuration database - built from the /etc/ldap/slapd.conf content and stored in /etc/ldap/slapd.d -, then put back the original slapd.conf file, it will be as if no local modification has been made to this file. Thus, this file will be updated with the next YunoHost upgrade - without the admin password. But, the configuration database will also be regenerated from the /etc/ldap/slapd.conf content at the end of the upgrade, and the admin password will be lost again…

Uh, I’m not sure you understand the discussion here? We were talking about the YunoHost admin password … not a Windows admin password :confused:

Btw, since this discussion, a new command was introduced in YunoHost to do the job:

yunohost-reset-ldap-password


Congrats, this is the top result in search engines!

Ignore everything above and just type:

yunohost tools adminpw