Password reset for administrator's account

In some cases, the password for the system administrator (sysadmin) needs to be reset using the backend. To do that, follow the instructions below.

First, you need to assign the Super Security Admin role to one of your existing users. This user will be granted admin access specifically for resetting the sysadmin password. Once you are done with the password reset for sysadmin, you can revoke this access from the user.

Follow the steps below in your non-production environment first; if they work for you, you can use them in the production environment as well.

  1. Connect to a database.
  • Log in to the server.
  • Get the database container ID.

Example: if you use Docker and MariaDB, run:

sudo docker ps | grep mariadb | awk '{print $1}'

In case you use any other database, please connect to it as usual.

With the commands above, you will get the list of all containers. Search for your container and get the container ID of your database. Another way to get your DB container ID is to replace yourDbName with your database name in the command below.

sudo docker ps | grep yourDbName | awk '{print $1}'
  • Once you get the DB Container ID, run
sudo docker exec -it containerid bash

Note: Replace containerid in the above command with the DB container ID.

  • Enter the DB credentials.
  • To get the list of databases, run
show databases;
  • You need to use the OpenIAM database, so run
use openiam;
  2. Run the insert command in your database (use the USER_ROLE table) for the user to whom you want to give temporary admin access.

  3. Perform the following insert statement.

insert into USER_ROLE(USER_ID,ROLE_ID,MEMBERSHIP_ID) values('8a80811590825838019082f37d4201f5','9','TEMP_ADMIN_MEMBER');

In the query:

  • USER_ID is the column that should contain the ID of the user you want to make a temporary admin. You can get it from the LOGIN table, e.g. select USER_ID from LOGIN where LOGIN='your user name', using that user's username.
  • ROLE_ID should be set to '9' as shown above; this value is used for the Super Security Admin role.
  • MEMBERSHIP_ID (Primary Key) has a value of TEMP_ADMIN_MEMBER.
  4. Once you are able to insert the record in this table, you need to call the rebuild API for the authentication graph by running the curl command given below.

If OpenIAM is installed via Docker

  • Log in to the server.
  • Get the ESB container ID by running
sudo docker ps | grep esb | awk '{print $1}'
  • After that, run
sudo docker exec -it containerid bash

Note: Replace containerid in the above command with the ESB container ID.

  • Inside the ESB container, run the command below
curl http://localhost:9080/openiam-esb/authmanager/rebuildGraph

If OpenIAM is installed via RPM

Log in to the server and run the following commands.

sudo su
curl http://localhost:9080/openiam-esb/authmanager/rebuildGraph
  5. After this, the user to whom you gave temporary admin access will have access to the OpenIAM webconsole. Log in as that user, find sysadmin (or any other admin account whose password you lost), click the Reset password section in the left menu, and proceed with the password reset.

  6. Afterwards, log in as the user whose password was just reset to make sure it works properly before removing the role from the temporary admin user.

  7. You might be prompted to reset the password again. If so, enter the current password (the one you just set) and provide a new password in the new password fields.

  8. Save these changes.

  9. Attempt to log in to sysadmin using the new credentials.

  10. Revoke the access once you are done with the sysadmin password reset by removing the Super Security Admin role under the User Entitlements section for the user you gave temporary access to. To do that, search for the user in the webconsole and go to User Entitlements > Roles > Remove the role named Super Security Admin.
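
The read-only checks below are an added example, not part of the OpenIAM documentation: run from the same database connection used above, they confirm which account receives the role and that no Super Security Admin membership is left behind after the revocation. They assume only the LOGIN and USER_ROLE columns named above, that removing the role in the webconsole deletes the corresponding USER_ROLE row, and a constructed username jdoe.

```sql
-- Added example: read-only checks around the temporary grant.
-- Assumes only the tables and columns named on this page:
--   LOGIN(USER_ID, LOGIN) and USER_ROLE(USER_ID, ROLE_ID, MEMBERSHIP_ID).
-- 'jdoe' is a constructed username; replace it with the temporary admin's.

-- 1. Before the insert: the username must resolve to a USER_ID.
--    No row means a wrong username; if several rows come back, check
--    them by hand before using an ID in the insert.
select USER_ID, LOGIN
from LOGIN
where LOGIN = 'jdoe';

-- 2. Before the insert: record who already holds role '9'.
--    Keep this output as the baseline for the comparison in check 5.
select ur.USER_ID, ur.MEMBERSHIP_ID, l.LOGIN
from USER_ROLE ur
left join LOGIN l on l.USER_ID = ur.USER_ID
where ur.ROLE_ID = '9'
order by ur.USER_ID;

-- 3. Before the insert and again after the revoke: look for the fixed
--    membership ID. A row here before the insert means an earlier
--    temporary grant was never removed (MEMBERSHIP_ID is the primary key,
--    so the insert would also fail on it). After the revoke, expect no rows.
select USER_ID, ROLE_ID, MEMBERSHIP_ID
from USER_ROLE
where MEMBERSHIP_ID = 'TEMP_ADMIN_MEMBER';

-- 4. After the revoke: the temporary admin must no longer hold role '9'
--    under any membership ID. Expect no rows.
select ur.USER_ID, ur.ROLE_ID, ur.MEMBERSHIP_ID
from USER_ROLE ur
join LOGIN l on l.USER_ID = ur.USER_ID
where l.LOGIN = 'jdoe'
  and ur.ROLE_ID = '9';

-- 5. After the revoke: rerun query 2 and compare it with the baseline.
--    Any USER_ID that was not in the baseline still holds role '9'.
```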