Password reset for administrator's account
In some cases, the password for the system administrator (sysadmin) needs to be reset using the backend. To do that, follow the instructions below.
First, you need to assign a Super Security Admin role to one of your existing users. This user will be granted admin access specifically for resetting the sysadmin password. Once you are done with password reset for sysadmin, you can revoke this access from the user .
Follow below steps in your non-production environment first and if it works for you, you can use it with the production environment as well.
- Connect to a database.
- Login to the server.
- Get the database container ID ()
Example: if you use Docker and MariaDB, run.
sudo docker ps | grep mariadb | awk '{print $1}'
In case you use any other database, please connect to it as usual.
With the commands above, you will get the list of all containers. Search for your container and get the container ID of your database.
Another way to get your DB Container ID is to replace yourDbName
with your database name in the below command.
sudo docker ps | grep yourDbName | awk '{print $1}'
- Once you get the DB Container ID, run
sudo docker exec -it containerid bash
Note: Replace containerid
in the above command with the DB container ID.
- Enter the DB credentials.
- To get the list of databases, run
show databases
- You need to use OpenIAM database, hence run
use openiam
Run the insert command in your database (use the
USER_ROLE
table) for the user to whom you want to give temporary admin access.Perform the following insert statement.
insert into USER_ROLE(USER_ID,ROLE_ID,MEMBERSHIP_ID) values('8a80811590825838019082f37d4201f5','9','TEMP_ADMIN_MEMBER');
In the query
USER_ID
is the column, which should have your user ID which you can get fromLOGIN
table, e.g.USER_ID
is selected fromLOGIN
, where LOGIN='your user name'. Put username of the user you want to make a temporary admin;ROLE_ID
should be set to '9' as shown above, this value is used for Super Securiy Admin role.MEMBERSHIP_ID
(Primary Key) has a value ofTEMP_ADMIN_MEMBER
.
- Once you are able to insert the record in this table, you need to call to rebuild API for authentication graph by running a curl command given below.
If OpenIAM is installed via Docker
- Login to the server.
- Get the ESB Container ID, by running
sudo docker ps | grep esb | awk '{print $1}'
- After, run
sudo docker exec -it containerid bash
Note: Replace containerid
in the above command with the ESB container ID.
- Inside the ESB container, run the below command
curl http://localhost:9080/openiam-esb/authmanager/rebuildGraph
If OpenIAM is installed via RPM
Login to the server and run the following commands.
sudo sucurl http://localhost:9080/openiam-esb/authmanager/rebuildGraph
After this, the user to whom you are giving a temporary admin access, will have access to OpenIAM webconsole. Please, login as the user and find sysadmin (or any other admin account that you lost password for) and click on the Reset password section in the left menu, and proceed with reset password.
Afterwards, login as a user for whom we just performed reset password to make sure it works properly before removing the role from temporary admin user.
You might be prompted to reset the password again. If so, enter the current password (the one you just set) and provide a new password in the new password fields.
Save these changes.
Attempt to log in using the new credentials to sysadmin.
Revoke the access once you are done with sysadmin password reset, by removing the Super Security Admin role under user Entitlements section for the user you gave temporary access to. To do that, search for the user in webconsole go to User Entitlements > Roles > Remove the role named Super Security Admin.