
Resetting password via cli doesn't work

Open ScharfViktor opened this issue 9 months ago • 16 comments

https://doc.owncloud.com/ocis/5.0/deployment/general/general-info.html#password-reset-for-the-admin-user

ocis version: 5.0.2 and master

steps:

  • run ocis binary
  • go to the terminal and reset password ocis/bin/ocis idm resetpassword

Expected: password is changed

Actual: error:

vscharf:ocis scharfviktor$ ocis/bin/ocis idm resetpassword
Resetting password for user 'uid=admin,ou=users,o=libregraph-idm'.
Enter new password: 
Re-enter new password: 
{"level":"error","service":"idm","db":"/Users/scharfviktor/.ocis/idm/ocis.boltdb","error":"timeout","time":"2024-05-02T13:04:07+02:00","message":"Error opening database"}
Failed to open database: 'timeout'. Please stop any running ocis/idm instance, as this tool requires exclusive access to the database.
timeout
  • resetting password using web/graph api https://localhost:9200/graph/v1.0/me/changePassword works fine.
  • admin can see password in the config/ocis.yaml but after resetting password via web ocis.yaml the password is not overwritten. That means if admin forgot password second time -> he will not be able to regain access

CC @mmattel @mfeilner

ScharfViktor avatar May 02 '24 11:05 ScharfViktor

Note that we must add a reset pwd test case to our test suite to catch such issues.

mmattel avatar May 02 '24 11:05 mmattel

> Note that we must add a reset pwd test case to our test suite to catch such issues.

We are currently not testing cli commands. The end user facing feature uses the graph api

micbar avatar May 02 '24 11:05 micbar

> We are currently not testing cli commands. The end user facing feature uses the graph api

Maybe not atm, but we should. As @ScharfViktor stated, we now have the situation that an admin is locked out of his instance if he had forgotten his pwd and he can't reset it - since v5! Such major issues must not happen.

mmattel avatar May 02 '24 11:05 mmattel

@ScharfViktor

You should stop ocis and try again.

micbar avatar May 02 '24 11:05 micbar

> You should stop ocis and try again.

oops, right!

might we write it to the docs? or it's obvious and I didn't know it?

ScharfViktor avatar May 02 '24 12:05 ScharfViktor

@micbar should we rewrite ocis.yaml after password change? if not -> we should change docs:

Screenshot 2024-05-03 at 09 16 51

ScharfViktor avatar May 02 '24 12:05 ScharfViktor

> oops, right!

Ok for the binary deployment. How are we dealing with ocis in the container, doesn't it try to restart automatically when ocis stopped? Which would mean we never can reset the pwd? I may be wrong...

mmattel avatar May 02 '24 12:05 mmattel

When you stop the container, it is stopped and will not restart. The main challenge in this is to get the same config context. I have no direct solution in mind, needs thinking

micbar avatar May 02 '24 12:05 micbar

> I have no direct solution in mind, needs thinking

👍 Suggesting we should make the reset pwd command not blocking the db access which would solve the issue on both deployment versions. Just my 2c.

mmattel avatar May 02 '24 13:05 mmattel

> 👍 Suggesting we should make the reset pwd command not blocking the db access which would solve the issue on both deployment versions. Just my 2c.

Needs thinking. IMHO p4. We have a solution.

micbar avatar May 02 '24 14:05 micbar

> We have a solution.

Sorry to insist, mind explaining to me how we do it with our containers? Happy to add that procedure to the docs --> needed for all of our install guides.

mmattel avatar May 02 '24 17:05 mmattel

  1. get containerId: docker ps
  2. run the command: docker exec -it containerId ocis idm resetpassword
Screenshot 2024-05-02 at 20 49 31

ScharfViktor avatar May 02 '24 18:05 ScharfViktor

Guide for a normal docker compose

ocis traefik example

docker compose stop ocis
 ✔ Container ocis_traefik-ocis-1  Stopped
docker run --rm -ti \
-v ocis_traefik_ocis-config:/etc/ocis \
-v ocis_traefik_ocis-data:/var/lib/ocis \
owncloud/ocis:latest \
idm resetpassword

Resetting password for user 'uid=admin,ou=users,o=libregraph-idm'.
Enter new password: 
Re-enter new password: 
Password for user 'uid=admin,ou=users,o=libregraph-idm' updated.

NOTE:

  • I see an error popping up 2024/05/03 08:53:39 INFO memory is not limited, skipping: %v package=github.com/KimMachineGun/automemlimit/memlimit !BADKEY="memory is not limited" which is not a problem but ugly
  • The value in the ocis.yaml is not changed (which is also not an issue)

micbar avatar May 03 '24 08:05 micbar

Thanks a lot, I will incorporate the info asap to the admin docs! When done, I will close that issue.

mmattel avatar May 03 '24 09:05 mmattel

> Thanks a lot, I will incorporate the info asap to the admin docs! When done, I will close that issue.

I see that in the docs you are not working with the -v volumes syntax but with -m(mounts). That should also work in a similar way, as long as you have the correct volumes. idm resetpassword needs both: the config volume and the data volume.

micbar avatar May 03 '24 10:05 micbar
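
The compose procedure from the guide above with a pre-flight check added, as an example that is not part of the thread or of the oCIS project: it confirms that both volumes exist and that no running container still mounts the data volume (the condition behind the 'timeout' error) before starting the one-off container. Volume and image names are the ones used in the guide; the function names preflight and reset_admin_password are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults are the names used in the
# "ocis traefik example" guide; override them for other deployments.
CONFIG_VOL="${CONFIG_VOL:-ocis_traefik_ocis-config}"
DATA_VOL="${DATA_VOL:-ocis_traefik_ocis-data}"
IMAGE="${IMAGE:-owncloud/ocis:latest}"

# Returns 0 when it is safe to run the reset, 2 when a required volume is
# missing, 3 when a running container still mounts the data volume (the
# idm database would be locked and resetpassword would time out).
preflight() {
    for vol in "$CONFIG_VOL" "$DATA_VOL"; do
        if ! docker volume inspect "$vol" >/dev/null 2>&1; then
            echo "missing volume: $vol" >&2
            return 2
        fi
    done
    users=$(docker ps --quiet --filter "volume=$DATA_VOL")
    if [ -n "$users" ]; then
        echo "data volume still mounted by running container(s): $users" >&2
        echo "stop them first, e.g. docker compose stop ocis" >&2
        return 3
    fi
    return 0
}

# Runs idm resetpassword in a throwaway container with the same config and
# data volumes as the stopped ocis service.
reset_admin_password() {
    preflight || return $?
    docker run --rm -ti \
        -v "$CONFIG_VOL":/etc/ocis \
        -v "$DATA_VOL":/var/lib/ocis \
        "$IMAGE" idm resetpassword
}

# Only act when called as: ./reset.sh run
if [ "${1:-}" = "run" ]; then
    reset_admin_password
fi
```
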

> I see that in the docs you are not working with the -v volumes syntax but with -m(mounts)

This is a legacy I will correct with the upcoming reset pwd docs change - thanks for the tip.

mmattel avatar May 03 '24 16:05 mmattel