It happens... you've try out Bumblebee and then some time later try to use it again but can't remember the admin password. Or the person who has been looking after Bumblebee leaves an you need to take over the installation. How can you unlock the installation?

What you can't do

The thing you can't do is recover the original password as passwords are stored in an MD5 hash which is a one-way function that allows Bumblebee to verify that the password you have typed in is correct (i.e. md5(x) = md5(y) means that the password is correct) but given the MD5 hash, it's not feasible to calculate the password (i.e. the problem "if z = md5(x) what is x?" cannot easily be solved) more on MD5).

If someone with admin rights can still log in, then they can change the password on another account using the users form. This is clearly the simplest method of unlocking an installation and should always be what you try first!

From version 1.0.3, you can instruct Bumblebee to waive its security settings by changing configuation options in the bumblebee.ini file. The default bumblebee.ini has the following entries in it (extra comments and settings removed for clarity):

 authAdvancedSecurityHole = false
 verboseFailure = false
 recoverAdminPassword = false

If you need to change these options, then make sure you do the following:

  1. change the config options as described here
  2. unlock your installation
  3. change the config options back to the defaults
  4. check that you can log in with the correct username and password
  5. check that you cannot log in with an incorrect username or password

Why can't I log in?

The first step is to find out why Bumblebee won't let you log in. It might be that the password has been lost, or it might be that your configuration makes the username invalid or your external LDAP server has failed (you are strongly discouraged from using external servers for authenticating the only admin user!). Normally, Bumblebee is quite terse when a login fails and (for security reasons) never tells the user why the login failed. To find out why Bumblebee won't let you log in, change these settings to:

 authAdvancedSecurityHole = true
 verboseFailure = true
 recoverAdminPassword = false

When you next try to log in, the "Login failed" error message will have further details as to why you couldn't log in.

Solving login problems

Bad username

The login error "bad username" means that the username is not valid according to the configuration options you have set in bumblebee.ini. A common problem is that prior to 1.0.3, usernames were set to be lowercase only by default. If you want to change the default settings for usernames for your site, change the value of validUserRegexp.

Username doesn't exist in table

The username you have specified doesn't exist. Bumblebee can't let you log on if it doesn't know anything about you at all. If you can't remember what your username is either, then you'll have to have a look at the users table in your database using something like phpMyAdmin or the MySQL command line tools.

This account is suspended

The system administrator may prevent a user from logging in by marking the user as being "suspended". You can remove this suspension using either the password resetting techniques described below or by editing the users table in your database using something like phpMyAdmin or the MySQL command line tools.

RADIUS/LDAP/etc auth failed

The external authentication function was unable to authenticate your for some reason... If you are using LDAP, then the ldap.ini file has some extra debugging options in it. But you don't have your only admin login relying on an external server, do you?

Bad password: resetting the password

So you really do need to reset the password on your only admin account... To do this, you must instruct Bumblebee to let you log in when you have entered an incorrect password. Once again, this can be done in bumblebee.ini:

 authAdvancedSecurityHole = true
 verboseFailure = true
 recoverAdminPassword = true

You can then enter the username and anything for the password (you must enter something!) and it will let you log on. You can then either change the password using the "Change Password" link in the menu or using the users form.

Remember to turn password checking back on otherwise anyone who can guess a correct username will be able to log in to your installation.

Last edited: Wednesday April 19, 2006

Valid XHTML 1.1 Valid CSS 2