It happens... you try out Bumblebee and then some time later try to use it again but can't remember the admin password. Or the person who has been looking after Bumblebee leaves and you need to take over the installation. How can you unlock the installation?
The one thing you can't do is recover the original password. Passwords are stored as an MD5 hash, a one-way function that allows Bumblebee to verify that the password you have typed in is correct (i.e. md5(x) = md5(y) means that the password is correct), but given the MD5 hash, it's not feasible to calculate the password (i.e. the problem "if z = md5(x) what is x?" cannot easily be solved).
If someone with admin rights can still log in, then they can change the password on another account using the users form. This is clearly the simplest method of unlocking an installation and should always be what you try first!
From version 1.0.3, you can instruct Bumblebee to waive its security settings by changing configuration options in the bumblebee.ini file. The default bumblebee.ini has the following entries in it (extra comments and settings removed for clarity):
[auth]
authAdvancedSecurityHole = false
verboseFailure = false
recoverAdminPassword = false
If you need to change these options, then make sure you do the following:
The first step is to find out why Bumblebee won't let you log in. It might be that the password has been lost, or it might be that your configuration makes the username invalid or your external LDAP server has failed (you are strongly discouraged from using external servers for authenticating the only admin user!). Normally, Bumblebee is quite terse when a login fails and (for security reasons) never tells the user why the login failed. To find out why Bumblebee won't let you log in, change these settings to:
[auth]
authAdvancedSecurityHole = true
verboseFailure = true
recoverAdminPassword = false
When you next try to log in, the "Login failed" error message will have further details as to why you couldn't log in.
bumblebee.ini
.
A common problem is that prior to 1.0.3, usernames were set to be lowercase only by default. If you want to change the default settings for usernames for your site, change the value of validUserRegexp.
The username you have specified doesn't exist. Bumblebee can't let you log on if it doesn't know anything about you at all. If you can't remember what your username is either, then you'll have to have a look at the users table in your database using something like phpMyAdmin or the MySQL command line tools.
The system administrator may prevent a user from logging in by marking the user as being "suspended". You can remove this suspension using either the password resetting techniques described below or by editing the users table in your database using something like phpMyAdmin or the MySQL command line tools.
The external authentication function was unable to authenticate you for some reason... If you are using LDAP, then the ldap.ini file has some extra debugging options in it. But you don't have your only admin login relying on an external server, do you?
So you really do need to reset the password on your only admin account...
To do this, you must instruct Bumblebee to let you log in when you have entered an incorrect password. Once again, this can be done in bumblebee.ini:
[auth]
authAdvancedSecurityHole = true
verboseFailure = true
recoverAdminPassword = true
You can then enter the username and anything for the password (you must enter something!) and it will let you log on. You can then either change the password using the "Change Password" link in the menu or using the users form.
Remember to turn password checking back on, otherwise anyone who can guess a correct username will be able to log in to your installation.
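One way to confirm that the recovery settings were switched back off is a small check run against bumblebee.ini after the reset. This is an added example, not part of Bumblebee: the function name and the sample file contents are constructed for illustration, and it assumes the values use PHP-style ini booleans.

```python
import configparser
import sys

# The three [auth] switches the page shows, all false by default.
RECOVERY_KEYS = ("authAdvancedSecurityHole", "verboseFailure", "recoverAdminPassword")
# Assumption: values use PHP-style ini booleans (true/on/yes/1, any case).
TRUTHY = {"1", "true", "on", "yes"}

# Constructed sample: a file left in the state used for the password reset.
SAMPLE_LEFT_OPEN = """\
[auth]
authAdvancedSecurityHole = true
verboseFailure = true
recoverAdminPassword = true ; set during recovery, never reverted
"""


def enabled_recovery_options(ini_text):
    """Return the [auth] recovery switches that are switched on in ini_text."""
    parser = configparser.ConfigParser(
        strict=False,                  # repeated keys: the last one wins
        interpolation=None,            # a '%' in other values must not raise
        allow_no_value=True,           # tolerate bare keys elsewhere in the file
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=(";",),
    )
    parser.optionxform = str           # keep camelCase key names as written
    # A dummy header lets keys that precede the first section parse cleanly.
    parser.read_string("[__preamble__]\n" + ini_text)
    if not parser.has_section("auth"):
        return []
    enabled = []
    for key in RECOVERY_KEYS:
        value = parser.get("auth", key, fallback="false") or ""
        if value.strip().strip("\"'").lower() in TRUTHY:
            enabled.append(key)
    return enabled


if __name__ == "__main__":
    # Usage: python check_ini.py /path/to/bumblebee.ini (no argument: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEFT_OPEN
    found = enabled_recovery_options(text)
    for key in found:
        print(f"WARNING: [auth] {key} is enabled")
    sys.exit(1 if found else 0)
```

The script exits non-zero when any switch is still on, so it can be run from a scheduled job or a deployment check.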