Question

I have to deal with an old CMDBuild, but unfortunately, no one has the superuser password. So I would like to change it directly in the postgres database.

I managed to connect to the cmdbuild database in psql. I have a table called User, but a select * from User; only gives me:

current_user 
--------------
 postgres
(1 row)

but SELECT column_name FROM information_schema.columns WHERE table_name ='User'; gives me more columns:

 column_name 
-------------
 Id
 IdClass
 Code
 Description
 Status
 User
 BeginDate
 Notes
 Username
 Password
 Email
(11 lignes)

So the first select seems wrong, where are the 10 other columns? Besides, I found these lines in the CMDBuild Technical Manual, I tried them but without results.

execute the following SQL commands to create the "Superuser" user (in the example with
username admin and password admin):

INSERT INTO "User" ("Status", "Username", "IdClass", "Password", "Description") VALUES ('A', 'admin',
'"User"', 'DQdKW32Mlms=', 'Administrator');
INSERT INTO "Role" ("Status", "IdClass", "Administrator", "Description") VALUES ('A', '"Role"', true,
'SuperUser');
INSERT INTO "Map_UserRole" ("Status", "IdClass2", "IdClass1", "IdObj2", "IdObj1", "IdDomain") VALUES ('A

Can someone help me to recover or erase the superuser password in CMDBuild? Thanks in advance.


Solution

It sounds like this "CMDBuild" tool uses its own user tables, rather than the built-in PostgreSQL users and roles.

Before you do anything else, make a full backup of your database.

If you want to recover the existing password you'll need to find out if it's salted and hashed or stored in plaintext. If it is stored as plaintext, berate the CMDBuild developers angrily until they promise to fix it in the next release.

If it's plaintext, well:

select "Username", "Password" from "User" where "Username" = 'admin';

If logging in with the resulting password doesn't work then it's probably hashed, in which case you'll need to figure out what algorithm is used. Going by the above example statement, it's probably just unix crypt. You can put the extracted password into a text file and run John the Ripper or a similar cracking tool on it.

If you don't succeed in cracking it, well, if you've identified how it's hashed you can hash a new password and store that with something like:

 UPDATE "User" SET "Password" = 'sdgfsdf' WHERE "Username" = 'admin';

replacing the placeholder text above with the hash you generated.

(John the Ripper doesn't seem to understand the example password, meaning it's either unhashed or not in a commonly recognised format like unix crypt).
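An added example, not part of the original answer and not CMDBuild code: a small format check for the "find out how it's stored" step, useful when auditing how an application keeps credentials. The function name and the sample values other than 'DQdKW32Mlms=' (taken from the manual excerpt in the question) are constructed for illustration.

```python
import base64
import binascii
import re

# Raw digest sizes in bytes for common unsalted hashes.
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}
# Modular crypt format: $id$... (e.g. $1$ md5crypt, $2b$ bcrypt, $6$ sha512crypt).
MCF_RE = re.compile(r"^\$[0-9a-z-]+\$.+")
# Traditional DES crypt: exactly 13 characters from ./0-9A-Za-z.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def classify_stored_password(value: str) -> str:
    """Return a best-guess description of how a stored credential is encoded."""
    if MCF_RE.match(value):
        return "modular crypt format (salted hash)"
    if DES_CRYPT_RE.match(value):
        return "traditional DES crypt (salted hash)"
    if HEX_RE.match(value) and len(value) // 2 in DIGEST_SIZES:
        return f"hex digest, {DIGEST_SIZES[len(value) // 2]}-sized"
    try:
        # validate=True rejects anything outside the base64 alphabet.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unrecognised, possibly plaintext"
    if len(raw) in DIGEST_SIZES:
        return f"base64 digest, {DIGEST_SIZES[len(raw)]}-sized"
    # Short plaintext can also happen to be valid base64, so this is a hint only.
    return f"base64 of {len(raw)} bytes, not a common digest size"


if __name__ == "__main__":
    samples = [
        "DQdKW32Mlms=",              # value from the manual excerpt in the question
        "$6$saltsalt$constructed",   # constructed sha512crypt-style string
        "abJnggxhB/yWI",             # constructed 13-character crypt-style string
        "ab" * 16,                   # constructed 32-hex-character value
        "admin",                     # constructed plaintext
    ]
    for s in samples:
        print(f"{s!r:32} -> {classify_stored_password(s)}")
```

The manual's sample value decodes to 8 bytes, which matches neither unix crypt nor any common digest length, consistent with John the Ripper not recognising it.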

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow