How to change Opal admin password from WebUI

It’s possible to change the default admin password while setting up Opal, but is it also possible to change it afterwards from the web UI?

If not, I suppose enabling 2FA is the next best thing?

Hi,

It is not possible, it has to be done manually on the server. This default user is more for the initial setup, and should not be used on a day-to-day basis. The best practices are:

As the (default) administrator

  • login
  • enable 2FA
  • create a real user (your name) so that the audit tracks your personal activity and add it to an admin group (call it “opal-admin” for instance, the name does not matter)
  • grant this group full administration permission: go to Administration > General settings > Permissions and add group permission (choose “Administrate”)
  • logout

As the new admin user

  • login
  • enable 2FA
  • verify you have all permissions
  • for any scripting operations: use personal access tokens

Regards
Yannick


Thank you.

The alternative would be to edit the shiro.ini file I presume?

The password must be hashed, instructions are in the shiro.ini file. https://opaldoc.obiba.org/en/latest/admin/configuration.html#user-directories


And what do I have to do to update changes?

Restarting the opal process does not seem to update the shiro.ini passwords immediately (I can still log in with the previous credentials).

Restart server is enough. That means you modified the wrong shiro.ini file.


I have double checked and it seems to be the correct shiro.ini file. (dir matches output of which opal)

I restart the server with: sudo systemctl restart opal.service

On the administrator user profile the following message appears:

Password

Your account was defined in the user directory “opal-ini-realm”. Please contact your system administrator to change the password in this directory.

Okay, maybe the issue is too verbose.

I recorded a video of myself changing the admin password and it not updating. Hopefully, this will let others see what the issue looks like on my end:

  1. I use the shiro-hasher to get a new password
  2. Update the conf/shiro.ini file
  3. Restart opal
  4. But it still expects the old password

What could be the reason?

Hi,

For the record of others, Ahmet was modifying the shiro.ini file from the Opal distribution folder (/usr/share/opal that contains the binaries and the default config), instead of the one from the Opal local installation: /etc/opal.

Following the common layout of application installation on Linux systems:

  • /usr/share/opal is the distribution folder (replaced when upgraded)
  • /var/lib/opal is the local data folder
  • /etc/opal is the configuration folder
  • /var/log/opal is the log folder

Regards
Yannick

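The mix-up resolved above (editing the distribution copy of shiro.ini instead of the one under /etc/opal) can be checked with a short script. This is an added example, not part of the original thread or of Opal: the function names and the optional root-prefix argument are hypothetical, and the folder roles are the ones listed in the post above.

```shell
#!/bin/sh
# Added example: list every shiro.ini under the Opal folders named in the thread,
# labelled with the role of the folder it really lives in.

# Map a path to the folder role given in the thread.
opal_folder_role() {
  case "$1" in
    /usr/share/opal|/usr/share/opal/*) echo "distribution" ;;   # replaced when upgraded
    /etc/opal|/etc/opal/*)             echo "configuration" ;;
    /var/lib/opal|/var/lib/opal/*)     echo "data" ;;
    /var/log/opal|/var/log/opal/*)     echo "log" ;;
    *)                                 echo "unknown" ;;
  esac
}

# Print "role<TAB>path" for each distinct shiro.ini found.
# $1 (hypothetical, optional): root prefix, so the audit can run against a
# constructed directory tree instead of the live filesystem.
audit_shiro_ini() {
  root=""
  if [ -n "${1:-}" ]; then
    root=$(cd "$1" && pwd -P)
  fi
  for dir in /usr/share/opal /etc/opal /var/lib/opal /var/log/opal; do
    [ -d "$root$dir" ] || continue
    # -L follows symlinked folders, so a copy reachable through a link is seen too.
    find -L "$root$dir" -name shiro.ini -type f 2>/dev/null |
    while IFS= read -r f; do
      # Resolve the containing folder physically, so a file reached through
      # a symlink is reported by the folder it actually sits in.
      d=$(cd "$(dirname "$f")" && pwd -P)
      rel="${d#"$root"}/shiro.ini"
      printf '%s\t%s\n' "$(opal_folder_role "$rel")" "$rel"
    done
  done | sort -u
}

# Audit the live filesystem when the script is run directly.
audit_shiro_ini
```

Only a line labelled `configuration` is the copy to edit before restarting; a `distribution` line is the default shipped with the binaries.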