Can't change Plone admin user's password

I installed Plone 6 on a new server using Docker. Everything works great, but when I go to the site, it seems like it automatically created an admin user with the password admin. That seems really unsafe, so I tried to change it, but when I go to the user preferences, change password is not one of the options. And when I go to zope… in acl_users, I’m also not able to find the admin user. Is this some kind of special admin user that can’t be found in Plone’s normal user management?

I suspect you're at the root of the plone site. You must change the admin user’s password at the root of zope: http://localhost:8080/acl_users/users/manage_users.

i’m not able to access that… i go to my site https://mysite.com/ and it’s the plone site… if i go to http://mysite.com:8080 then it doesn’t load. Here’s what my nginx.conf file looks like, which might explain why… it redirects http to https…

# HTTP: redirect to HTTPS, but serve Let's Encrypt challenge files

server {

listen 80;

    server_name mysite.com;




    location /.well-known/acme-challenge/ {

        root /var/www/certbot;

    }




    location / {

return 301 https://$host$request_uri;

    }

}




# HTTPS: reverse proxy to Plone backend

server {

listen 443 ssl;

   server_name mysite.com;




   ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;

   ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;




   client_max_body_size 64m;




   location / {

       proxy_pass http://backend:8080/VirtualHostBase/https/mysite.com:443/Plone/VirtualHostRoot/;

       proxy_set_header Host $host;

       proxy_set_header X-Real-IP $remote_addr;

       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

       proxy_set_header X-Forwarded-Proto $scheme;

   }

}

go to your site IP:8080, it will work. You can also try to use this url:

https://mysite.com/../acl_users/users/manage_users

You could also change the password command line but plone distribution seems to miss the zope.password package, can someone correct me if not?

Anyway, I think an entry point in the dockerfile should be added to change zope user passwords, like there's one to create the user:

Hi,

To avoid this kind of security issue, we use collective.big.bang. It creates the Plone site on Zope startup and lets you set the Zope admin password via the ADMIN_PASSWORD environment variable (you also need ACTIVE_BIGBANG=True).

And in your case, your proxy “override” access to zope admin, so you can use “aq_parent” trick to access to zope admin like: https://mysite.com/aq_parent/acl_users/users/manage_users

1 Like