@AmazingTurtle
Last active April 1, 2024 17:47
restore access to unifi controller

Restore access to a unifi controller

When you are unable to log in to the unifi controller or have forgotten the admin password, you can restore access by using SSH and manipulating mongodb directly.

Warning

Do not uninstall unifi controller - most of the data is not stored in mongodb. In case you thought a mongodb backup would be sufficient, you may have fucked up already, just like me. However, I managed to write this "tutorial" so that nobody else runs into the same trap.

Apparently this guide no longer works with recent unifi controller versions (starting nov/dec 2022). Since I no longer use unifi hardware in my home system, I can not update the guide myself. In case you've gotten here to recover your data, you're likely doomed. But giving it a try won't hurt anyway, therefore: good luck.

Steps

1. Generate password

Use quickhhash.com to generate a hash of your new password. Use sha512 / crypt(3) / $6$ with any salt you like (I used 9Ter1EZ9$lSt6 in the example below, but it really doesn't matter).

I have generated a dummy password for you if you want to leave this step out. It is Ch4ngeM3VeryQu!ck:

$6$9Ter1EZ9$4RCTnLfeDJsdAQ16M5d1d5Ztg2CE1J2IDlbAPSUcqYOoxjEEcpMQag41dtCQv2cJ.n9kvlx46hNT78dngJBVt0

2. SSH to controller

SSH to the server running the unifi controller. In my case it's running on a raspberry pi.

3. Connect to mongodb

By default unifi comes with mongodb running on port 27117. To connect to it, use the mongo cli tool. Make sure it is installed.

Connect using the following command:

mongo --port 27117

When connected to mongo, execute the following commands to switch to the database and verify the installation:

use ace;
show collections;

It should show a list of collections, e.g. account, admin, alarm, broadcastgroup, ....

4. Fix

It is very likely that you got here because of power/data loss. You want to check if admins are still in the database. To do so, execute the following command in the mongo cli:

db.admin.find()

If the result is blank or you don't remember your password, there are two ways to proceed. Make sure to replace the placeholders before executing the commands.

4.1. Change password of existing user

db.admin.update({ name: "<YOUR-NAME-GOES-HERE>" }, { $set: { "x_shadow": "<PASSWORD-HASH-FROM-STEP-1-GOES-HERE>" } });

4.2. Create a new user

db.admin.insert({ "email" : "<YOUR-EMAIL-GOES-HERE>", "last_site_name" : "default", "name" : "<YOUR-NAME-GOES-HERE>", "time_created" : NumberLong(100019800), "x_shadow" : "<PASSWORD-HASH-FROM-STEP-1-GOES-HERE>" })

5. Get admin id

db.admin.find()

Will output something like this:

> db.admin.find()
{ "_id" : ObjectId("5d0a2e7e8f01c49af4cbe3cd"), "email" : "...", ... }

Take the contents of _id, in this case it is 5d0a2e7e8f01c49af4cbe3cd. You should remember it for the next steps.

6. Fix permissions

You will need to attach the admin role using db.privilege to the newly created user. The privilege belongs to an admin and a site_id.

Make sure to get your site_ids using the following command:

db.site.find()

It will show something like this:

> db.site.find()
{ "_id" : ObjectId("5d07b088280f9002d7676c87"), "name" : "super", "key" : "super", "attr_hidden_id" : "super", "attr_hidden" : true, "attr_no_delete" : true, "attr_no_edit" : true }
{ "_id" : ObjectId("5d07b088280f9002d7676c88"), "name" : "default", "desc" : "Default", "attr_hidden_id" : "default", "attr_no_delete" : true }

Once you know the ids of your sites, you can continue with creating privilege entries. You will need the admin id from step 5.

Use the following command for each site you got from db.site.find():

db.privilege.insert({ "admin_id" : "<ADMIN-ID-GOES-HERE>", "permissions" : [ ], "role" : "admin", "site_id" : "<SITE-ID-GOES-HERE>" });

Optionally verify that all privileges have been created using the following command:

> db.privilege.find()
{ "_id" : ObjectId("5d0bb7573d70717df47d5af6"), "admin_id" : "5d0a2e7e8f01c49af4cbe3cd", "permissions" : [ ], "role" : "admin", "site_id" : "5d07b088280f9002d7676c87" }
{ "_id" : ObjectId("5d0bb7573d70717df47d5af7"), "admin_id" : "5d0a2e7e8f01c49af4cbe3cd", "permissions" : [ ], "role" : "admin", "site_id" : "5d07b088280f9002d7676c88" }

7. Test

Now you're all set. You eventually want to restart the unifi controller using service unifi restart. You can log in now. Good luck.
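The hash from step 1 can also be produced on the controller host itself, so the new password never goes to a hashing website. The script below is an added example, not part of the original gist: it hashes the password with openssl, checks the $6$ format, and prints the mongo shell statements for steps 4.1, 5 and 6. The function names are hypothetical; it assumes OpenSSL 1.1.1 or later, the legacy mongo shell from step 3, and an admin that already exists.

```shell
#!/bin/sh
# Added example (not from the gist). Function names are hypothetical.

# True if $1 is a SHA-512 crypt(3) string: $6$<salt, up to 16 chars>$<86 chars>.
is_sha512_crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Hash password $1, optionally with salt $2. The password reaches openssl on
# stdin, so it does not appear in the process list.
make_shadow_hash() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -6 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -6 -stdin
    fi
}

# Print mongo shell JavaScript that sets x_shadow for the existing admin $1 to
# hash $2 (step 4.1), reads the admin id (step 5) and adds the "admin" role on
# every site that does not have it yet, including "super" (step 6).
recovery_js() {
    # Reject empty names and leftover placeholders such as <YOUR-NAME-GOES-HERE>.
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) echo "bad admin name" >&2; return 1 ;;
    esac
    is_sha512_crypt "$2" || { echo "not a \$6\$ crypt hash" >&2; return 1; }
    printf 'db.admin.update({ name: "%s" }, { $set: { "x_shadow": "%s" } });\n' "$1" "$2"
    printf 'var adminId = db.admin.findOne({ name: "%s" })._id.str;\n' "$1"
    cat <<'EOF'
db.site.find().forEach(function (site) {
    var q = { "admin_id": adminId, "site_id": site._id.str };
    if (db.privilege.count(q) === 0) {
        db.privilege.insert({ "admin_id": adminId, "permissions": [ ],
                              "role": "admin", "site_id": site._id.str });
    }
});
EOF
}

# Usage on the controller host (constructed values):
#   recovery_js admin "$(make_shadow_hash 'my new password')" | mongo --port 27117 ace
```

The ids are written as plain hex strings because that is how admin_id and site_id appear in the db.privilege.find() output above.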

@mhempstock

@AmazingTurtle certainly lives up to the Amazing Name! Thank you so much for putting this together. Was locked out following a backup restore.

@AmazingTurtle
Author

Hi @edisondotme, I think this is very unfortunate. When the site is gone, it might be that the settings assigned to it are gone as well - or - the backup has not restored correctly. There should be a site. I haven't checked too much of the other collections in mongo.

But I think that checking those and looking for a foreign unreferenced site id would help in your case. Just check the other collections' data and see if there is something of interest to you. You might be able to create a new site with the unreferenced id (if you find one) in the mongo cli and then proceed as usual with my guide.

@8none1

8none1 commented Jul 18, 2021

Thanks a lot for this info. The default instructions for migrating to a new Unifi controller talk about using the "restore from backup" option from the initial login screen from the new controller, and do not talk about the need to create a new admin user first. I had assumed that restoring the backup would have restored the admin accounts as well, you know, like restoring a backup. This saved me from having to blow away the install and the database and start again. Thanks!

@littlej247

Just have to say thank you for writing this. You've not only helped me fix my controller but also taught me about how mongodb works and how it uses it to store data. Very cool! Can't thank you enough!

@ktownsend-personal

You are a lifesaver! Somehow my controller lost my entire configuration, including the admin user account. I found random stuff about mongo and ace, and figured out how to insert a user, but I had no clue about the permissions. Your steps got me able to get to the dashboard and restore a good backup. Thanks!!!!

@yvaillancourt

Thank you very much! You saved my day and even more!

@lukasware

The man is legend. I mean amazing. Thank you it worked perfectly first try.
one note though, my network came back with all devices greyed out.
but I was able to GUI restore and get full control back for the win

@chrisverra

@lukasware how did you do the GUI restore?

@lukasware

Go to System Settings > Advanced and click the Restore in the "Restore Device" section.
https://help.ui.com/hc/en-us/articles/204952144-UniFi-How-to-Create-and-Restore-a-Backup

Were I smart, I would have stayed in ssh and restored from there but above worked.

@nophr

nophr commented Nov 24, 2021

Hi,

This does not work for controller version 6.4.54

Does anyone know what the new hash is for this version?

@Vichitaev

Thanks a lot, it helped me, was stuck. All good for you)

@LRD-Torbjorn

For version 6.5.54 I had to add dashboard information in step 4.2 or login would not work

db.dashboard.find()
{ "_id" : ObjectId("<DASHBOARD-ID>"), "attr_hidden_id" : "Default", "attr_no_edit" : true, "attr_no_delete" : true, "name" : "System Default", "is_public" : true }

db.admin.insert({ "email" : "<YOUR-EMAIL-GOES-HERE>", "last_site_name" : "default", "name" : "<YOUR-NAME-GOES-HERE>", "time_created" : NumberLong(1553598427), "x_shadow" : "<PASSWORD-HASH-FROM-STEP-1-GOES-HERE>", "ui_settings" : { "dashboardConfig" : { "lastActiveDashboardId" : "<DASHBOARD-ID>", "dashboards" : { "<DASHBOARD-ID>" : { "order" : 1 } } } } })

@SkilledAlpaca

Just ran through these steps on v7.1.61 and it worked perfectly. Thank you very much!

@chunkydotdev

Amazing! Works good on v7.1.65! Thank you!

@areinhold-dev

This really helped a lot. Thanks for the detailed explanation!

@wein-geist

Still going strong for unifi7, you're a life saver!

@djwaz

djwaz commented Aug 11, 2022

Thank you all for this advice. I am kinda stuck here though...

I am getting a syntax error: unexpected token, expected

This is occurring at the beginning of "last_site_name" :

Any advice?

Thanks in advance.

@kameit00

I love you :-) Thanks for helping out with this article!

@prodamdeti

prodamdeti commented Sep 14, 2022

Hello guys,
I'm having a problem with an admin insert command.
I tried
db.admin.insert({ "email" : "<it@test.com>", "last_site_name" : "default", "name" : "<admin>", "time_created" : NumberLong(1553598427), "x_shadow" : "<$6$bRcz9HtZ$W3RAnJEx12jO.jXygvnuYZOIrsbIvt0t2R0wtN/WgUQqPpLTtVp6H5DOhjycTPpdZxx/orIO4bq6k9WndcQ0U0>", "ui_settings" : { "dashboardConfig" : { "lastActiveDashboardId" : "<DASHBOARD-ID>", "dashboards" : { "<DASHBOARD-ID>" : { "order" : 1 } } } } })
and
db.admin.insert({ "email" : "it@test.com", "last_site_name" : "default", "name" : "admin", "time_created" : NumberLong(100019800), "x_shadow" : "$6$bRcz9HtZ$W3RAnJEx12jO.jXygvnuYZOIrsbIvt0t2R0wtN/WgUQqPpLTtVp6H5DOhjycTPpdZxx/orIO4bq6k9WndcQ0U0" })
But every time I got an error:
MongoshInvalidInputError: Argument at position 0 must be of type string, got number instead

And the x_shadow is just "password" 📦
Anyone know what's up?

Thanks in advance.

@PD-Wan

PD-Wan commented Nov 20, 2022

You rock! thanks for this

@heffneil

I tried this - and I can log in but I get a blank page. I had two users (because I restored from a backup) and I just inserted a new one with the above procedure. The problem is just that blank page once authenticated :(

@kcg-it

kcg-it commented Dec 18, 2022

@heffneil Same issue for me.

@heffneil

Well, glad I'm not alone. I ended up using the legacy interface, exporting the site and importing to the new controller. I had other major issues and had to roll back but it was far more successful if you need or want a workaround.

@clupss

clupss commented Feb 8, 2023

I am getting rid of my UniFi Dream Machine (it doesn't do things I want it to).
So I need to adopt all my AP's and Switches out of it into a hosted controller.
I downloaded the backup out of the UDM (application backup) and restored it into a controller on a docker container.
Could not login.
This post saved me! I was able to login, confirm everything is there and adopt my devices to my new controller without losing any config.

@doroshenko

Thank you very much! I have all but given up on the Unifi controller at my parents' house after a power outage has resulted in a corrupted database. Your guide was the only one that helped!

@95yj

95yj commented Mar 20, 2023

Thank you for this. And by the way, it still works. I just did this on an Ubuntu Unifi v7.3.83. Did a restore of a large network from a UDM Pro to Linux since the UDM was way undersized. Restore worked great but no credentials worked because they are stored in the DM OS and not in the network app.

@hatuce

hatuce commented Jun 18, 2023

thanks man!

@flensburgerdunkel

Hi together,
thanks a lot for this great explanation. It still works... For the hash code I used this page [https://tomi.cc/hash/]. The initially mentioned one is not available anymore.

I had the issue that my local administrator was away at one moment and I was not able to log in anymore with these credentials. With this hoot I was able to add a new administrator with successful access to the controller GUI (cloud key 1st gen). But could it be that I do not have the same permissions as my former admin account (which is not visible/available anymore)???

Thanks a lot in advance!

@alexbergsland

alexbergsland commented Aug 27, 2023

This works, in a way.

I am moving from one controller to another, making an export backup on one controller and restoring it on the other, inserting the same password on the new one does not work.
Using the commands in this guide shows that there is no user, so I made one and could log in but the new user is only admin, not owner. So some settings are missing, like backup and multi site management.

Edit:
I got it sorted out, in step 6 I also made my user admin of the
{ "_id" : ObjectId("5d07b088280f9002d7676c87"), "name" : "super" ..
site.

@danimr

danimr commented Feb 24, 2024

That saved the day, you can't imagine how grateful I am for this guide.
