Upgraded from 2.8.3 to 3.0.1

midder wrote on Tuesday, September 01, 2009:

Hello.

Today I did a test upgrade from 2.8.3 to 3.0.1. I guess technically it’s 3.0.0.1? That’s what the UI says. After the upgrade, I am unable to login with my admin user. Is this a known issue? Or is there something I need to check?

Thanks.
Brian

bradymiller wrote on Tuesday, September 01, 2009:

hey,
  This is a known issue, since the upgrade into 3.0+ requires a couple more steps (your unable to login because the access controls aren’t set up). Answer the following three question, and I can then give you the correct additional upgrade instructions:

1) Do you have php-gacl installed?
2) Do you have sql-ledger installed?
3) Do you have a user called ‘admin’?

-brady

midder wrote on Tuesday, September 01, 2009:

Thanks Brady

1. No
2. No
3. Yes

bradymiller wrote on Tuesday, September 01, 2009:

hey,
nice, you get the easy method. (ensure you have a back up before proceeding, just in case)

1) Open openemr/gacl/setup.php in web browser
2) Open openemr/acl_setup.php in web browser
3) Log into openemr as ‘admin’. Add your users to access control groups in the admin->acl interface within OpenEMR.

-brady

midder wrote on Tuesday, September 01, 2009:

Worked perfectly. Thank you Brady.

This means that I’m now using gacl? Is there much of a difference for the users of the system?

bradymiller wrote on Tuesday, September 01, 2009:

hey,

Yep, your now using gacl. The authorize vs unauthorized users is a thing of the past. Check out the admin->acl interface, and you’ll note there are 5 groups there (administrators, physicians, etc.); just place your users in at least one group. You can create groups and modify what the groups see in the bottom part of interface. The administrator can basically do everything, while other groups control use (for example ‘front office’ can’t see patients medical records’). On the appliance 3.1.0 demo (link below), I have users with different acl groups set up to give you an idea of what each can access:
http://bradymd.com/appliance/demos.html

-brady

penguin8r wrote on Friday, September 18, 2009:

Ran into this same problem doing a 2.9.0 to 3.1.0 upgrade.
System won’t let me log in with any user accounts, & the OpenEMR login page has an error message permanently embedded on it that says
"Invalid username or password"
"admin attempted unauthorized login on this machine"

This, of course, is complete BS, since I have the correct username & password, tried the procedure for switching to OpenEMR’s built in GACL, didn’t help at all.
Anyone got any ideas?  If I don’t get this working by Monday there’s going to be some seriously angry people.
Can I totally disable GACL temporarily some way to get past this?
What’s the long term solution to this problem?

Thanks to anyone & everyone who can help!

penguin8r wrote on Friday, September 18, 2009:

Update:  I tried completely disabling GACL via acl.inc hoping to at least gain temporary access to the system.  Doesn’t help at all, & now the red error message is somehow permanently embedded in the login page.  How to fix?  Is there some kind of new security feature in OpenEMR 3.1.0 that’s locked me out of the system?  manually edit db table?
Or do I just forget the whole thing , restore from backup & leave the system trapped at 2.9.0?

bradymiller wrote on Friday, September 18, 2009:

hey,

Answer these questions and I can give you instructions:

1) Do you have php-gacl installed?

2) Do you have sql-ledger installed?

3) Do you have a user called ‘admin’?

Also, out of curiosity, what exact steps did you do?

-brady

penguin8r wrote on Monday, September 21, 2009:

1)  Yes, I did have the external php-gacl installed, I tried doing the db import with gacl_ prefix into the openemr db, didn’t seem to help.

2) No, no sql-ledger, they weren’t trying to do any billing at the time.

3) Yes

Basically I followed the steps in the upgrade guide in the other thread.  Extracted new openemr, edited globals.php where necessary, & filled in sql user & password in sqlconf.php, then ran the sql-upgrade script.  After that I ran your php script to add gacl_ prefix in gacl database, & imported gacl db data into OpenEMR db & ran the acl upgrade script.  Then just to be safe I restarted MySQL before I tried to log in.
I tried the whole procedure twice, got the same result, then tried it again on another 2.9 system & it always results in an unuseable system that denies all logins.

bradymiller wrote on Monday, September 21, 2009:

hey,

Did you follow these exact instructions:

1) Move old openemr directory to a backup directory

2) Move new version into openemr directory

3) Copy following directories from old version to new /openemr directory:
/openemr/documents
/openemr/edi
/openemr/era
openemr/custom/letter_templates

4) Edit openemr/interface/globals.php (set $webserver_root and $web_root to be same as old version)

5) Open up your old openemr version openemr/library/sqlconf.php file and transfer the variables to your new openemr version file

6) In the openemr/library/sqlconf.php file in the new version, set the $config variable (found near bottom of file within bunch of slashes) to 1 ($config = 1;).

7) Place the gacl_ prefix on all tables in your php-gacl database (I put a link to a php hack that will do this at bottom of this message)

8) Save your modified php-gacl database to a mysql backup file (use ‘mysqldump’ command)

9) Restore the gacl database backup file into your openemr database (use ‘mysql’ command) (thus you have now combined the gacl and openemr databases)

10) Open sql_upgrade.php in browser and follow instructions (this will upgrade your sql database)

11) Open openemr/acl_upgrade.php in browser (this will upgrade your gacl)

12) Configure optional settings in interface/globals.php and includes/config.php files

Here’s the link to the custom php hack that will put prefix on your tables:
http://bradymd.com/prefixMod.tar.gz
Unpackage, then place on your server and run it through your browser. For ‘Enter New Prefix’ ensure you put ‘gacl’. And again your gonna put your gacl database name for ‘Enter database name:’. Remember to remove this script when you are done.

I’d suggest making a testing server to try/retry this until you get it to work. Then when get it working from start to finish, can upgrade your productions versions.

Some things to note in above instructions:

-do the gacl migration before the sql_upgrade.php script. In upgrade from 3.0.1 to 3.1.0 some changes are made to the gacl tables to ensure compatible with UTU-8 (note it doesn’t convert to UTF-8, it just makes it compatible with a conversion if a user chooses to do this at some point)

  • Do not edit any of the gacl config files (in 3.1.0 this is no longer needed; they grab needed stuff from library/sqlconf.php)

  • Ensure before you upgrade that you indeed do have an ‘admin’ user in the php-gacl program (in the older versions, an authorized user in openemr can look the same as a authorized user in php-gacl; you could also get away with not having the user in php-gacl. This is no longer case in 3.0+, which is why you may not be able to log in as admin)

Let me know if still having problems when follow this strict protocol. If you are, would be interesting to confirm that your openemr database does indeed have the gacl tables in it with the gacl_ prefix. There is a way to "break" into gacl if don’t have access by temporarily modifying source code in the gacl, but only rare users whom are installing new gacl tables without an ‘admin’ need to do this.

-brady

penguin8r wrote on Monday, September 21, 2009:

That’s pretty much what I did, but I may have to set the authorized flag on the admin user in OpenEMR before running the upgrade to ensure being able to log back in?  I did check the openemr db in mysql & confirm that the gacl_ tables were present when I was trying to upgrade last time.  Will try it again this evening & let you know if it works.
Thanks BTW for putting up the php db hack & such, makes life a lot easier for us tech support grunts!

bradymiller wrote on Monday, September 21, 2009:

hey,

Definitely try it again with strict adherence to above steps. If still doesn’t work, then can login into php-gacl directly by simply removing the acl checks at top of the pertinent gacl pages to do more debugging. We shouldn’t need to go there, though.

-brady

penguin8r wrote on Thursday, September 24, 2009:

Brady,
   I tried it again, twice, following exact instructions above, verified that the gacl_xxxx tables were present in Openemr database.  Same results, totally locked out of the system.  I did check to make sure that there is an ‘admin’ user present in the old php-gacl setup.  Still stuck on 2.9.0, what is there left that I can try?  Is there an established way to do a fresh install of v3.1.0 & then import my databases & document files from the old system?

bradymiller wrote on Thursday, September 24, 2009:

hey,

I’m actually thinking this is not even a php-gacl issue; confirm this by  trying the following two things in the openemr/library/acl.inc file:

-uncomment the unset($phpgacl_location); line. This actually will turn off php-gacl entirely, so if not able to login then something else going on. Try the admin user and any other users you have passwords for.

-If above didn’t work, then uncomment out the above line and the on line 23 try to set the $phpgacl_location = to path of your previous php-gacl. Then again try to login as admin and any other users you have passwords for.

I am guessing that none of above will work for admin (but maybe it will work for another user; then would be interesting looking at the discrepancies in the user table for these users).

As I think about this I realize that a bug fix has happened since 3.0+, which does not allow a user to login if not checked off as ‘active’ in the user admin. In pre-3.0 unchecking this did nothing. Check to ensure the admin is checked as active in your pre-3.0 versions before upgrade.

Let me know how above goes.

If still not working, then can break into embedded php-gacl to debug, but again, if it doesn’t work even after turning off php-gacl above, I doubt this is the issue.

-brady

penguin8r wrote on Thursday, October 01, 2009:

Brady,
   Sorry it took awhile for me to copy the system & databases back to a temp server for testing.  After following the above upgrade instructions exactly, trying all your above suggestions resulted in the same behavior each time, admin cannot login, other users can login without problems.  I did make sure that the ‘admin’ user was marked active in OpenEMR 2.9.0 before running the upgrade procedure.
Where should I go from here?  I have looked at the gacl tables in the database, admin is there, don’t see any corruption, & the working system doesn’t have any issues with logins.  Is there some way for me to recreate the admin user from scratch or do I create a new administrative user & just forget about the original admin?

bradymiller wrote on Friday, October 02, 2009:

hey,

I’m guessing somethings up with your admin row in the ‘users’ table in mysql. Compare it to other users and let me know of differences (don’t paste your password here, of course); I’m highly suspicious that the ‘active’ column does not contain a ‘1’.  Also a good idea to ensure database not corrupted via mysqlcheck.

-brady

penguin8r wrote on Friday, October 02, 2009:

Brady,
   Thanks again for all your help.  I made another snapshot last night & re-ran the upgrade today, now I found a way to make it work.  What I have to do is run an upgrade from 2.9.0 to 3.0.1 first, & edit the gacl.ini.php & gacl.class.php files to get the gacl change & upgrade to work.  Then run an upgrade from 3.0.1 to 3.1.0 to finish the process, & everything seems to be working properly.  I did check that the Admin user was ‘Active’, & I ran a mysqlcheck on the database before starting the whole upgrade process.  I just wanted to throw this out there for anyone else doing an upgrade from 2.8 or 2.9, it might work better if you upgrade in small steps instead of one big jump.

bradymiller wrote on Saturday, October 03, 2009:

hey,

Great. Would be nice to isolate this problem. Hopefully just an isolated issue, but will watch out for it.

-brady

ideaman911 wrote on Tuesday, October 06, 2009:

Brady;

I would not be surprised if that is happening to a lot of people as they transition from the pre-2.9.1 versoins with GACL separate to the post GACL inclusive 3 series.  Perhaps we need to better emphasize that they MUST go through the two step process?

Joe Holzer    Idea Man
http://www.holzerent.com