docs: add password reset guide for v5.x+ web UI lockout

[mrjacobarussell]

Summary

Adds PASSWORD_RESET.md documenting how to recover admin access when locked out of the Omada web UI on v5.x+.

Problem with existing instructions: Standard reset docs targeting db.user with SHA-1 fail on v5.x+. Modern versions store credentials in db.iam_user using Apache Shiro SHA-256, and the username field is Base64-encrypted.

What this adds:

• How to download the legacy mongosh 1.10.6 binary (required — modern mongosh v2.x+ is rejected by the bundled MongoDB engine)
• Correct collection to target (iam_user not user)
• Working Shiro SHA-256 recovery hash
• Step-by-step verified procedure

Tested on: Omada 5.15.24.19 via mbentley/omada-controller on Unraid (2026-06-06)

Test plan

• Verified on locked-out Omada 5.15.24.19 instance — recovery login succeeded
• Password changed immediately after recovery

[mbentley]

Just looking for some more details and understanding on if this has been tested to work on 6.x as well since there is a big MongoDB version jump between the 5.x and 6.x versions.

[mbentley]

Just curious, what "standard instructions" are you referring to here? If an official TP-Link doc/KB, it would be ideal to link to it for reference.

[mbentley]

Given that we have two different versions of MongoDB between the 5.x and 6.x versions, we should make sure we are very clear about what version works with what. I am not currently in a spot where I can test to see if this works for both the 5.x and 6.x versions but I see that your instructions call out 5.x+. I just would like to make sure that it actually does indeed work for 6.x as well and call out that compatibility if it works or not.