Bug 51359 - Send an Email when Password is Changed
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - User settings
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2020-05-26 13:41 CEST by Christian Völker
Modified: 2021-05-03 15:24 CEST (History)
What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
Ticket number: 2020052521000199
Description Christian Völker univentionstaff 2020-05-26 13:41:58 CEST
For auditing reasons a customer would like to have an email sent when a user changes his password through UMC.
The user's assigned email address should be used as the destination.
Comment 1 Daniel Tröder univentionstaff 2020-05-26 19:16:04 CEST
Sounds like a very special requirement.
A simple listener could be written for the customer.
The LDAP attributes that have to be observed for changes are:
* krb5Key
* krb5KeyVersionNumber
* sambaPwdLastSet
* sambaNTPassword
* userPassword

A more general approach, which may be interesting for more customers, would be a listener that sends emails to registered addresses for certain attributes.

The email addresses can be more flexible if the following is done:
* if it contains an '@', send to that email address
* if no '@', it must be a username → send to that user's mailPrimaryAddress

The observed 'attributes' should be UDM properties, as those names are better known and are kind of the public UCS API. The registration could be done through UCR like this:

auditing/<UDM-module-pattern>/property/<property-name>=email1,email2,...

Example:

auditing/users/user/property/birthday=me@example.com,you@example.com
auditing/users/user/property/password=Administrator
auditing/groups/group/property/users=Administrator
auditing/groups/group/property/ALL=auditor@@example.com
auditing/computers/*/ip=Administrator

The special property 'ALL' means "send email on all changes".

The email should contain a diff of all changed properties.
The new listener API has a method for this.

The mapping UDM property <-> LDAP attribute is in the UDM modules.

After changing the UCRVs the listener must be restarted, as its LDAP-filter has to be created from the UCRVs:
It should be sufficient to get all '(objectClass=...)' filter parts from the UDM modules in <UDM-module-pattern> and OR them.
Then in the handler() function check the concrete UDM module for the current object by comparing the <UDM-module-pattern> to the value in 'univentionObjectType'.

=====================================================================

A completely alternative approach would be to improve the "Admin Diary".
The information to log could be made configurable in a similar manner, and, in addition to logging, a 'send email' action could be added.
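To make the rule scheme from Comment 1 concrete (the auditing/<UDM-module-pattern>/property/<property-name> UCRVs, the '@'-versus-username recipient rule, the 'ALL' property and the match against univentionObjectType), here is an added example that is not code from the comment, the listener API or UCS itself. It assumes a constructed set of UCRVs, a small dict standing in for the LDAP lookup of mailPrimaryAddress, and fnmatch-style matching for the module pattern; the diff of changed properties and the actual email sending are out of scope.

```python
import fnmatch

# Constructed sample UCRVs following the proposed key scheme (not real configuration)
UCR = {
    "auditing/users/user/property/password": "Administrator",
    "auditing/users/user/property/birthday": "me@example.com,you@example.com",
    "auditing/groups/group/property/ALL": "auditor@example.com",
    "auditing/computers/*/property/ip": "Administrator",
}

# Constructed username -> mailPrimaryAddress map; stands in for an LDAP search
MAIL_PRIMARY = {"Administrator": "admin@example.com"}


def parse_rules(ucr):
    """Return [(module_pattern, property_name, [addresses])] from auditing/... UCRVs."""
    rules = []
    for key, value in ucr.items():
        parts = key.split("/")
        if len(parts) < 4 or parts[0] != "auditing" or parts[-2] != "property":
            continue  # not an auditing rule, ignore
        pattern = "/".join(parts[1:-2])  # e.g. "users/user" or "computers/*"
        addresses = [a.strip() for a in value.split(",") if a.strip()]
        rules.append((pattern, parts[-1], addresses))
    return rules


def resolve(address, mail_lookup):
    """Contains '@': use literally; otherwise treat as username -> mailPrimaryAddress."""
    if "@" in address:
        return address
    return mail_lookup.get(address)  # None if the user has no primary address


def recipients(object_type, changed_properties, ucr, mail_lookup):
    """Addresses to notify for an object whose univentionObjectType is `object_type`."""
    out = set()
    for pattern, prop, addresses in parse_rules(ucr):
        if not fnmatch.fnmatchcase(object_type, pattern):
            continue  # rule targets another UDM module
        if prop != "ALL" and prop not in changed_properties:
            continue  # observed property did not change
        for address in addresses:
            resolved = resolve(address, mail_lookup)
            if resolved:
                out.add(resolved)
    return out
```

A user without a mailPrimaryAddress is silently skipped here; a real listener would want to log that case so a missing notification is noticed.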