Bug 51359 - Send an Email when Password is Changed
Send an Email when Password is Changed
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - User settings
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: UMC maintainers
UMC maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-05-26 13:41 CEST by Christian Völker
Modified: 2020-05-26 19:16 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020052521000199
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Völker univentionstaff 2020-05-26 13:41:58 CEST
For auditing reasons a customer like to have an email send when a user changes his password through UMC.
As email destination the user's assigned email should be used.
Comment 1 Daniel Tröder univentionstaff 2020-05-26 19:16:04 CEST
Sounds like a very special requirement.
A simple listener could be written for the customer.
The LDAP attributes that have to be observed for changes are:
* krb5Key
* krb5KeyVersionNumber
* sambaPwdLastSet
* sambaNTPassword
* userPassword

A more general approach -  that may be interesting for more customers - would be a listener that sends emails for registered addresses for certain attributes.

The email addresses can be more flexible if the following is done:
* if it contains an '@', send to that email address
* if no '@', it must be a username → send to that users mailPrimaryAddress

The observed 'attributes' should be UDM properties, as those names are better known and are kind of the public UCS API. The registry could be done through UCR like this:

auditing/<UDM-module-pattern>/property/<property-name>=email1,email2,...

Example:

auditing/users/user/property/birthday=me@example.com,you@example.com
auditing/users/user/property/password=Administrator
auditing/groups/group/property/users=Administrator
auditing/groups/group/property/ALL=auditor@@example.com
auditing/computers/*/ip=Administrator

The special property 'ALL' means "send email on all changes".

The email should contain a diff of all changed properties.
The new listener API has a method for this.

The mapping UDM property <-> LDAP attribute is in the UDM modules.

After changing the UCRVs the listener must be restarted, as its LDAP-filter has to be created from the UCRVs:
It should be sufficient to get all '(objectClass=...)' filter parts from the UDM modules in <UDM-module-pattern> and OR them.
Then in the handler() function check the concrete UDM module for the current object by comparing the <UDM-module-pattern> to the value in 'univentionObjectType'.

=====================================================================0

A completely alternatively approach would be to improve the "Admin Diary".
The information to log could be made configurable in a similar manner, and as an action additional to logging 'send email' could be added.