Univention Bugzilla – Bug 51359
Send an Email when Password is Changed
Last modified: 2021-05-03 15:24:41 CEST
For auditing reasons a customer would like to have an email sent when a user changes his password through UMC. As email destination the user's assigned email should be used.
Sounds like a very special requirement. A simple listener could be written for the customer. The LDAP attributes that have to be observed for changes are:
* krb5Key
* krb5KeyVersionNumber
* sambaPwdLastSet
* sambaNTPassword
* userPassword

A more general approach - that may be interesting for more customers - would be a listener that sends emails for registered addresses for certain attributes. The email addresses can be more flexible if the following is done:
* if it contains an '@', send to that email address
* if no '@', it must be a username → send to that user's mailPrimaryAddress

The observed 'attributes' should be UDM properties, as those names are better known and are kind of the public UCS API.

The registry could be done through UCR like this:

auditing/<UDM-module-pattern>/property/<property-name>=email1,email2,...

Example:

auditing/users/user/property/birthday=me@example.com,you@example.com
auditing/users/user/property/password=Administrator
auditing/groups/group/property/users=Administrator
auditing/groups/group/property/ALL=auditor@@example.com
auditing/computers/*/ip=Administrator

The special property 'ALL' means "send email on all changes".

The email should contain a diff of all changed properties. The new listener API has a method for this. The mapping UDM property <-> LDAP attribute is in the UDM modules.

After changing the UCRVs the listener must be restarted, as its LDAP-filter has to be created from the UCRVs: It should be sufficient to get all '(objectClass=...)' filter parts from the UDM modules in <UDM-module-pattern> and OR them. Then in the handler() function check the concrete UDM module for the current object by comparing the <UDM-module-pattern> to the value in 'univentionObjectType'.

=====================================================================

A completely alternative approach would be to improve the "Admin Diary".
The information to log could be made configurable in a similar manner, and as an action additional to logging 'send email' could be added.
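
The rule matching proposed in the comment above, as an added example that is not code from Univention or from the bug's participants: it parses `auditing/<UDM-module-pattern>/property/<property-name>` variables, matches the pattern against the object's `univentionObjectType`, and resolves recipients by the '@' rule. It uses only the Python standard library, not the UCS listener API; the function names, the sample data and the redaction of password values are assumptions of this example.

```python
from fnmatch import fnmatchcase

PREFIX = "auditing/"
REDACT = {"password"}  # assumption of this example: secret values never go into the mail

# Constructed sample data in the proposed key format (not a real UCR dump).
SAMPLE_UCR = {
    "auditing/users/user/property/birthday": "me@example.com,you@example.com",
    "auditing/users/user/property/password": "Administrator",
    "auditing/computers/*/property/ALL": "auditor@example.com",
    "some/other/variable": "ignored",
}
SAMPLE_MAILS = {"Administrator": "admin@example.com"}  # username -> mailPrimaryAddress

def parse_rules(ucr):
    """Return (module_pattern, property_name, [recipients]) for every auditing/ variable."""
    rules = []
    for key, value in ucr.items():
        if not key.startswith(PREFIX) or "/property/" not in key:
            continue
        pattern, prop = key[len(PREFIX):].rsplit("/property/", 1)
        rules.append((pattern, prop, [r.strip() for r in value.split(",") if r.strip()]))
    return rules

def resolve(recipient, mail_of_user):
    """An entry with '@' is an address; anything else is a username to look up."""
    if "@" in recipient:
        return recipient
    return mail_of_user.get(recipient)  # None: unknown user or no mail address

def notifications(ucr, object_type, old, new, mail_of_user):
    """Return {address: {property: (old, new)}} for one modified object."""
    changed = {p: (old.get(p), new.get(p))
               for p in set(old) | set(new) if old.get(p) != new.get(p)}
    out = {}
    for pattern, prop, recipients in parse_rules(ucr):
        if not fnmatchcase(object_type, pattern):  # compare with univentionObjectType
            continue
        # 'ALL' selects every changed property, otherwise only the named one.
        props = changed if prop == "ALL" else {p: d for p, d in changed.items() if p == prop}
        for p, diff in props.items():
            shown = ("<redacted>", "<redacted>") if p in REDACT else diff
            for recipient in recipients:
                address = resolve(recipient, mail_of_user)
                if address:
                    out.setdefault(address, {})[p] = shown
    return out
```

A username that cannot be resolved to a mail address is skipped silently here; an audit deployment would want to log that case, since it means a change went unreported.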