Univention Bugzilla – Bug 56871
UMC set/password depends on Kerberos, which is not available in openDesk
Last modified: 2023-11-24 13:54:42 CET
The set/password endpoint of the UMC is used e.g. in the portal to allow users to change their own passwords. This is currently implemented using PAM's `chauthtok` function, which is configured in the appliance to use pam_krb5. This verifies the old password and calls the Samba/Kerberos server. The patched server then calls UDM to execute the actual change.

In the containerized environment (UMS/openDesk) it is not foreseen to deliver a Kerberos server, therefore this password change method does not work.

We have mitigated this for now by patching UMC to
- verify the old password via PAM,
- and perform the password change directly with UDM, to avoid the Kerberos roundtrip.

In the interest of maintainability, it would be beneficial to have this functionality upstream in the UMC codebase. In whatever way this is implemented, a(n optional) codepath which does not use Kerberos is necessary.

Created attachment 11151
set_password_without_kerberos.patch

Current workaround in `container-umc`.

UCS Merge request: https://git.knut.univention.de/univention/ucs/-/merge_requests/972
Original downstream issue: https://git.knut.univention.de/univention/customers/dataport/team-souvap/-/issues/311