In Nubus for K8s, the "password reset" function runs into a rate limit on the UMC self-service endpoints:

1. User requests a password reset through the frontend. This aspect is rate-limited, which is correct, as it is unauthenticated. The rate limit is per IP.
2. The UMC places a password-reset request in a NATS queue for the self-service consumer.
3. The self-service consumer processes the password-reset requests one by one. Each time it calls an endpoint on the UMC, which sends the actual email. This endpoint is rate-limited as well.

Large customers set up their environment initially, which can easily lead to thousands of emails that need to be sent. As the self-service consumer always calls the UMC from the same IP, it will trigger the rate limit and the customer onboarding process gets stuck.

Workaround:

- Restart the memcached pod. This will clear the rate-limit cache and allow continuing for another couple of requests. After the initial onboarding spike, the rates should be much lower and the system becomes unstuck.
- Reconfigure UCR variables which control the rate limit. This is not advised as it will also affect other self-service functionality which needs a rate limit to protect against brute-force attacks.
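The failure mode and both workarounds described above, as an added simulation that is not part of the original report and is not Univention code. The limiter class, the limit of 10 per 60 seconds, the queue size and the IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

class PerIPLimiter:
    """Sliding-window limit keyed by caller IP (hypothetical stand-in for the
    memcached-backed limit; not the UMC implementation)."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.cache = defaultdict(list)   # ip -> timestamps, plays the role of memcached

    def allow(self, ip, now):
        hits = [t for t in self.cache[ip] if now - t < self.window]
        allowed = len(hits) < self.limit
        if allowed:
            hits.append(now)
        self.cache[ip] = hits
        return allowed

    def flush(self):
        """Equivalent of restarting the memcached pod: every counter is lost."""
        self.cache.clear()

def drain_queue(limiter, queue_len, caller_ip, now=0.0):
    """One call per queued reset, all from the same IP.
    Returns how many calls succeed before the limiter blocks."""
    sent = 0
    for _ in range(queue_len):
        if not limiter.allow(caller_ip, now):
            break
        sent += 1
        now += 0.01   # the consumer works far faster than the window
    return sent

def onboarding_demo(limit=10, window=60.0, users=1000):
    consumer_ip = "10.0.0.5"      # constructed address for the consumer pod
    limiter = PerIPLimiter(limit, window)
    first = drain_queue(limiter, users, consumer_ip)                    # initial burst
    stuck = drain_queue(limiter, users - first, consumer_ip, now=1.0)   # retry: blocked
    limiter.flush()                                                     # workaround 1
    after_flush = drain_queue(limiter, users - first, consumer_ip, now=2.0)
    # Workaround 2: raising the limit far enough to cover the queue gives any
    # other caller the same budget, which is why the report advises against it.
    raised = PerIPLimiter(users, window)
    other_ip_budget = drain_queue(raised, users, "203.0.113.7")
    return first, stuck, after_flush, other_ip_budget
```

Each flush buys only one more window's worth of mails, so a queue of 1000 resets at the assumed limit would need many restarts or a long wait to drain.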
Change the bug to UCS, so we use this bug to release the patch to the selfservice
Successful build
Package: univention-self-service
Version: 7.1.2
Branch: 5.2-0
Scope: errata5.2-1
User: jtorres
Host: ladda

Test
Successful build
Package: ucs-test
Version: 12.1.17
Branch: 5.2-0
Scope: errata5.2-1
User: jtorres
Host: ladda

Code review: OK
YAML: OK
Documentation: OK
Test: ~OK: SKIPPED, but manually run and it works
K8s: SKIPPED, only tested UCS
<https://errata.software-univention.de/#/?erratum=5.2x116>