I wonder if it would be possible/feasible to attack this from a different angle. It looks like Neth always uses LDAP, in one form or another, for authentication. If that’s the case, why can’t updating the password through LDAP work? That would let us use the built-in password change mechanisms in those apps that have them (Roundcube, Nextcloud, etc.), and wouldn’t require exposing a web service running as root to the world.
This wouldn’t work for SME, as it uses a mishmash of authentication providers, and requires the e-smith events to keep them all in sync. But Neth appears to have moved in the direction of running everything through a single auth provider, and in that case, there’s nothing else that needs to be kept in sync. Or am I misunderstanding how this part of Neth works?