Table of Contents
With Univention Corporate Server 4.2-4, the fourth point release of Univention Corporate Server (UCS) 4.2 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. An overview of the most important changes are:
Support for creating subfolders in shared folders was added to the Dovecot integration.
The package univention-ldap-overlay-memberof is now automatically installed during the system configuration of backup domain controller and slave domain controller systems if the memberOf overlay module is enabled on the master domain controller.
Individual changes to the Postfix configuration can now be added to the files main.cf.local and master.cf.local.
A confirmation dialog has been added which is shown after a user changed their password at the self-service module.
A new API for programming of Univention Directory Listener modules was added.
Various security updates have been integrated into UCS 4.2-4, e.g. OpenLDAP, the Linux kernel, Samba, MySQL and PostgreSQL. A complete list is available in Chapter 6.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 1 GB of disk space for download and installation all packages.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9
Users with older browsers may experience display or performance issues.
Listed are the changes since UCS 4.2-3:
When Univention System Setup detects that the LDAP overlay module memberOf is activated on the master domain controller the package univention-ldap-overlay-memberof is automatically installed (Bug 46091).
All security updates issued for UCS 4.2-3 are included:
The following updated packages from Debian Jessie 8.10 are included (Bug 46967): activemq, apf-firewall, apt-cacher, apt-xapian-index, atril, audiofile, awstats, bareos, bashburn, bchunk, binutils, bitlbee, boinc, botan1.10, bouncycastle, bzr, cfitsio, chkrootkit, chromium-browser, commons-daemon, connman, courier-filter-perl, cqrlog, cups, cvs, debconf, debian-archive-keyring, debian-edu-doc, debian-history, debian-installer-netboot-images, debian-installer, debian-security-support, debmirror, debootstrap, deluge, dns-root-data, dput, dropbear, drupal7, dwww, elog, enigmail, eterm, ettercap, evince, fontforge, fop, foremost, foxyproxy, freeplane, freexl, gajim, galternatives, gifsicle, gimp, git-annex, gitolite3, gnats, gnome-media, gnome-screenshot, gnome-settings-daemon, groovy2, groovy, gsoap, gst-plugins-ugly1.0, gtk+2.0, guile-2.0, gunicorn, hexchat, hunspell-en-us, icedove, icedove, icoutils, initramfs-tools, init-select, installation-guide, irqbalance, irssi, jackrabbit, jackson-databind, jhead, jython, kamailio, kedpm, keyringer, knot, konversation, kup, ldap-account-manager, libapache2-mod-perl2, libcgi-application-plugin-anytemplate-perl, libclamunrar, libdata-faker-perl, libdatetime-timezone-perl, libdbi, libdvdnav, libembperl-perl, libhtml-microformats-perl, libhttp-proxy-perl, libidn2-0, libindicate, libio-socket-ssl-perl, liblouis, libmateweather, libofx, libosinfo, libosip2, libpam4j, libsdl2-image, libspring-ldap-java, libsys-syscall-perl, libterralib, libvorbisidec, libwmf, libwnckmm, libx11-protocol-other-perl, libxstream-java, libytnef, linux-latest, logback, lucene-solr, lxc, lxterminal, mailman, mariadb-10.0, mercurial, metar, minicom, mobile-broadband-provider-info, modsecurity-crs, mongodb, mosquitto, most, mupdf, mysql-connector-java, ndisc6, ndoutils, netcfg, newsbeuter, nginx, nostalgy, nvidia-graphics-drivers-legacy-304xx, nvidia-graphics-drivers, nvidia-graphics-modules, offlineimap, openchange, openjpeg2, openmpi, openocd, openoffice.org-dictionaries, opensaml2, openssh, optipng, os-prober, otrs2, partman-ext3, pdns, pdns-recursor, php-radius, pidgin, plexus-utils2, plexus-utils, plv8, poco, polarssl, puppet, python-colorlog, python-django, python-gnupg, python-plumbum, python-tablib, quagga, quassel, radare2, r-base, readline5, request-tracker4, rkhunter, rt-authen-externalauth, ruby-omniauth, ruby-ox, sage-extension, sam2p, sendmail, sharutils, shibboleth-sp2, shutter, sieve-extension, sitesummary, slurm-llnl, smb4k, smemstat, spip, squirrelmail, strongswan, supervisor, sus, synergy, syslinux, tabix, tcpdf, thunderbird, tnef, tomcat6, tomcat7, tomcat8, tomcat-native, tor, transfig, transmission, transmissionrpc, tryton-server, tzdata, unbound, uwsgi, uzbek-wordlist, webissues-server, weechat, wordpress, wordpress-shibboleth, xarchiver, xen, xfce4-weather-plugin, xmltooling, xmobar, yara, zabbix, zookeeper
systemctl from reporting a wrong status for the univention-directory-listener service, the runsv timeout has been increased to 30 seconds (Bug 46313).
systemctl from reporting a wrong status for the univention-directory-notifier service, the runsv timeout has been increased to 30 seconds (Bug 46312).
umc/http/show_tracebacks to false (Bug 45395).
pkgdb Univention Management Console module (Bug 44173).
umc/http/show_tracebacks to false (Bug 45395).
/etc/machine.secret in App containers have been fixed (Bug 46835).
univention-upgrade non-interactively may have caused an error while upgrading Apps when run on a master domain controller (Bug 46703).
LDAP_HOSTDN (Bug 46223).
ad/reset/username and ad/reset/password need to be set (Bug 44867).
postscreen has been integrated and can be configured via the Univention Configuration Registry variables prefixed by mail/postfix/postscreen/.
The service performs lightweight checks on incoming SMTP connections to reject e.g. spam early (Bug 45607).
mail/postfix/policy/listfilter/use_sasl_username was set to yes, the listfilter policy service rejected all mail unexpectedly.
The listfilter policy service has been fixed and now handles Cyrus SASL authentication correctly (Bug 45422).
main.cf.local and master.cf.local will now be appended to /etc/postfix/main.cf and /etc/postfix/master.cf respectively.
After editing the *.local files, ucr commit /etc/postfix/*.cf must be called (Bug 44922).
listfilter policy service can now write debugging information to the mail log, when the Univention Configuration Registry variable mail/postfix/policy/listfilter/debug is set to yes (Bug 44473).
ldap/database/mdb/maxsize).
If the maximum size is reached, write requests are no longer possible.
The new plugin checks the effective size of the database and returns a warning if 75%, or critical if 90% are in use.
The plugin is activated for all domain controllers upon the installation of the Nagios packages.
For updates, the plugin has to be activated manually.
This can be done by executing the following commands on the Nagios server and the client.
univention-run-join-scripts --force --run-scripts 26univention-nagios-common.inst 30univention-nagios-client.inst
(Bug 45685).
connector-tracebacks.log is not written any longer (Bug 38140).