With Univention Corporate Server 4.3-3, the third point release of Univention Corporate Server (UCS) 4.3 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
The configuration options for the UCS portal have been extended to better adapt it to your own needs. It is now possible to define custom categories for tiles. It is also possible to define static links, e.g. a link to an imprint.
The new UCS Dashboard App allows administrators to quickly and easily view the state of the domain or individual servers on different dashboards.
In addition to minor bug fixes in Univention Management Console the scrolling behavior has been improved in many places.
The introduction of a new simplified Python API reduces the development effort for developers to access the UCS Identity Management.
Various security updates have been integrated into UCS 4.3-3, e.g. Apache2, the Linux kernel and Samba4. UCS 4.3-3 is based on the Debian release 9.6 released in November. A complete list is available in Chapter 6.
During the update some services in the domain may temporarily be unavailable, which is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVDs are only provided for the x86 64-bit architecture (amd64). Existing 32-bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32-bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
As a consequence, the system can be severely affected.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command
univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
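The update procedure above, as an added example that is not part of the release notes: a small POSIX shell wrapper that checks the root and free-space preconditions, starts the release update in a detached screen session (or an at(1) job when screen is missing) so that a dropped SSH connection does not cancel it, and chains the join scripts and the reboot behind a successful update. It assumes the update command is univention-upgrade and that its --noninteractive, --ignoressh and --ignoreterm options are available in UCS 4.3 (verify with univention-upgrade --help); the log path and the 4 GB threshold are choices made here.

```shell
#!/bin/sh
# Added example, not from the UCS release notes: run the release update so that
# it survives a lost SSH session, then run join scripts and reboot.
# Assumptions: `univention-upgrade` with --noninteractive/--ignoressh/--ignoreterm
# (check `univention-upgrade --help`), plus screen, at and
# univention-run-join-scripts installed on the UCS system.

LOGFILE=${LOGFILE:-/var/log/univention/release-update.log}
MIN_FREE_KIB=${MIN_FREE_KIB:-4194304}   # ~4 GB extra space, as the notes require

# True when running as root (the notes require the update to be run as root).
is_root() { [ "$(id -u)" -eq 0 ]; }

# True when at least KIB kilobytes are free on PATH: have_free_space PATH KIB
have_free_space() {
    avail=$(df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }')
    [ "${avail:-0}" -ge "$2" ]
}

# True when this shell already runs inside a screen session (screen sets STY).
in_screen() { [ -n "${STY:-}" ]; }

# The command sequence the detached session executes: update, join scripts,
# reboot. Each step runs only if the previous one succeeded, so a failed
# update never triggers the reboot.
update_sequence() {
    printf '%s' "univention-upgrade --noninteractive --ignoressh --ignoreterm >>$LOGFILE 2>&1 && univention-run-join-scripts >>$LOGFILE 2>&1 && reboot"
}

# Start the sequence detached from the current terminal: screen if available,
# otherwise an at(1) job, which is also independent of the SSH session.
launch_detached() {
    if command -v screen >/dev/null 2>&1; then
        screen -dmS ucs-update sh -c "$(update_sequence)"
        echo "update started in screen session 'ucs-update'; reattach with: screen -r ucs-update"
    else
        echo "sh -c '$(update_sequence)'" | at now
        echo "update queued as at(1) job; follow $LOGFILE"
    fi
}

main() {
    is_root || { echo "run as root" >&2; return 1; }
    have_free_space / "$MIN_FREE_KIB" || { echo "less than $MIN_FREE_KIB KiB free on /" >&2; return 1; }
    if in_screen; then
        # Already detached: run the sequence directly in this session.
        sh -c "$(update_sequence)"
    else
        launch_detached
    fi
}

# Only act when explicitly requested (UCS_UPDATE_RUN=1 ./update.sh), so the
# file can be sourced for inspection without starting an update.
if [ "${UCS_UPDATE_RUN:-0}" = 1 ]; then
    main
fi
```

When the session is detached by screen, follow progress with screen -r ucs-update or tail -f on the log file; if the connection drops, the update, join scripts and reboot continue inside the screen session or at job rather than being killed with the SSH session.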
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 37
Firefox as of version 38
Internet Explorer as of version 11
Safari and Safari Mobile as of version 9
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.3-2:
All security updates issued for UCS 4.3-3 are included:
The following updated packages from Debian 9.6 are included (Bug 48278): accerciser, base-files, brltty, canna, cargo, chromium-browser, confuse, debian-installer, debian-installer-netboot-images, discount, dnsmasq, dom4j, dpdk, dropbear, drupal7, easytag, enigmail, espeakup, fastforward, firetray, fuse, ganeti, globus-gsi-credential, gnupg2, gphoto2-cffi, graphicsmagick, grub2, hdparm, https-everywhere, i3-wm, icecast2, iipimage, jhead, kamailio, lastpass-cli, ldap2zone, libcgroup, libclamunrar, libdap, libdatetime-timezone-perl, libextractor, libmail-deliverystatus-bounceparser-perl, libseccomp, libxml-stream-perl, libxml-structured-perl, lxcfs, mailman, mbedtls, mediawiki, mgetty, moin, mosquitto, multipath-tools, mupdf, nagstamon, network-manager-applet, nginx, ola, openafs, opensc, otrs2, pkgsel, publicsuffix, python-django, python-imaplib2, roundcube, ruby-json-jwt, rustc, sddm, serf, soundconverter, spice-gtk, sqlcipher, strongswan, subversion, sympa, systraq, thunderbird, tinc, tomcat-native, tor, trafficserver, tzdata, ublock-origin, vagrant, vmtk, x11vnc, xapian-core, xmotd, xorg-server, zutils
The following packages have been moved to the maintained repository of UCS: backports.ssl-match-hostname (Bug 43612), cached-property (Bug 43612), docker-compose (Bug 43612), dockerpty (Bug 43612), docopt (Bug 43612), lazy-object-proxy (Bug 48086), libconfig-inifiles-perl (Bug 48201), libhx (Bug 47933), libresample (Bug 48007), python-bsddb3 (Bug 47933), python-docker (Bug 43612), python-functools32 (Bug 43612), python-jsonschema (Bug 43612), python-ruamel.ordereddict (Bug 43612), python-typing (Bug 43612), ruamel.yaml (Bug 43612), texttable (Bug 43612), websocket-client (Bug 43612), wimlib (Bug 47994)
univention-directory-listener-ctrl (Bug 47870).
server/role and ldap/master are not set (Bug 47837).
AttributeHook.
This can be used to implement a mapping between LDAP and UDM for extended attributes (Bug 43129).
admin is now allowed (Bug 38092).
settings/data was added.
It can be used to store arbitrary data in LDAP (Bug 47944).
mailinglist_name in running Python processes (Bug 48020).
syntax.py (Bug 48026).
alphanum option (Bug 47580).
univentionObjectType although they should have one.
The plugin also allows to migrate those objects.
Having a univentionObjectType allows for other services to use a convenient LDAP filter (Bug 47844).
usrjquota) quota as well (Bug 47764).
users/self module regarding saving unset properties with default values has been addressed (Bug 48047).
alphanum option (Bug 47580).
umc_init no longer assumes that the LDAP group objects cn=Domain Admins and cn=Domain Users are direct children of the cn=groups container.
Instead it searches for them (or their localized equivalents, like Domänen-Admins) (Bug 38057).
slapschema during registration of new schemas for errors (Bug 45571).
settings/data was added.
It can be used to store arbitrary data in LDAP (Bug 47944).
ldap/debug/level has been fixed (Bug 48102).
ldap/database/mdb/envflags (Bug 47869).
univention-updater now logs a more useful error message (Bug 34444).
pg_hba.conf to always grant access to that internal user.
This is required for automatic maintenance and similar tasks (Bug 31081).
postgres9/pg_hba/config/* allows for additional configuration options in the file pg_hba.conf (Bug 47276).
ifconfig was missing in the UCS container.
Also fixed parsing of the tool's output (Bug 46665).
stunnel to run on systems without univention-saml installed, such as member servers and slave domain controllers.
The univention-saml package was updated to create the required directories (Bug 47250).
clamav-daemon is disabled via Univention Configuration Registry variable clamav/daemon/autostart=no.
Without this change Postfix is unable to process incoming mails due to a non-working AMaViS (Bug 39372).
mail/dovecot/sieve/client/server can now be used to specify an external FQDN for the Sieve script upload that matches the external SSL certificate (Bug 41018).
proxy.conf to allow RADIUS authentication with DOMAIN\USERNAME.
The original proxy.conf is diverted to proxy.conf.debian and is included into the new proxy.conf (Bug 42535).
ldap has been activated manually (Bug 48105).
univention-certificate renew does not revoke the old certificates anymore, so that they are still valid until they expire.
Additionally, certificates can now get addressed by their serial numbers using the option -id (Bug 41013).
uvmm/vm/cpu/host-model to either missing or always:
This modifies the XML description to include a description for the CPU of the host system for running virtual machines.
If a CPU description is present, UVMM will check the target host for compatibility.
The migration is aborted if the target host's CPU is not compatible.
Virtual machines must be restarted to activate pending changes.
UVMM monitors running virtual machines for reboot events and restarts them automatically (Bug 21386).
map acl inherit = yes for samba shares if NT ACLs and inherit ACLs are activated (Bug 47850).
netlogon_creds_cli.tdb in univention-samba4-backup (Bug 46468).
samba-tool dbcheck was unable to fix this automatically (Bug 48054).
samba-tool dbcheck --fix even if a modification failed (Bug 48040).
CN=Configuration gets replicated before the main domain partition.
As a result DRS replication could fail (Bug 47441).
sync_to_ucs reject for DNS Start of Authority (SOA) records whose Name Server (NS) resource record is missing the trailing dot (Bug 44104).
connector/s4/mapping/dns/ignorelist was unset or empty (Bug 44711).
ucs_module_others if defined in the mapping (Bug 47779).
0 when synchronizing changes back from Samba/AD to UDM/OpenLDAP.
In a UCS@school specific UMC module this caused a display issue, where the next required password change was shown as never (Bug 47508, Bug 47595).
connector/ad/mapping/sync/userPrincipalName and restart the AD-Connector to sync username to userPrincipalName on subsequent object modifications (Bug 48153).
univention-adsearch now accepts a space-separated attribute list as parameter (Bug 43189).
univention-adsearch are printed base64 encoded (Bug 48082).
cn=Subschema object caused AD-Connector rejects (Bug 47396).
Domain Admin account is configured for the AD connection (Bug 47069).
connector/ldap/server set to a non-master server with read-only OpenLDAP (Bug 44024).
univention-adsearch now also uses the file containing the full certificate chain instead of only the exported AD certificate alone (Bug 47858).
server/password/cron (Bug 47781).