With Univention Corporate Server 4.4-4, the fourth point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties, and various bugfixes. Here is an overview of the most important changes:
UCS can now log when the last authentication on the LDAP server took place, for example when users logged on using the SAML identity provider. A use case could be the detection of accounts that are no longer in use.
The AD Connector can synchronize Kerberos hashes from AD and thus work without NTLM hashes.
The AD Connector now officially supports Windows Server 2019. The synchronization of changes to large groups has been accelerated by transferring only changes (new / removed members) and not always the complete list of current group members. In the context of group synchronization a memory leak has also been fixed.
User guidance has been improved in the App Center: The number of steps required for installing apps is now displayed, the different message types appear in a clearer, uniform look and feel and have been partially combined onto a single page.
The SAML login to the portal and apps has more configuration options; for example, the various links (“How to log in”, “Login without SSO”) can now be customized. A new feature is a configurable link to the “Forgot password” function of the Self Service.
Various security updates have been integrated into UCS 4.4-4, e.g. Samba, the Linux kernel and PHP. A complete list of security and package updates is available in Chapter 6.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download script and detached signature
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}
# verify the signature against the UCS archive key; the script only runs if gpgv succeeds
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
  pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the corresponding UMC module, or by running the command univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the license information in the user menu in the upper right corner of Univention Management Console. If the license shown there is the UCS Core Edition, this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-3:
admin/diary/query/limit (Bug 50531).
dh_python2 instead of python-support (Bug 49169).
All security updates issued for UCS 4.4-3 are included:
The following updated packages from Debian Stretch 9.12 are included (Bug 50959): base-files, freetype, glib2.0, libdatetime-timezone-perl, libperl4-corelibs-perl, libtimedate-perl, linux-latest, perl, postfix, python-cryptography, tzdata, xml-security-c, cacti, cargo, davical, debian-edu-config, debian-installer, debian-installer-netboot-images, debian-lan-config, debian-security-support, dehydrated, dispmua, dpdk, evince, fence-agents, fig2dev, flightcrew, freeimage, gdb-arm-none-eabi, gnustep-base, graphicsmagick, italc, ldm, libdate-holidays-de-perl, libjaxen-java, libofx, libole-storage-lite-perl, libparse-win32registry-perl, libpst, libsixel, libsolv, libtest-mocktime-perl, libxmlrpc3-java, limnoria, llvm-toolchain-7, mediawiki, monit, netty, network-manager-ssh, node-fstream, node-mixin-deep, nodejs-mozilla, nvidia-graphics-drivers-legacy-340xx, nyancat, openconnect, opensmtpd, php-horde, prosody-modules, python-acme, python-flask-rdf, python-pgmagick, ros-ros-comm, ruby-encryptor, rust-cbindgen, rustc, safe-rm, sorl-thumbnail, sssd, thunderbird, tigervnc, tmpreaper, tomcat-native, tomcat8, ublock-origin, unhide, x2goclient, xen
The following packages have been moved to the maintained repository of UCS: authres (Bug 50777), dns-root-data (Bug 50777), libopendbx (Bug 50777), opendkim (Bug 50777), py3dns (Bug 50777), pypolicyd-spf (Bug 50777), pyspf (Bug 50777), sendmail (Bug 50777)
k5pwd used the default Kerberos salt to check the password during simple-bind. We now use the correct salt, found in the k5key itself (Bug 50492).
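Why the salt matters for the k5pwd fix above (and for Kerberos hashes that arrive via the AD Connector, which the same Bug 50492 covers) is shown in the following added example. It is not UCS or OpenLDAP code: it performs only the PBKDF2 step of the RFC 3962 AES string-to-key function (the real key additionally goes through DK(), which takes the same salted input), the k5key dictionary is a stand-in for a stored key entry, and the renamed-account scenario, realm, names and passwords are constructed. The default salt follows RFC 4120: realm name followed by the principal name components without separators.

```python
"""Salt handling when a Kerberos key is checked against a simple-bind
password. Added example for these notes, not UCS or OpenLDAP code.
Only the PBKDF2 step of the RFC 3962 AES string-to-key function is done
here; a real key is additionally passed through DK(), which does not
change which salt has to be used."""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # RFC 3962 default when no s2kparams are stored
AES256_KEY_LEN = 32        # aes256-cts-hmac-sha1-96 key length in bytes


def default_salt(realm, principal):
    """RFC 4120 default salt: realm followed by the principal's name
    components, with no separators ('EXAMPLE.COM' + 'alice')."""
    return realm + "".join(principal.split("/"))


def salted_key_material(password, salt):
    """PBKDF2-HMAC-SHA1 step of string-to-key; a different salt yields
    unrelated output for the same password."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ITERATIONS,
                               AES256_KEY_LEN)


def make_k5key(realm, principal, password, salt=None):
    """Constructed stand-in for a stored k5key entry: the key plus the salt
    it was created with (None means the default salt was used)."""
    used_salt = salt if salt is not None else default_salt(realm, principal)
    return {"realm": realm, "principal": principal, "salt": salt,
            "key": salted_key_material(password, used_salt)}


def check_password_default_salt(password, k5key):
    """The behaviour the release notes describe as the bug: always derive
    with the default salt and ignore the salt stored with the key."""
    salt = default_salt(k5key["realm"], k5key["principal"])
    return hmac.compare_digest(salted_key_material(password, salt), k5key["key"])


def check_password(password, k5key):
    """Fixed behaviour: use the salt stored in the k5key and fall back to
    the default salt only when none is stored."""
    salt = k5key["salt"]
    if salt is None:
        salt = default_salt(k5key["realm"], k5key["principal"])
    return hmac.compare_digest(salted_key_material(password, salt), k5key["key"])


# Constructed scenario: the salt is fixed when the password is set, so a key
# created for 'alice.smith' and later carried over to the renamed principal
# 'alice' (or a key created by another KDC such as AD, whose salt convention
# differs) can only be verified with the salt stored beside the key.
REALM = "EXAMPLE.COM"
FOREIGN = make_k5key(REALM, "alice", "correct horse", salt="EXAMPLE.COMalice.smith")
LOCAL = make_k5key(REALM, "bob", "battery staple")   # created under the default salt


def demo():
    """Run both checkers against both keys; the value is accepted/rejected."""
    return {
        "foreign_default_salt": check_password_default_salt("correct horse", FOREIGN),
        "foreign_stored_salt": check_password("correct horse", FOREIGN),
        "foreign_wrong_password": check_password("wrong", FOREIGN),
        "local_default_salt": check_password_default_salt("battery staple", LOCAL),
        "local_stored_salt": check_password("battery staple", LOCAL),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-24s %s" % (name, "accepted" if ok else "rejected"))
```

The old checker rejects the correct password for every key whose salt differs from the default, which is a login failure rather than a security hole; the fixed checker still rejects wrong passwords and compares keys in constant time.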
slapo-lastbind can now be activated via the Univention Configuration Registry variable ldap/overlay/lastbind, which, when activated, stores the timestamp of a successful bind to an LDAP server. The script /usr/share/univention-ldap/univention_lastbind.py can be used to store the youngest of these timestamps, from all reachable LDAP servers, into the extended attribute lastbind of a specified user (Bug 49700).
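The collection step that univention_lastbind.py performs, and the stale-account use case mentioned in the overview, are shown below as an added example in plain Python. It is not the UCS script: it works on values each LDAP server would return for the attribute slapo-lastbind writes (authTimestamp, an LDAP GeneralizedTime), picks the youngest per user, and then flags accounts without a recent bind. The server names, users and timestamps are constructed sample data; the function names and the 90-day threshold are assumptions of this example.

```python
"""Youngest successful bind per user across several LDAP servers, and a
stale-account report built on it. Added example, not the UCS script;
the sample data below is constructed."""
from datetime import datetime, timedelta, timezone

# slapo-lastbind records each successful bind in authTimestamp, an LDAP
# GeneralizedTime such as 20200312101530Z (UTC).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime; an optional fraction of a second is dropped."""
    if "." in value:
        head, _, tail = value.partition(".")
        if not tail.endswith("Z"):
            raise ValueError("only UTC ('Z') timestamps are handled: %r" % value)
        value = head + "Z"
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def youngest_bind(per_server, uid):
    """Most recent bind seen for uid on any reachable server, or None.

    The overlay writes authTimestamp on the server that handled the bind and
    the attribute is not replicated, so every server has to be asked; a server
    that could not be reached may hide a younger timestamp."""
    stamps = [parse_generalized_time(entries[uid])
              for entries in per_server.values() if entries.get(uid)]
    return max(stamps) if stamps else None


def classify_accounts(per_server, now, max_idle):
    """Map uid -> (state, youngest timestamp as GeneralizedTime or None).

    'unknown' means no reachable server recorded a bind since the overlay was
    activated; that alone is not proof the account is unused."""
    uids = set()
    for entries in per_server.values():
        uids.update(entries)
    result = {}
    for uid in sorted(uids):
        last = youngest_bind(per_server, uid)
        if last is None:
            result[uid] = ("unknown", None)
        else:
            state = "stale" if now - last > max_idle else "active"
            result[uid] = (state, last.strftime(GENERALIZED_TIME))
    return result


# Constructed sample: per server, the authTimestamp each uid has there
# (None = attribute absent on that server).
SAMPLE = {
    "master.example.com": {"alice": "20200301080000Z", "bob": None,
                           "carol": None, "dave": None},
    "backup.example.com": {"alice": "20200310121500Z", "bob": "20191105093000Z",
                           "carol": None, "dave": "20200311173000.5Z"},
    "slave1.example.com": {"alice": "20200305090000Z", "bob": None,
                           "carol": None, "dave": None},
}
NOW = datetime(2020, 3, 12, 12, 0, tzinfo=timezone.utc)


def report(per_server=SAMPLE, now=NOW, max_idle=timedelta(days=90)):
    """Run the classification over the sample with a 90-day idle threshold."""
    return classify_accounts(per_server, now, max_idle)


if __name__ == "__main__":
    for uid, (state, last) in report().items():
        print("%-6s %-8s %s" % (uid, state, last or "-"))
```

Because each server only knows about the binds it served itself, a report taken from the master alone would have missed alice's and dave's recent logins on the backup; treat the result as a lower bound whenever a server was unreachable.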
ucs/server/languages/ (Bug 47845).
For http(s)://FQDN/univention/udm/schema/ or http(s)://FQDN/univention/udm/openapi.json, authentication is now required by default. ucr set directory/manager/rest/require-auth=no can be used to disable this. After setting this Univention Configuration Registry variable the univention-directory-manager-rest service needs to be restarted (Bug 50732).
umc/login/links/how_do_i_login/.* (Bug 50609).
env file support in docker compose apps (Bug 50898).
pg_hba configuration for docker compose networks (Bug 50858).
None when using univention-app reinitialize (Bug 50718).
univention-app dev-test-setup has been added that installs components needed to run Selenium based app tests (Bug 50592).
udm_extension has been migrated to dh_python. All existing UDM extensions are migrated during the package upgrade (Bug 50401).
20univention-join.inst to create new host certificates has been fixed, which led to directories getting the wrong file permissions (Bug 49036).
60_old_schema_registration.py: It searches for a defined set of LDAP schema files and offers to register them properly if they were added to the system using an outdated installation mechanism (Bug 50889).
ldap/server/name points to the master domain controller on member servers (Bug 50191).
memberOf is activated has been added (Bug 50599).
slapd now looks for a running process only directly below parent PID 1. This allows running other slapd processes in containers (Bug 50616).
ldap-group-to-file used to run against the master domain controller by default. The LDAP server selection is now randomized to distribute the load (Bug 50191).
saml/serviceprovider has been implemented. Its value determines whether to sign logout messages sent to this service provider. Its default value is True (Bug 49305).
umc/login/links/login_without_sso/.* (Bug 50610).
saml/idp/password-change-url (Bug 50594).
umc/login/links/forgot_your_password/.* (Bug 50608).
ucs_registerLDAPExtension. This prevents errors when a backup domain controller is promoted to be the new master domain controller (Bug 50607).
/etc/postgrey/whitelist_clients.local and /etc/postgrey/whitelist_recipients.local were not included in the Postgrey configuration, even though the corresponding Univention Configuration Registry variable should force this. The creation of the .local files and the update of the Postgrey configuration have been rearranged to fix this problem (Bug 50647).
For /var/log/univention/radius_ntlm_auth.log, automatic log rotation has been added to prevent over-sized log files on heavy-duty RADIUS servers (Bug 50545).
gencertificate.py to create new host certificates has been fixed, which led to directories getting the wrong file permissions (Bug 49036).
dhcpd/ldap/debug has been added for debugging the configuration from LDAP. If activated, it creates a log file named /var/log/dhcp-ldap-startup.log (Bug 49281).
dhcpd/options/ (Bug 46805).
check_univention_ad_connector by adapting to the new process name introduced in UCS 4.4-4 erratum 390 from Bug 49168 (Bug 50676).
connector/ad/mapping/user/password/kerberos/enabled=true. If this variable is not set the hashes will not be synchronized (Bug 50492).
prepare-new-instance. This fixes the feature to synchronize several Active Directory domains with one UCS directory service (Bug 50713).
connector/ad/mapping/user/ignorefilter to an LDAP filter. Every user matched by this LDAP filter will be ignored by the connector (Bug 50674).