UCS 4.4 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.4-5


Table of Contents

1. Release highlights
2. Notes about the update
2.1. Update to UCS 4.4-5 fails with Verification error: Invalid signature: gpgv: keyblock resource ‘/etc/apt/trusted.gpg’: Datei oder Verzeichnis nicht gefunden
2.2. Recommended update order
2.3. UCS installation DVDs only available as 64-bit variant
3. Preparation of the update
4. Postprocessing of the update
5. Notes on the use of individual packages
5.1. Collection of usage statistics
5.2. Scope of security support for WebKit, Konqueror and QtWebKit
5.3. Recommended browsers for access to Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Univention Configuration Registry
6.2.1.1. Changes to templates and modules
6.3. Domain services
6.3.1. OpenLDAP
6.3.1.1. Listener/Notifier domain replication
6.3.2. DNS server
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Portal
6.4.3. Univention Management Console server
6.4.4. Univention App Center
6.4.5. Univention Directory Manager UMC modules and command line interface
6.4.6. Modules for system settings / setup wizard
6.4.7. Domain join module
6.4.8. Univention Directory Reports
6.4.9. License module
6.4.10. System diagnostic module
6.4.11. Filesystem quota module
6.4.12. Other modules
6.4.13. Development of modules for Univention Management Console
6.5. Univention base libraries
6.6. Software deployment
6.6.1. Software monitor
6.7. System services
6.7.1. PostgreSQL
6.7.2. MySQL and MariaDB
6.7.3. Docker
6.7.4. SAML
6.7.5. Univention self service
6.7.6. Mail services
6.7.7. Dovecot
6.7.8. Postfix
6.7.9. Spam/virus detection and countermeasures
6.7.10. Printing services
6.7.11. Nagios
6.7.12. Apache
6.7.13. RADIUS
6.7.14. Proxy services
6.7.15. Kerberos
6.7.16. SSL
6.7.17. DHCP server
6.7.18. PAM / Local group cache
6.7.19. NFS
6.7.20. Other services
6.8. Desktop
6.9. Virtualization
6.9.1. UCS Virtual Machine Manager (UVMM)
6.9.2. Operate UCS as virtual machine
6.10. Services for Windows
6.10.1. Samba
6.10.2. Univention S4 Connector
6.10.3. Univention Active Directory Connection
6.11. Other changes

§Chapter 1. Release highlights

Univention Corporate Server 4.4-5 is the fifth point release of Univention Corporate Server (UCS) 4.4. It includes feature enhancements and improvements, new properties, and various detail improvements and bug fixes. The most important changes at a glance:

  • The replication of groups with many members has been sped up considerably through performance improvements.

  • Authorization to use services connected via SAML can now be configured for groups; previously the setting could only be made per user. In addition, for services connected via SAML, a mapping from UCS LDAP attribute names to the attribute names expected by the connected application can now be configured in the UMC.

  • An update for the OpenID Connect Provider makes logins at the SAML Identity Provider valid for OpenID Connect as well. Single sign-on in UCS thus works across two standards.

  • The user Self Service has a new feature, which can be enabled, that lets users create an account in UCS themselves and delete it again. User accounts must be confirmed before first use by clicking an activation link in an e-mail. Administrators can define which attributes users must provide during registration.

  • Various security updates have been integrated into UCS 4.4-5, e.g. for Samba, OpenLDAP, the Linux kernel and PHP. A complete list of security and package updates can be found in Chapter 6.

§Chapter 2. Notes about the update

During the update, services within the domain may be temporarily unavailable. For this reason, the update should be performed within a maintenance window. It is generally recommended to install and test the update in a test environment first. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours.

§2.1. Update to UCS 4.4-5 fails with Verification error: Invalid signature: gpgv: keyblock resource ‘/etc/apt/trusted.gpg’: Datei oder Verzeichnis nicht gefunden

Note

If the update to UCS 4.4-5 aborts, the file /var/log/univention/updater.log should be checked for the following error:

**** Downloading scripts at Thu Jun 25 11:34:04 2020
Error: Update aborted due to verification error:
Verification error: Invalid signature: gpgv: keyblock resource '/etc/apt/trusted.gpg': \
Datei oder Verzeichnis nicht gefunden

If this error appears in the log file, all available errata updates must be installed. The update to UCS 4.4-5 can then be started again. (Bug 51576)

Further information is available in our support database.

§2.2. Recommended update order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all other LDAP servers of the UCS domain. Since changes to the LDAP schemas can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.3. UCS installation DVDs only available as 64-bit variant

Starting with UCS 4, UCS installation DVDs are only provided for 64-bit architectures. Existing 32-bit UCS 3 systems can still be updated to UCS 4 via the online repository or via update DVDs. The 32-bit architecture will continue to be supported for the entire UCS 4 maintenance period.

§Chapter 3. Preparation of the update

It should be checked whether sufficient disk space is available. A standard installation requires at least 10 GB of disk space. Depending on the scope of the existing installation, the update requires approximately 4 GB of additional disk space for downloading and installing the packages.

For the update, a login should be performed on the system's local console as user root, and the update should be started there. Alternatively, the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, as this may, for example, cause the update process to abort if the network connection is interrupted and may impair the system. If an update is nevertheless performed over a network connection, it must be ensured that the update continues even if the network connection is interrupted. Tools such as screen or at, which are installed on all UCS system roles, can be used for this purpose.

Univention provides a script that detects problems which would prevent the update of the UCS system before the update is started. This script can be downloaded to the system and executed manually prior to the update:

# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg pre-update-checks-4.4.gpg \
        pre-update-checks-4.4 && bash pre-update-checks-4.4

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

§Chapter 4. Postprocessing of the update

After the update, the new or updated join scripts must be executed. This can be done in two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as user root.

The UCS system must then be restarted.

§Chapter 5. Notes on the use of individual packages

§5.1. Collection of usage statistics

When the UCS Core Edition is used, anonymous statistics on the use of Univention Management Console are generated. The modules opened are logged by an instance of the web traffic analysis tool Piwik. This enables Univention to better tailor the development of Univention Management Console to customer interest and to make usability improvements.

This logging is only performed when the UCS Core Edition is used. The license status can be checked via the entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, such an edition is in use. When a regular UCS license is used, no usage statistics are collected.

Logging can be disabled regardless of the license used by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not covered by security updates. WebKit is primarily used for displaying HTML help pages and the like. Firefox should be used as the web browser.

§5.3. Recommended browsers for access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies must be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 71

  • Firefox as of version 60

  • Safari and Safari Mobile as of version 12

  • Microsoft Edge as of version 18

As of this release, Internet Explorer is no longer supported by Univention Management Console.

Display or performance problems may occur with older browsers.

§Chapter 6. Changelog

The changelogs with the detailed change information are maintained in English only. The changes since UCS 4.4-4 are listed below:

§6.1. General

§6.2. Basic system services

§6.2.1. Univention Configuration Registry

  • Move univention.debhelper into a separate package to break a build dependency cycle (Bug 51374).
  • Fix Python 3 interfaces API to use ipaddress from the standard library instead of the legacy ipaddr module no longer available in Debian 10 Buster (Bug 51368).
  • The Python 3 compatibility has been improved (Bug 51156).
  • Python absolute imports are now used in univention.config_registry.interfaces for Python 3 compatibility (Bug 51021).

§6.2.1.1. Changes to templates and modules

  • The UCR templates of univention-base-files have been adapted to be python2 and python3 compatible (Bug 51006).

§6.3. Domain services

§6.3.1. OpenLDAP

§6.3.1.1. Listener/Notifier domain replication

  • To speed up replication of large LDAP objects, performance inhibiting code for logging will only be executed at the respective debug level (Bug 51236).
  • Due to a race condition, the memberOf attribute of user objects could have been incomplete on backup domain controller and slave domain controller systems. This problem has now been fixed. To get all user objects back in sync, the script /usr/share/univention-LDAP-overlay-memberof/univention-update-memberof should be called once on every UCS domain controller (Bug 46590).
  • Do incremental updates for attribute uniqueMember of groups: Changes trigger the slapd overlay module memberof, which then needs to update all users of the group. This is inefficient with MOD_REPLACE as the overlay then has to walk over all users instead of only the added/removed users. During the walk each user object is touched and triggers a sub-transaction in OpenLDAP. With slow disks this can even lead to TIMEOUT errors as the LDAP connection is closed after 5 minutes by default (Bug 48545).
  • Internal change: the UCR templates of are now python3 compatible (Bug 51093).
  • Fix exception logging in corner cases (Bug 51061).
  • Internal change: the UCR templates of univention-directory-notifier are now python3 compatible (Bug 51091).
  • Internal change: the UCR templates of univention-directory-listener are now python3 compatible (Bug 51087).

§6.3.2. DNS server

  • Added a warning to the description of the UCR variable dns/backend not to use "LDAP" on UCS domain controller systems running Samba4 (Bug 50501).
  • Internal change: the UCR templates of univention-bind are now python3 compatible (Bug 51102).
  • The start of the LDAP server has a timeout value to prevent deadlocks and allow monitoring solutions to log failed start attempts. That value was made configurable, because the necessary time depends on the number of domains. The variable is called dns/timeout-start (Bug 50662).

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

  • Some preparations for future development have been made (Bug 51220).
  • It is now possible to navigate to an UMC module without the overview of all UMC modules and have only that UMC module open. This can be achieved for example with: https://fqdn/univention/management/?overview=no#module=top (Bug 51185).
  • The styling for menu entries has been slightly adjusted (Bug 51180).
  • The error messages in input fields were sometimes not immediately shown. This problem has been addressed (Bug 51067).
  • Internal change: the UCR templates of univention-directory-manager-rest are now python3 compatible (Bug 51090).
  • After an automatic password rotation, configurable via UCR variable server/password/interval, the UDM REST API refused to deliver an openapi.json file and disallowed further logins (Bug 50708).

§6.4.2. Univention Portal

  • Internal change: the UCR templates of univention-server-overview are now python3 compatible (Bug 51100).
  • Users in the portal live edit mode are now able to see categories without any entries (Bug 50688).
  • The Apache template is now correctly updated when changing the UCR variable ucs/server/sso/fqdn (Bug 51211).
  • Internal change: the UCR templates of univention-portal are now python3 compatible (Bug 51099).

§6.4.3. Univention Management Console server

  • LDAP connections in the session shutdown handling and during retrieval of user favorite modules are now closed properly (Bug 51367).
  • LDAP connections in the PAM handling are now closed after the authentication was performed (Bug 51366).
  • The Univention Management Console webserver is now Python 3 compatible (Bug 51353).
  • The Univention Management Console server components are now Python 3 compatible (Bug 51235).
  • Some preparations for the upcoming "Univention Portal" app have been made (Bug 51226).
  • The Content-Security-Policy for Univention Management Console and its login dialog is now configurable via the umc/http/content-security-policy/.* and umc/login/content-security-policy/.* Univention Configuration Registry variables. The X-Frame-Options default header has been replaced with the Content-Security-Policy frame-ancestors setting (Bug 51211).
  • It is now possible to navigate to an UMC module without the overview of all UMC modules and have only that UMC module open. This can be achieved for example with: https://fqdn/univention/management/?overview=no#module=top (Bug 51185).
  • Users can now request the deletion of their account on the "Your profile" page of the Self Service. This feature can be activated via the umc/self-service/account-deregistration/enabled UCR variable (Bug 51110).
  • The meta.json now contains more variables for the self service pages (Bug 51001).
  • Internal change: the UCR templates of univention-management-console are now python3 compatible (Bug 51098).
  • The self service now has an option that allows anonymous users to create self registered accounts. The feature is disabled by default (Bug 51067).
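
As an added example (not part of the UCS code base), the following Python check shows how a monitoring or hardening test that used to look for the X-Frame-Options header can be adapted to the Content-Security-Policy frame-ancestors directive that replaces it. The header values in SAMPLES are constructed and do not reflect the UCS defaults; all function names are hypothetical.

```python
"""Added example: classify the framing protection announced by HTTP response headers."""

# Ordered from most to least restrictive.
LEVELS = ["deny", "same-origin", "allow-list", "open"]


def parse_csp(header_value):
    """Split one Content-Security-Policy header value into policies.

    Returns a list of dicts mapping lower-cased directive names to their
    source lists. A single header value may carry several comma-separated
    policies.
    """
    policies = []
    for raw_policy in header_value.split(","):
        policy = {}
        for raw_directive in raw_policy.split(";"):
            tokens = raw_directive.split()
            if tokens:
                # If a directive is repeated, only its first occurrence counts.
                policy.setdefault(tokens[0].lower(), tokens[1:])
        if policy:
            policies.append(policy)
    return policies


def classify_sources(sources):
    """Map a frame-ancestors source list to one of LEVELS."""
    # 'none' only has an effect when it is the sole source expression.
    lowered = [s.lower() for s in sources if s.lower() != "'none'"]
    if not lowered:
        return "deny"
    if any(s == "*" or s.endswith(":") for s in lowered):
        return "open"  # wildcard or bare scheme such as https:
    if all(s == "'self'" for s in lowered):
        return "same-origin"
    return "allow-list"


def framing_protection(headers):
    """Return (mechanism, level) for a list of (name, value) header tuples."""
    csp_levels = []
    xfo = None
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            for policy in parse_csp(value):
                if "frame-ancestors" in policy:
                    csp_levels.append(classify_sources(policy["frame-ancestors"]))
        elif lname == "x-frame-options" and xfo is None:
            xfo = value.strip().upper()
    if csp_levels:
        # Every policy must allow the embedding, so the strictest one decides.
        # Browsers ignore X-Frame-Options once frame-ancestors is present.
        return ("csp", min(csp_levels, key=LEVELS.index))
    if xfo == "DENY":
        return ("x-frame-options", "deny")
    if xfo == "SAMEORIGIN":
        return ("x-frame-options", "same-origin")
    return ("none", "unprotected")


# Constructed sample responses; the values are illustrative only.
SAMPLES = {
    "legacy header only": [("X-Frame-Options", "SAMEORIGIN")],
    "csp allow-list": [
        ("Content-Security-Policy",
         "default-src 'self'; frame-ancestors 'self' https://portal.example.test;"),
    ],
    "csp wildcard": [("Content-Security-Policy", "frame-ancestors *")],
    "csp and legacy header": [
        ("Content-Security-Policy", "frame-ancestors 'none'"),
        ("X-Frame-Options", "SAMEORIGIN"),
    ],
    "report-only is not enforced": [
        ("Content-Security-Policy-Report-Only", "frame-ancestors 'none'"),
    ],
    "no protection": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, framing_protection(headers))
```

A check that only accepts X-Frame-Options reports a regression after this update, while a frame-ancestors value of * or a bare scheme is worth flagging even though a policy is present.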

§6.4.4. Univention App Center

  • The App Center now mounts /etc/apt/apt.conf.d/80proxy from the UCS host read-only to the container with the name /etc/apt/apt.conf.d/81proxy (Bug 51034).
  • Internal change: the UCR templates of univention-appcenter are now python3 compatible (Bug 51101).
  • Support for UDP ports in docker compose file has been added (Bug 51069).

§6.4.5. Univention Directory Manager UMC modules and command line interface

  • The Simple UDM API did not return an advanced list of DNs if the attribute was not set at all. It merely returned an empty list, which could lead to errors. This has been fixed (Bug 51184).
  • Internal improvement: Remove excessive log trace information from UDM modules method __getitem__() (Bug 51193).
  • SambaBadPasswordTime, the timestamp that is created when a user gets locked, can have a different time format than expected by udm when created by Samba3. This led to tracebacks in udm and rejects in the AD-Connector. Udm can handle this time format now (Bug 49697).
  • Internal change: the UCR templates of univention-directory-manager-modules are now python3 compatible (Bug 51089).
  • When initializing a module with a template, if the template has no options set, the defaults for the module options are kept instead of setting them all to true (Bug 51002).

§6.4.6. Modules for system settings / setup wizard

  • Proxy settings configured in Univention System Setup are now used for http and https connections. They are applied to the Univention Configuration Registry variables proxy/http and proxy/https. Previously, only proxy/http was used (Bug 50613).
  • During the setup use sha-512 for the root password (Bug 51195).
  • Some unused code has been removed (Bug 51185).
  • Internal change: the UCR templates of univention-system-setup are now python3 compatible (Bug 51025).

§6.4.7. Domain join module

  • The dependency on the Admin diary package has been moved to `Recommends` to make it optional. Otherwise there is a circular package dependency between univention-join and univention-admin-diary, which leads to undesired behavior (Bug 51374).
  • Internal change: the UCR templates of univention-join are now python3 compatible (Bug 51095).
  • Restart univention-directory-listener on package update (Bug 51532).
  • Rebuild with new ABI Version 1.5.8 for the samba update (Bug 51532).
  • Rebuild for new ldb library version (Bug 51121).

§6.4.8. Univention Directory Reports

  • Internal change: the UCR templates of univention-directory-reports are now python3 compatible (Bug 51095).

§6.4.9. License module

  • The previous package update in errata 619 caused the system activation to not work. The apache2 configuration is fixed with this update (Bug 51420).
  • The package now uses dh_python2 instead of python-support (Bug 51373).
  • Internal change: the UCR templates of univention-system-activation are now python3 compatible (Bug 51024).

§6.4.10. System diagnostic module

  • Permissions for /etc/freeradius/ssl are now also checked by the diagnostics module. Permissions for that path should be 2755 (Bug 50887).

§6.4.11. Filesystem quota module

  • Internal change: the UCR templates of univention-quota are now python3 compatible (Bug 51010).

§6.4.12. Other modules

  • It is now possible to assign the Portal Settings module to users and groups via UMC policies (Bug 50688).

§6.4.13. Development of modules for Univention Management Console

  • Internal change: The UMC module of univention-management-console-module-lib is now python3 compatible (Bug 51325).

§6.5. Univention base libraries

  • Internal improvement: Remove excessive log trace information from uLDAP methods __getstate__(), __setstate__() and parentDn() (Bug 51193).
  • The randomization mechanism during LDAP connection setup has been further improved so that it now prefers local LDAP servers over external LDAP servers (Bug 51182).
  • Internal change: the UCR templates of univention-ldap are now python3 compatible (Bug 51029).
  • The univention.lib Python modules are now Python 3 compatible (Bug 51592).

§6.6. Software deployment

  • Internal change: the UCR templates of univention-maintenance are now python3 compatible (Bug 51020).
  • Fix regression caused by erratum 605 to validate signatures of preup.sh and postup.sh scripts (Bug 51576).

§6.6.1. Software monitor

  • Internal change: the UCR templates of univention-pkgdb are now python3 compatible (Bug 51139).

§6.7. System services

§6.7.1. PostgreSQL

  • Internal change: the UCR templates of univention-postgresql are now python3 compatible (Bug 51112).

§6.7.2. MySQL and MariaDB

  • Internal change: the UCR templates of univention-mariadb are now python3 compatible (Bug 51137).

§6.7.3. Docker

  • Internal change: the UCR templates of univention-docker-container-mode are now python3 compatible (Bug 51132).
  • In /etc/systemd/system/docker.service.d/http-proxy.conf the UCR variable proxy/no_proxy is considered for the docker proxy settings (Bug 51031).
  • Internal change: the UCR templates of univention-docker are now python3 compatible (Bug 51132).

§6.7.4. SAML

  • It is now possible to activate SAML service provider for groups, not only for individual users (Bug 47567).
  • The Content-Security-Policy is now configurable via the saml/apache2/content-security-policy/. UCR variables (Bug 51211).
  • The self service can now be set up to allow users to create their own account (see also Bug #51067). For this new feature the SAML identity provider has been adapted, to be configurable to deny login for unverified, self registered accounts (Bug 51068).
  • The configuration of SAML identity providers has been extended by the possibility to configure an attribute mapping for the LDAP attributes required by the Service providers (Bug 48927).

§6.7.5. Univention self service

  • Nested groups are now correctly evaluated for Self Service white- and blacklists (Bug 51261).
  • The 'Forgot your password?' link on the login page was not shown by default anymore (Bug 51533).
  • Blacklists and whitelists for editing a user profile via the "Your profile" page of the Self Service and deleting an account via the "Delete my account" button on the "Your profile" page are no longer configured via the umc/self-service/passwordreset/{blacklist,whitelist}/{users,groups} UCR variables but the umc/self-service/profiledata/{blacklist,whitelist}/{users,groups} and umc/self-service/account-deregistration/{...} UCR variables respectively (Bug 51259).
  • The Self Service links in the hamburger menu are no longer visible if the corresponding Self Service page was disabled via UCR (Bug 51351).
  • The Content-Security-Policy is now configurable via the umc/self-service/content-security-policy/.* UCR variables (Bug 51211).
  • When requesting a new token, do not disclose the email address of the user (Bug 51152).
  • Users can now request the deletion of their account on the "Your profile" page of the Self Service. This feature can be activated via the umc/self-service/account-deregistration/enabled UCR variable (Bug 51110).
  • Added UCR variables to enable administrators to switch off all pages (and backend functions) individually (Bug 51001).
  • The self service now has an option that allows anonymous users to create self registered accounts. The feature is disabled by default (Bug 51067).

§6.7.6. Mail services

  • Internal change: the UCR templates of univention-fetchmail are now python3 compatible (Bug 51148).
  • Internal change: the UCR templates of univention-antivir-mail are now python3 compatible (Bug 51149).

§6.7.7. Dovecot

  • Internal change: the UCR templates of univention-mail-dovecot are now python3 compatible (Bug 51147).

§6.7.8. Postfix

  • Internal change: the UCR templates of univention-postgrey are now python3 compatible (Bug 51146).
  • Internal change: the UCR templates of univention-mail-postfix are now python3 compatible (Bug 51151).

§6.7.9. Spam/virus detection and countermeasures

  • Internal change: the UCR templates of univention-dansguardian are now python3 compatible (Bug 51144).

§6.7.10. Printing services

  • Internal change: the UCR templates of univention-printquota are now python3 compatible (Bug 51140).
  • A shell quoting error in the cups-printer listener module has been corrected which prevented the creation of printers for certain ACLs (Bug 51196).
  • Internal change: the UCR templates of univention-printserver are now python3 compatible (Bug 51129).

§6.7.11. Nagios

  • Internal change: the UCR templates of univention-snmpd are now python3 compatible (Bug 51143).
  • Internal change: the UCR templates of univention-nagios are now python3 compatible (Bug 51214).

§6.7.12. Apache

  • Internal change: the UCR templates of univention-apache are now python3 compatible (Bug 51077).

§6.7.13. RADIUS

  • Permissions for directory /etc/freeradius/ssl are now set during installation by join-script 80univention-radius. Permissions are also set via postinst script univention-radius.postinst (Bug 50887).
  • Internal change: the UCR templates of univention-radius are now python3 compatible (Bug 51130).

§6.7.14. Proxy services

  • Internal change: the UCR templates of univention-squid are now python3 compatible (Bug 51133).

§6.7.15. Kerberos

  • Internal change: the UCR templates of univention-heimdal are now python3 compatible (Bug 51016).

§6.7.16. SSL

  • Internal change: the UCR templates of univention-ssl are now python3 compatible (Bug 51022).

§6.7.17. DHCP server

  • Internal change: the UCR templates of univention-dhcp are now python3 compatible (Bug 51136).

§6.7.18. PAM / Local group cache

  • Internal change: the UCR templates of univention-sasl are now python3 compatible (Bug 51142).
  • Internal change: the UCR templates of univention-pam are now python3 compatible (Bug 51224).
  • Internal change: the UCR templates of univention-pam are now python3 compatible (Bug 51027).

§6.7.19. NFS

  • Internal change: the UCR templates of univention-nfs are now python3 compatible (Bug 51138).

§6.7.20. Other services

  • Internal change: the UCR templates of univention-firewall are now python3 compatible (Bug 51035).

§6.8. Desktop

  • Internal change: the UCR templates of univention-kdm are now python3 compatible (Bug 51218).

§6.9. Virtualization

§6.9.1. UCS Virtual Machine Manager (UVMM)

  • Internal change: the UCR templates of univention-virtual-machine-manager-daemon are now python3 compatible (Bug 51215).
  • Internal change: the UCR templates of univention-virtual-machine-manager-node are now python3 compatible (Bug 51215).
  • Internal change: the UCR templates of univention-virtual-machine-manager-schema are now python3 compatible (Bug 51215).

§6.9.2. Operate UCS as virtual machine

  • Internal change: the UCR templates of univention-cloud-init are now python3 compatible (Bug 51135).

§6.10. Services for Windows

§6.10.1. Samba

  • A python syntax error has been removed in the UCR configuration file /etc/samba/base.conf (Bug 51212).
  • Internal change: the UCR templates of univention-samba are now python3 compatible (Bug 51131).
  • Internal change: the UCR templates of univention-samba4 are now python3 compatible (Bug 51131).
  • Rebuild with new ABI Version 1.5.8 for the samba update (Bug 51532).

§6.10.2. Univention S4 Connector

§6.10.3. Univention Active Directory Connection

  • The synchronization of the pwdChangeNextLogin flag only worked if the password was reset at the same time. This behavior has been fixed (Bug 51585).
  • Fix UCS to AD Diff-Mode synchronization from the OpenLDAP attributes telephoneNumber, homePhone, mobilePhone and pager to the MS AD attributes otherTelephone, otherHomePhone, otherMobile and otherPager (Bug 51567).
  • Log the active mapping on startup (Bug 51518).
  • Basic profiling support via UCR connector/ad/poll/profiling (Bug 51518).
  • Ignore changes to a list of irrelevant attributes. The list can be extended via a new UCR variable connector/ad/mapping/attributes/irrelevant (Bug 18501).
  • The Diff-Mode synchronization technique originally implemented for the S4-Connector has been merged to the AD-Connector. This affects the replication of multi value attribute values such that only added and removed attribute values are modified on the destination system, but values unchanged on the source of replication are also unchanged on the destination. Before this update, all values of an attribute changed in the source LDAP got replaced in the destination LDAP. Please note that there is no change in the replication of group memberships, because they already have been replicated in Diff-Mode before (Bug 51462).
  • The flag pwdChangeNextLogin is now synced bidirectionally by the ad-connector (Bug 51298).
  • Internal change: the UCR templates of univention-ad-connector are now python3 compatible (Bug 51160).
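
The incremental update of uniqueMember described in section 6.3.1.1 and the Diff-Mode synchronization described above both replace a single MOD_REPLACE with targeted MOD_DELETE and MOD_ADD operations. The following Python model is an added example, not code from UCS or the connector. It assumes DN comparison can be simplified to case-insensitive string matching; the member-visit count models the description in these notes rather than slapd's implementation; all names and DNs are constructed.

```python
"""Added example: replace-mode versus diff-mode modification lists."""

# Operation codes as used by the LDAP modify operation (RFC 4511).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def _key(value):
    # Simplification: a real implementation compares parsed DNs.
    return value.casefold()


def replace_modlist(attr, old, new):
    """Old behaviour: overwrite the whole attribute if anything changed."""
    if {_key(v) for v in old} == {_key(v) for v in new}:
        return []
    return [(MOD_REPLACE, attr, list(new))]


def diff_modlist(attr, old, new):
    """Diff mode: send only the removed and the added values."""
    old_keys = {_key(v) for v in old}
    new_keys = {_key(v) for v in new}
    removed = [v for v in old if _key(v) not in new_keys]
    added = [v for v in new if _key(v) not in old_keys]
    modlist = []
    if removed:
        modlist.append((MOD_DELETE, attr, removed))
    if added:
        modlist.append((MOD_ADD, attr, added))
    return modlist


def apply_modlist(current, modlist):
    """Apply a modlist to the attribute values held by the destination."""
    values = list(current)
    for op, _attr, vals in modlist:
        keys = {_key(v) for v in vals}
        if op == MOD_REPLACE:
            values = list(vals)
        elif op == MOD_DELETE:
            # A missing value is silently skipped in this model.
            values = [v for v in values if _key(v) not in keys]
        elif op == MOD_ADD:
            present = {_key(v) for v in values}
            values += [v for v in vals if _key(v) not in present]
    return values


def members_to_visit(current, modlist):
    """Count member entries a memberOf-style overlay has to touch.

    Model of the description in these notes: a replace makes the overlay
    walk over all old and new members, add/delete only over the listed ones.
    """
    visited = set()
    state = list(current)
    for op, attr, vals in modlist:
        if op == MOD_REPLACE:
            visited |= {_key(v) for v in state}
        visited |= {_key(v) for v in vals}
        state = apply_modlist(state, [(op, attr, vals)])
    return len(visited)


# Constructed sample data: a group of 5000 members, one leaves, one joins.
BASE = "cn=users,dc=example,dc=test"
OLD = ["uid=user%d,%s" % (i, BASE) for i in range(5000)]
NEW = OLD[1:] + ["uid=newhire," + BASE]
# The destination carries one value the source never had.
DEST = OLD + ["uid=localonly," + BASE]

if __name__ == "__main__":
    for name, build in (("replace", replace_modlist), ("diff", diff_modlist)):
        modlist = build("uniqueMember", OLD, NEW)
        result = apply_modlist(DEST, modlist)
        print(name, "visits", members_to_visit(OLD, modlist), "members;",
              "local-only value kept:", ("uid=localonly," + BASE) in result)
```

Both modlists bring an in-sync destination to the same state; they differ in how many member entries are touched and in whether values that exist only on the destination survive.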

§6.11. Other changes

  • When authenticating with an expired password via pam-krb5, heimdal prompted for a password change, which led to the password being overwritten with the old password. This behavior has been fixed (Bug 51462).
  • univention-directory-logger is now able to prefix related log lines with the same transaction ID. This new feature is automatically enabled on fresh installations of univention-directory-logger but remains disabled during updates. Set ldap/logging/id-prefix=yes to enable this feature manually (Bug 51082).
  • Add new PGP public key univention-archive-key-ucs-5x.gpg for UCS 5 and remove expired key univention-archive-key-ucs-3x.gpg from UCS-3 (Bug 51250).
  • Internal change: the UCR templates of univention-mozilla-firefox are now python3 compatible (Bug 51218).
  • Internal change: the UCR templates of univention-initrd are now python3 compatible (Bug 51019).
  • Internal change: the UCR templates of univention-kde are now python3 compatible (Bug 51218).
  • Internal change: the UCR templates of univention-spamassassin are now python3 compatible (Bug 51145).
  • Internal change: the UCR templates of are now python3 compatible (Bug 51086).
  • Internal change: the UCR templates of univention-directory-policy are now python3 compatible (Bug 51092).
  • Internal change: the UCR templates are now python3 compatible (Bug 51088).
  • Internal change: the UCR templates of univention-sudo are now python3 compatible (Bug 51023).
  • Check for usage of debian/*.pyinstall files to install Python modules (Bug 51106).
  • Check users of custom_{user,group}name() registering for required UCR variables (Bug 50056).
  • Check for packages declaring dependencies on Essential:yes packages (Bug 51476).
  • Check for usage of uLDAP.searchDn() (Bug 51375).
  • ucslint has been removed as a direct dependency from all UCS packages as it now runs directly from our CI pipeline (Bug 42294).
  • Debian maintainer scripts debian/*.{pre,post}{inst,rm} are now checked for handling wrong actions (Bug 43981).
  • Unjoin-script files are now checked for errors, too (Bug 48747).
  • The debian/changelog file is checked for strict-monotonic entries. In the past this has led to surprising update results as the timestamp of the latest entry is used for many things during the package build (Bug 49620).
  • debian/*.ucs files are checked more strictly due to the switch to Python 3. For example duplicate keys are now errors (Bug 49683).
  • New debhelper related files in debian/ are recognized (Bug 51246).
  • debian/*.dirs is now checked for unneeded entries which are already created indirectly by other steps (Bug 51247).
  • debian/compat is now checked for consistency with the declared versioned build dependency of debhelper in debian/control (Bug 51248).
  • UCS templates are checked for compatibility with Python 2 and 3 (Bug 51107).
  • Invalid Python string literals are now detected (Bug 51105).
  • The code base has been converted to Python 3 (Bug 49704).
  • Internal change: the UCR templates of univention-passwd-store are now python3 compatible (Bug 51008).
  • Internal change: the UCR templates of univention-x-core are now python3 compatible (Bug 51218).
  • Python 3 compatibility for the UMC debhelper scripts has been added (Bug 51235).
  • Do not set UCR variables LDAP/overlay/memberof/ before system is joined (Bug 47641).
  • Internal change: the UCR templates of univention-ldap-overlay-memberof are now python3 compatible (Bug 51096).
  • Modified the 'Change password' menu entry for future feature release compatibility (Bug 51181).
  • Internal change: the UCR templates of univention-printclient are now python3 compatible (Bug 51009).
  • Internal change: the UCR templates of univention-grub are now python3 compatible (Bug 51018).
  • Internal change: the UCR templates of univention-directory-manager-module-example are now python3 compatible (Bug 51216).
  • Internal change: the UCR templates of univention-admin-diary are now python3 compatible (Bug 51134).
  • Internal change: the UCR templates of univention-server are now python3 compatible (Bug 51011).
  • Internal change: the UCR templates of univention-network-manager are now python3 compatible (Bug 51021).