UCS 4.4 Release Notes

Release Notes for the installation and update of Univention Corporate Server (UCS) 4.4-6


Table of Contents

1. Release Highlights
2. Notes on the Update
2.1. Recommended Update Order
2.2. UCS Installation DVDs Only Available as 64-Bit Variant
3. Preparing the Update
4. Post-Update Steps
5. Notes on the Use of Individual Packages
5.1. Collection of Usage Statistics
5.2. Scope of Security Support for WebKit, Konqueror and QtWebKit
5.3. Recommended Browsers for Accessing Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Univention Configuration Registry
6.2.1.1. Changes to templates and modules
6.2.2. Univention Python
6.3. Domain services
6.3.1. OpenLDAP
6.3.1.1. Listener/Notifier domain replication
6.3.2. DNS server
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Portal
6.4.3. Univention Management Console server
6.4.4. Univention App Center
6.4.5. Univention Directory Manager UMC modules and command line interface
6.4.6. Modules for system settings / setup wizard
6.4.7. Domain join module
6.4.8. Univention Directory Reports
6.4.9. License module
6.4.10. System diagnostic module
6.4.11. Process overview module
6.4.12. Filesystem quota module
6.4.13. Other modules
6.4.14. Development of modules for Univention Management Console
6.5. Univention base libraries
6.6. Software deployment
6.6.1. Software monitor
6.7. System services
6.7.1. PostgreSQL
6.7.2. MySQL and MariaDB
6.7.3. Docker
6.7.4. SAML
6.7.5. Univention self service
6.7.6. Mail services
6.7.7. Dovecot
6.7.8. Postfix
6.7.9. Spam/virus detection and countermeasures
6.7.10. Printing services
6.7.11. Nagios
6.7.12. Apache
6.7.13. RADIUS
6.7.14. Proxy services
6.7.15. Kerberos
6.7.16. SSL
6.7.17. DHCP server
6.7.18. PAM / Local group cache
6.7.19. NFS
6.7.20. Other services
6.8. Desktop
6.9. Virtualization
6.9.1. UCS Virtual Machine Manager (UVMM)
6.9.2. Operate UCS as virtual machine
6.10. Services for Windows
6.10.1. Samba
6.10.2. Univention S4 Connector
6.10.3. Univention Active Directory Connection
6.11. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 4.4-6, the sixth point release for Univention Corporate Server (UCS) 4.4 is now available. It includes functional enhancements and improvements, new features, and various detail improvements and bug fixes. The most important changes at a glance:

  • Improvements to user self-management via the Self Service app. Users are shown predefined texts in the Self Service app, e.g. when resetting their password. Administrators can now customize the contents of these texts. Newly registered users are activated as soon as the user's e-mail address has been successfully verified. This behavior is disabled by default. With this option it is possible to operate a UCS with the Self Service module where users register themselves and use their account after successful validation of their e-mail address.

  • App Center: custom hook scripts for administrators. UCS system administrators can now store their own scripts for apps on a UCS system, which the App Center executes after an installation, update or uninstallation. This allows, for example, recurring manual steps after an app update to be automated, such as adapting an app to local circumstances. Examples: installing additional fonts into the installed Office app or copying a custom SSL certificate into an app.

  • UCS portal: warning about outdated and no longer supported browsers. A warning is shown to the user when logging in to the UCS management system if an unsupported browser, such as Internet Explorer 11, is used. The warning can also be activated for the portal.

  • Improvements in product stability. A memory leak in the UMC server has been fixed. Among other things, it caused the Self Service in larger environments to stop working when users changed their own password until the UMC server was restarted. Observed crashes of the LDAP server in connection with the ppolicy overlay module have been fixed. The UDM REST API can now handle umlauts in the URL of an API call. Expired user passwords can now be reset directly in the single sign-on login dialog.

  • Various security updates have been integrated into UCS 4.4-6, e.g. for QEMU, bind9, the Linux kernel and PHP. A complete list of security and package updates can be found in Chapter 6.

§Chapter 2. Notes on the Update

During the update, services within the domain may be temporarily unavailable. For this reason the update should be performed within a maintenance window. In general it is recommended to install and test the update in a test environment first. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours.

§2.1. Recommended Update Order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The domain controller master holds the authoritative version of the LDAP directory service, which is replicated to all other LDAP servers in the UCS domain. Since release updates can include changes to the LDAP schemas, the domain controller master must always be the first system to be updated during a release update.

§2.2. UCS Installation DVDs Only Available as 64-Bit Variant

As of UCS 4, UCS installation DVDs are only provided for 64-bit architectures. Existing 32-bit UCS 3 systems can still be updated to UCS 4 via the online repository or via update DVDs. The 32-bit architecture remains supported for the entire UCS 4 maintenance period.

§Chapter 3. Preparing the Update

It should be checked that sufficient disk space is available. A standard installation requires at least 10 GB of disk space. Depending on the size of the existing installation, the update requires approximately 4 GB of additional disk space for downloading and installing the packages.

For the update, log in on the system's local console as user root and start the update there. Alternatively, the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, since an interruption of the network connection, for example, can abort the update process and leave the system in an impaired state. If an update is nevertheless performed over a network connection, it must be ensured that the update keeps running even if the network connection is interrupted. The tools screen or at, which are installed on all UCS system roles, can be used for this purpose, for example.

Univention provides a script that detects problems which would prevent the update of the UCS system before the update is started. This script can be downloaded to the system manually and executed before the update:

# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg pre-update-checks-4.4.gpg \
        pre-update-checks-4.4 && bash pre-update-checks-4.4

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

§Chapter 4. Post-Update Steps

After the update, the new or updated join scripts must be executed. This can be done in one of two ways: either via the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Afterwards the UCS system must be restarted.

§Chapter 5. Notes on the Use of Individual Packages

§5.1. Collection of Usage Statistics

When the UCS Core Edition is used, anonymous usage statistics on the use of Univention Management Console are generated. The modules that are opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to tailor the development of Univention Management Console more closely to customer interests and to make usability improvements.

This logging only takes place when the UCS Core Edition is used. The license status can be checked via the entry License -> License information in the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is shown under License type, such an edition is in use. When a regular UCS license is used, no usage statistics are collected.

Regardless of the license in use, the logging can be disabled by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of Security Support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but are not covered by security updates. WebKit is mainly used for rendering HTML help pages and similar content. Firefox should be used as the web browser.

§5.3. Recommended Browsers for Accessing Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to render the web interface. Cookies must be enabled in the browser. The following browsers are recommended:

  • Chrome version 71 or later

  • Firefox version 60 or later

  • Safari and Safari Mobile version 12 or later

  • Microsoft Edge version 18 or later

As of this release, Internet Explorer is no longer supported by Univention Management Console.

Display or performance problems may occur with older browsers.

§Chapter 6. Changelog

The changelogs with detailed change information are only maintained in English. The changes since UCS 4.4-5 are listed below:

§6.1. General

§6.2. Basic system services

§6.2.1. Univention Configuration Registry

  • Fixed doing `open(..., 'rw')`, which is invalid with Python 3 (Bug 51680).
  • Move univention.debhelper into a separate package to break a build dependency cycle (Bug 51374).
  • Fix Python 3 interfaces API to use ipaddress from the standard library instead of the legacy `ipaddr` module no longer available in Debian 10 Buster (Bug 51368).
  • The Python 3 compatibility has been improved (Bug 51156).
  • Python absolute imports are now used in univention.config_registry.interfaces for Python 3 compatibility (Bug 51021).

§6.2.1.1. Changes to templates and modules

  • The UCR templates of univention-base-files have been adapted to be python2 and python3 compatible (Bug 51006).

§6.2.2. Univention Python

  • The Univention Configuration Registry variable password/quality/mspolicy has been added to allow configuration of standard MS password criteria. It is not active by default. When set to yes or true, this check is applied in addition to the python-cracklib checks. If set to sufficient, then it is done instead of the python-cracklib checks. See Univention Configuration Registry variable description for details (Bug 51994).
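The entry above only says that password/quality/mspolicy applies "standard MS password criteria". The following is an added illustration of what the Microsoft "Password must meet complexity requirements" policy checks (account name, display-name tokens, three of five character classes); it is not UCS's own implementation, and the user names and passwords in it are constructed sample data.

```python
"""Illustration of the Microsoft password complexity rules (added example).

Rules implemented, as documented by Microsoft for the "Password must meet
complexity requirements" setting (this is not UCS's own code):
  1. the password must not contain the account name (skipped when the
     account name is shorter than three characters);
  2. the password must not contain any token of the display name, split on
     commas, periods, dashes, underscores, spaces, pound signs and tabs,
     ignoring tokens shorter than three characters;
  3. at least three of five character classes must be present: upper case,
     lower case, digits, non-alphanumeric, and alphabetic characters that
     have no case (e.g. scripts without upper/lower case);
  4. a minimum length, six characters here (the value named in the
     complexity rule text; a stricter site policy can override it).
All comparisons of rules 1 and 2 are case-insensitive.
"""
import re

MIN_LENGTH = 6
_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def _char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c.isalpha():
            classes.add("other-alpha")   # letters without a case distinction
        else:
            classes.add("special")
    return classes


def _name_tokens(display_name):
    """Split the display name as the Microsoft policy does; drop short tokens."""
    return [t for t in _DELIMITERS.split(display_name) if len(t) >= 3]


def check_ms_policy(password, username, display_name="", min_length=MIN_LENGTH):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    lowered = password.lower()
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the account name")
    for token in _name_tokens(display_name):
        if token.lower() in lowered:
            problems.append("contains part of the display name: %r" % token)
    classes = _char_classes(password)
    if len(classes) < 3:
        problems.append("uses only %d of 5 character classes" % len(classes))
    return problems


if __name__ == "__main__":
    # Constructed sample account: uid "jdoe", display name "John Doe".
    for candidate in ("Summer2020!", "johndoe123", "Jdoe#2020"):
        print(candidate, check_ms_policy(candidate, "jdoe", "John Doe") or "OK")
```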

§6.3. Domain services

§6.3.1. OpenLDAP

  • Running OpenLDAP with overlay ppolicy could crash `slapd` and lead to a denial of service (Bug 37915).
  • The ppolicy default configuration now allows users to change their own password (Bug 51676).

§6.3.1.1. Listener/Notifier domain replication

  • To speed up replication of large LDAP objects, performance inhibiting code for logging will only be executed at the respective debug level (Bug 51236).
  • Due to a race condition, the memberOf attribute of user objects could have been incomplete on domaincontroller backup and domaincontroller slave systems. This problem has now been fixed. To get all user objects back in sync, the script /usr/share/univention-ldap-overlay-memberof/univention-update-memberof should be called once on every UCS domaincontroller (Bug 46590).
  • Do incremental updates for attribute `uniqueMember` of groups: Changes trigger the slapd overlay module `memberof`, which then needs to update all users of the group. This is inefficient with MOD_REPLACE as the overlay then has to walk over all users instead of only the added/removed users. During the walk each user object is touched and triggers a sub-transaction in OpenLDAP. With slow disks this can even lead to TIMEOUT errors as the LDAP connection is closed after 5 minutes by default (Bug 48545).
  • Internal change: the UCR templates are now python3 compatible (Bug 51093).
  • Fix exception logging in corner cases (Bug 51061).
  • Minor code cleanup thanks to Github pull request by https://github.com/thomasbach-dev (Bug 51722).
  • A race condition between slapd and univention-directory-notifier could lead to a deadlock under certain conditions. This has been fixed (Bug 51722).
  • Internal change: the UCR templates of univention-directory-notifier are now python3 compatible (Bug 51091).
  • Internal change: the UCR templates of univention-directory-listener are now python3 compatible (Bug 51087).
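As an added example of the incremental uniqueMember update described for Bug 48545 (not code from the UCS listener itself): the modlist tuples follow python-ldap's (operation, attribute, values) convention, the operation constants are copied so the snippet runs without python-ldap, and the group members are constructed sample DNs.

```python
"""MOD_REPLACE versus incremental MOD_ADD/MOD_DELETE for group membership.

Added example illustrating the Bug 48545 entry: replacing the complete
uniqueMember attribute makes the memberof overlay revisit every former and
current member, while an add/delete modlist only names the members that
changed. Constants and tuple layout follow python-ldap; the DNs below are
constructed sample data.
"""

# Operation codes as defined by python-ldap (ldap.MOD_ADD, ldap.MOD_DELETE,
# ldap.MOD_REPLACE); duplicated here so the example has no dependency.
MOD_ADD = 0
MOD_DELETE = 1
MOD_REPLACE = 2

ATTR = "uniqueMember"

# Constructed sample group: 5000 members, then one leaves and one joins.
SAMPLE_OLD = ["uid=user%04d,cn=users,dc=example,dc=com" % i for i in range(5000)]
SAMPLE_NEW = SAMPLE_OLD[1:] + ["uid=newcomer,cn=users,dc=example,dc=com"]


def replace_modlist(new_members):
    """Naive approach: a single MOD_REPLACE carrying the full member list."""
    return [(MOD_REPLACE, ATTR, [m.encode() for m in sorted(new_members)])]


def incremental_modlist(old_members, new_members):
    """Emit only the delta between old and new membership.

    An unchanged group yields an empty modlist, so no LDAP modify is sent
    at all. Values are sorted to keep the output deterministic.
    """
    old, new = set(old_members), set(new_members)
    removed = sorted(old - new)
    added = sorted(new - old)
    modlist = []
    if removed:
        modlist.append((MOD_DELETE, ATTR, [m.encode() for m in removed]))
    if added:
        modlist.append((MOD_ADD, ATTR, [m.encode() for m in added]))
    return modlist


def touched_members(modlist, current_members):
    """Model the work the memberof overlay does for a modlist.

    For MOD_REPLACE the overlay cannot tell what changed: every member listed
    in the new value is processed, and every current member as well so stale
    memberOf values can be cleared. For MOD_ADD/MOD_DELETE only the listed
    values are processed.
    """
    touched = set()
    for op, _attr, values in modlist:
        decoded = {v.decode() for v in values}
        if op == MOD_REPLACE:
            touched |= set(current_members) | decoded
        else:
            touched |= decoded
    return touched


def compare_strategies(old_members=SAMPLE_OLD, new_members=SAMPLE_NEW):
    """Return how many user entries each strategy makes the overlay revisit."""
    return {
        "replace": len(touched_members(replace_modlist(new_members), old_members)),
        "incremental": len(touched_members(incremental_modlist(old_members, new_members), old_members)),
    }


if __name__ == "__main__":
    print(compare_strategies())   # the incremental modlist touches only the two changed members
```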

§6.3.2. DNS server

  • Added a warning to the description of the UCR variable dns/backend not to use ldap on UCS domain controller systems running Samba4 (Bug 50501).
  • Internal change: the UCR templates of univention-bind are now python3 compatible (Bug 51102).
  • The start of the LDAP server has a timeout value to prevent deadlocks and allow monitoring solutions to log failed start attempts. That value was made configurable, because the necessary time depends on the number of domains. The variable is called dns/timeout-start (Bug 50662).

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

  • The styling of the login dialog has been adjusted to allow long texts (Bug 51401).
  • The styling of the simplesamlphp error page has been enhanced (Bug 45445).
  • The message for outdated browsers has been adjusted (Bug 51753).
  • The error handling for static errors (e.g. 404 Not Found) does not display an "Inform vendor" button anymore (Bug 51719).
  • Some preparations for future development have been made (Bug 51220).
  • It is now possible to navigate to a UMC module without the overview of all UMC modules and have only that UMC module open. This can be achieved for example with: https://fqdn/univention/management/?overview=no#module=top (Bug 51185).
  • The styling for menu entries has been slightly adjusted (Bug 51180).
  • The error messages in input fields were sometimes not immediately shown. This problem has been addressed (Bug 51067).
  • References to objects containing umlauts (or non ASCII characters) in the DN have been fixed (Bug 50529).
  • Internal change: the UCR templates of univention-directory-manager-rest are now python3 compatible (Bug 51090).
  • After an automatic password rotation, configurable via the UCR variable `server/password/interval`, the UDM REST API refused to deliver an openapi.json file and disallowed further logins (Bug 50708).

§6.4.2. Univention Portal

  • Internal change: the UCR templates of univention-server-overview are now python3 compatible (Bug 51100).
  • A message can now be activated for the portal with the portal/show-outdated-browser-warning UCR variable that informs the user about the supported browsers, if the used browser is outdated (Bug 51753).
  • Users in the portal live edit mode are now able to see categories without any entries (Bug 50688).
  • The Apache template is now correctly updated when changing the UCR variable ucs/server/sso/fqdn (Bug 51211).
  • Internal change: the UCR templates of univention-portal are now python3 compatible (Bug 51099).

§6.4.3. Univention Management Console server

  • It is now possible to configure an additional password changing prompt via the UCR variables umc/login/password-complexity-message/.* (Bug 51401).
  • The error message when a password change failed has been improved (Bug 51496).
  • Expired passwords can now be changed in the SAML login dialog (Bug 51492).
  • The styling of the simplesamlphp error page has been enhanced (Bug 45445).
  • The UCR variable umc/http/max-open-file-descriptors has been added and the default file descriptor limit for the univention-management-console-web-server has been increased to 65535 (Bug 51729).
  • The message for outdated browsers has been adjusted (Bug 51753).
  • Several memory leaks in the UMC server process have been fixed (Bug 50583).
  • The error handling for static errors (e.g. 404 Not Found) does not display an "Inform vendor" button anymore (Bug 51719).
  • The title of the login page is now configurable via the umc/login/texts/title/{de,en} UCR variables (Bug 51718).
  • Updated the meta.json file to include UCR variables to configure page titles of the Univention Self Service (Bug 51260).
  • LDAP connections in the session shutdown handling and during retrieval of user favorite modules are now closed properly (Bug 51367).
  • LDAP connections in the PAM handling are now closed after the authentication was performed (Bug 51366).
  • The UMC webserver is now Python 3 compatible (Bug 51353).
  • The UMC server components are now Python 3 compatible (Bug 51235).
  • Some preparations for the upcoming "Univention Portal" app have been made (Bug 51226).
  • The Content-Security-Policy for UMC and its login dialog is now configurable via the umc/http/content-security-policy/.* and umc/login/content-security-policy/.* UCR variables. The X-Frame-Options default header has been replaced with the Content-Security-Policy frame-ancestor setting (Bug 51211).
  • It is now possible to navigate to a UMC module without the overview of all UMC modules and have only that UMC module open. This can be achieved for example with: https://fqdn/univention/management/?overview=no#module=top (Bug 51185).
  • Users can now request the deletion of their account on the "Your profile" page of the Self Service. This feature can be activated via the umc/self-service/account-deregistration/enabled UCR variable (Bug 51110).
  • The meta.json now contains more variables for the self service pages (Bug 51001).
  • Internal change: the UCR templates of univention-management-console are now python3 compatible (Bug 51098).
  • The self service now has an option that allows anonymous users to create self registered accounts. The feature is disabled by default (Bug 51067).

§6.4.4. Univention App Center

  • Allow the execution of custom hooks after install, upgrade and remove (Bug 51790).
  • The App Center now mounts /etc/apt/apt.conf.d/80proxy from the UCS host read-only to the container with the name /etc/apt/apt.conf.d/81proxy (Bug 51034).
  • Internal change: the UCR templates of univention-appcenter are now python3 compatible (Bug 51101).
  • Support for UDP ports in docker compose file has been added (Bug 51069).

§6.4.5. Univention Directory Manager UMC modules and command line interface

  • The new UDM attribute "appendACL" of Samba shares can be used to define custom NT ACEs for share folders (Bug 52013).
  • The removal of dns/ptr_record objects when removing IP addresses from computers and no pointer record would be left over has been repaired (Bug 44710).
  • The Simple UDM API did not return an advanced list of DNs if the attribute was not set at all. It merely returned an empty list, which could lead to errors. This has been fixed (Bug 51184).
  • Internal improvement: Remove excessive log trace information from UDM modules method `__getitem__()` (Bug 51193).
  • SambaBadPasswordTime, the timestamp that is created when a user gets locked, can have a different time format than expected by UDM when created by Samba3. This led to tracebacks in UDM and rejects in the AD Connector. UDM can handle this time format now (Bug 49697).
  • Internal change: the UCR templates of univention-directory-manager-modules are now python3 compatible (Bug 51089).
  • When initializing a module with a template, if the template has no options set, the defaults for the module options are kept instead of setting them all to true (Bug 51002).

§6.4.6. Modules for system settings / setup wizard

  • Proxy settings are now exported as environment variables during the setup (Bug 51799).
  • From now on the local Unix password for the root account in the UCS appliance images is disabled until a proper password is set during the setup (Bug 51954). If an SSH login is required before the setup, the image has to be modified (e.g. add an SSH key for the root user).
  • Proxy settings configured in Univention System Setup are now used for http and https connections. They are applied to the Univention Configuration Registry variables proxy/http and proxy/https. Previously, only proxy/http was used (Bug 50613).
  • SHA-512 is now used for the root password hash during the setup (Bug 51195).
  • Some unused code has been removed (Bug 51185).
  • Internal change: the UCR templates of univention-system-setup are now python3 compatible (Bug 51025).

§6.4.7. Domain join module

  • The dependency on the Admin diary package has been moved to `Recommends` to make it optional. Otherwise there is a circular package dependency between `univention-join` and `univention-admin-diary`, which leads to undesired behavior (Bug 51374).
  • Internal change: the UCR templates of univention-join are now python3 compatible (Bug 51095).
  • Restart univention-directory-listener on package update (Bug 51532).
  • Rebuild with new ABI Version 1.5.8 for the samba update (Bug 51532).
  • Rebuild for new ldb library version (Bug 51121).

§6.4.8. Univention Directory Reports

  • Internal change: the UCR templates of univention-directory-reports are now python3 compatible (Bug 51095).

§6.4.9. License module

  • The previous package update in errata 619 caused the system activation to not work. The apache2 configuration is fixed with this update (Bug 51420).
  • The package now uses `dh_python2` instead of `python-support` (Bug 51373).
  • Internal change: the UCR templates of univention-system-activation are now python3 compatible (Bug 51024).

§6.4.10. System diagnostic module

  • Permissions for /etc/freeradius/ssl are now also checked by the diagnostics module. Permissions for that path should be 2755 (Bug 50887).

§6.4.11. Process overview module

  • An error while querying of currently running processes has been corrected (Bug 49972).

§6.4.12. Filesystem quota module

  • Internal change: the UCR templates of univention-quota are now python3 compatible (Bug 51010).

§6.4.13. Other modules

  • It is now possible to assign the Portal Settings module to users and groups via UMC policies (Bug 50688).

§6.4.14. Development of modules for Univention Management Console

  • Internal change: The UMC module of univention-management-console-module-lib is now python3 compatible (Bug 51325).

§6.5. Univention base libraries

  • Internal improvement: Remove excessive log trace information from uldap methods `__getstate__()`, `__setstate__()` and `parentDn()` (Bug 51193).
  • The randomization mechanism during LDAP connection setup has been further improved so that it now prefers local LDAP servers over external LDAP servers (Bug 51182).
  • A new attribute "univentionShareSambaBaseDirAppendACL" was added to the LDAP schema of Samba shares (Bug 52013).
  • Internal change: the UCR templates of univention-ldap are now python3 compatible (Bug 51029).
  • The univention.lib Python modules are now Python 3 compatible (Bug 51592).

§6.6. Software deployment

  • Internal change: the UCR templates of univention-maintenance are now python3 compatible (Bug 51020).
  • The update to the next UCS version is now blocked if the previous postup.sh execution has failed (Bug 51880).
  • The UCR variable version/version and version/patchlevel are now set before the postup.sh is called (Bug 46465).
  • Fix regression caused by erratum 605 to validate signatures of `preup.sh` and `postup.sh` scripts (Bug 51576).

§6.6.1. Software monitor

  • Internal change: the UCR templates of univention-pkgdb are now python3 compatible (Bug 51139).

§6.7. System services

§6.7.1. PostgreSQL

  • Internal change: the UCR templates of univention-postgresql are now python3 compatible (Bug 51112).

§6.7.2. MySQL and MariaDB

  • Internal change: the UCR templates of univention-mariadb are now python3 compatible (Bug 51137).

§6.7.3. Docker

  • Internal change: the UCR templates of univention-docker-container-mode are now python3 compatible (Bug 51132).
  • In /etc/systemd/system/docker.service.d/http-proxy.conf the ucr var proxy/no_proxy is considered for the docker proxy settings (Bug 51031).
  • Internal change: the UCR templates of univention-docker are now python3 compatible (Bug 51132).

§6.7.4. SAML

  • Expired passwords can now be changed in the SAML login dialog (Bug 51492).
  • The possibility to report SAML errors can now be deactivated via the UCR variable saml/idp/show-error-reporting (Bug 51801).
  • The styling of the simplesamlphp error page has been enhanced (Bug 45445).
  • Add missing dependency on UCR variables for the login.{definition,translation}.json template files (Bug 51747).
  • The title of the login page is now configurable via the umc/login/texts/title/{de,en} UCR variables (Bug 51718).
  • It is now possible to activate SAML service provider for groups, not only for individual users (Bug 47567).
  • The Content-Security-Policy is now configurable via the saml/apache2/content-security-policy/.* UCR variables (Bug 51211).
  • The self service can now be set up to allow users to create their own account (see also Bug #51067). For this new feature the SAML identity provider has been adapted, to be configurable to deny login for unverified, self registered accounts (Bug 51068).
  • The configuration of SAML identity providers has been extended by the possibility to configure an attribute mapping for the LDAP attributes required by the Service providers (Bug 48927).

§6.7.5. Univention self service

  • The error message when changing the password failed has been improved (Bug 51496).
  • If a password recovery email is successfully used to recover access to an account, that address will now be considered verified (Bug 51262).
  • The page titles are now configurable via the UCR variables `umc/self-service/{page}/title/{lang}` (Bug 51260).
  • Nested groups are now correctly evaluated for Self Service white- and blacklists (Bug 51261).
  • The 'Forgot your password?' link on the login page was not shown by default anymore (Bug 51533).
  • Blacklists and whitelists for editing a user profile via the "Your profile" page of the Self Service and deleting an account via the "Delete my account" button on the "Your profile" page are no longer configured via the umc/self-service/passwordreset/{blacklist,whitelist}/{users,groups} UCR variables but the umc/self-service/profiledata/{blacklist,whitelist}/{users,groups} and umc/self-service/account-deregistration/{...} UCR variables respectively (Bug 51259).
  • The Self Service links in the hamburger menu are no longer visible if the corresponding Self Service page was disabled via UCR (Bug 51351).
  • The Content-Security-Policy is now configurable via the umc/self-service/content-security-policy/.* UCR variables (Bug 51211).
  • When requesting a new token, do not disclose the email address of the user (Bug 51152).
  • Users can now request the deletion of their account on the "Your profile" page of the Self Service. This feature can be activated via the umc/self-service/account-deregistration/enabled UCR variable (Bug 51110).
  • Added UCR variables to enable administrators to switch off all pages (and backend functions) individually (Bug 51001).
  • The self service now has an option that allows anonymous users to create self registered accounts. The feature is disabled by default (Bug 51067).

§6.7.6. Mail services

  • Internal change: the UCR templates of univention-fetchmail are now python3 compatible (Bug 51148).
  • Internal change: the UCR templates of univention-antivir-mail are now python3 compatible (Bug 51149).

§6.7.7. Dovecot

  • Internal change: the UCR templates of univention-mail-dovecot are now python3 compatible (Bug 51147).

§6.7.8. Postfix

  • Internal change: the UCR templates of univention-postgrey are now python3 compatible (Bug 51146).
  • Internal change: the UCR templates of univention-mail-postfix are now python3 compatible (Bug 51151).

§6.7.9. Spam/virus detection and countermeasures

  • Internal change: the UCR templates of univention-dansguardian are now python3 compatible (Bug 51144).

§6.7.10. Printing services

  • Internal change: the UCR templates of univention-printquota are now python3 compatible (Bug 51140).
  • A shell quoting error in the cups-printer listener module has been corrected which prevented the creation of printers for certain ACLs (Bug 51196).
  • Internal change: the UCR templates of univention-printserver are now python3 compatible (Bug 51129).

§6.7.11. Nagios

  • Internal change: the UCR templates of univention-snmpd are now python3 compatible (Bug 51143).
  • Internal change: the UCR templates of univention-nagios are now python3 compatible (Bug 51214).

§6.7.12. Apache

  • Internal change: the UCR templates of univention-apache are now python3 compatible (Bug 51077).

§6.7.13. RADIUS

  • Permissions for directory /etc/freeradius/ssl are now set during installation by join-script 80univention-radius. Permissions are also set via postinst script univention-radius.postinst (Bug 50887).
  • Internal change: the UCR templates of univention-radius are now python3 compatible (Bug 51130).

§6.7.14. Proxy services

  • Internal change: the UCR templates of univention-squid are now python3 compatible (Bug 51133).

§6.7.15. Kerberos

  • Internal change: the UCR templates of univention-heimdal are now python3 compatible (Bug 51016).

§6.7.16. SSL

  • Internal change: the UCR templates of univention-ssl are now python3 compatible (Bug 51022).
  • The list of public SSL root certificates has been updated (Bug 51732).

§6.7.17. DHCP server

  • Internal change: the UCR templates of univention-dhcp are now python3 compatible (Bug 51136).

§6.7.18. PAM / Local group cache

  • Internal change: the UCR templates of univention-sasl are now python3 compatible (Bug 51142).
  • Internal change: the UCR templates of univention-pam are now python3 compatible (Bug 51224).
  • Internal change: the UCR templates of univention-pam are now python3 compatible (Bug 51027).

§6.7.19. NFS

  • Internal change: the UCR templates of univention-nfs are now python3 compatible (Bug 51138).

§6.7.20. Other services

  • Internal change: the UCR templates of univention-firewall are now python3 compatible (Bug 51035).

§6.8. Desktop

  • Internal change: the UCR templates of univention-kdm are now python3 compatible (Bug 51218).

§6.9. Virtualization

§6.9.1. UCS Virtual Machine Manager (UVMM)

  • Internal change: the UCR templates of univention-virtual-machine-manager-daemon are now python3 compatible (Bug 51215).
  • Fix UCR template installation for package univention-virtual-machine-manager-node-common, which makes the KVM node reachable via network again (Bug 51739).
  • Internal change: the UCR templates of univention-virtual-machine-manager-node are now python3 compatible (Bug 51215).
  • Internal change: the UCR templates of univention-virtual-machine-manager-schema are now python3 compatible (Bug 51215).

§6.9.2. Operate UCS as virtual machine

  • Internal change: the UCR templates of univention-cloud-init are now python3 compatible (Bug 51135).

§6.10. Services for Windows

§6.10.1. Samba

  • The Samba share listener will now apply all modified NT ACEs given in the UDM attribute "appendACL" to share folders (Bug 52013).
  • A python syntax error has been removed in the UCR configuration file /etc/samba/base.conf (Bug 51212).
  • Internal change: the UCR templates of univention-samba are now python3 compatible (Bug 51131).
  • Internal change: the UCR templates of univention-samba4 are now python3 compatible (Bug 51131).
  • Rebuild with new ABI Version 1.5.8 for the samba update (Bug 51532).

§6.10.2. Univention S4 Connector

§6.10.3. Univention Active Directory Connection

  • Support ldaps configuration in univention-ad-search and univention-connector-list-rejected (Bug 51673).
  • Fix error handling regression of Bug #51518 (Bug 51915).
  • In AD connections with a `read` configuration (e.g. in AD member mode), changes to the AD attribute `mail` were no longer synchronized to the UDM/OpenLDAP attribute `mailPrimaryAddress` since Erratum 636. This has been fixed (Bug 51647).
  • The synchronization of the pwdChangeNextLogin flag only worked if the password was reset at the same time. This behavior has been fixed (Bug 51585).
  • Fix UCS to AD Diff-Mode synchronization from the OpenLDAP attributes telephoneNumber, homePhone, mobilePhone and pager to the MS AD attributes otherTelephone, otherHomePhone, otherMobile and otherPager (Bug 51567).
  • Log the active mapping on startup (Bug 51518).
  • Basic profiling support via UCR connector/ad/poll/profiling (Bug 51518).
  • Ignore changes to a list of irrelevant attributes. The list can be extended via a new UCR variable connector/ad/mapping/attributes/irrelevant (Bug 18501).
  • The Diff-Mode synchronization technique originally implemented for the S4-Connector has been merged into the AD-Connector. This affects the replication of multi-value attributes: only values added or removed on the source are modified on the destination system, while values that are unchanged on the source of replication also remain unchanged on the destination. Before this update, all values of an attribute changed in the source LDAP were replaced in the destination LDAP. Please note that the replication of group memberships does not change, because it was already done in Diff-Mode before (Bug 51462).
  • The flag pwdChangeNextLogin is now synced bidirectionally by the adconnector (Bug 51298).
  • Internal change: the UCR templates of univention-ad-connector are now python3 compatible (Bug 51160).
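The two AD-Connector changes above, the irrelevant-attribute filter (Bug 18501) and Diff-Mode replication of multi-value attributes (Bug 51462), are easier to reason about with a small model. The following is an added example and not the connector's own code: it contrasts the old replace-everything behaviour with the diff-mode behaviour on a constructed phone-number sample, and shows how a change that only touches irrelevant attributes produces nothing to replicate. The comma-separated syntax assumed for the `connector/ad/mapping/attributes/irrelevant` value and the attribute names in the sample are assumptions of this example.

```python
"""Diff-mode replication of multi-valued LDAP attributes (added illustration).

Not the AD Connector's own code: a small model of the behaviour the release
notes describe. The separator assumed for the UCR attribute list and the
sample values are constructed for this example.
"""
from typing import Dict, Iterable, List, Set, Tuple

Values = List[str]
Entry = Dict[str, Values]
Op = Tuple[str, Values]


def parse_irrelevant(ucr_value: str) -> Set[str]:
    """Turn a comma-separated attribute list (assumed UCR syntax) into a
    lower-cased set; LDAP attribute names are case-insensitive."""
    return {name.strip().lower() for name in ucr_value.split(",") if name.strip()}


def relevant_changes(old: Entry, new: Entry, irrelevant: Set[str]) -> Set[str]:
    """Attributes whose value set really changed, ignoring the irrelevant ones.
    An empty result means the change needs no replication at all."""
    changed = set()
    for attr in set(old) | set(new):
        if attr.lower() in irrelevant:
            continue
        if set(old.get(attr, [])) != set(new.get(attr, [])):
            changed.add(attr)
    return changed


def replace_mode(src_new: Values) -> List[Op]:
    """Pre-update behaviour: every value of the attribute is rewritten on the
    destination, so values that exist only there are lost."""
    return [("replace", sorted(set(src_new)))]


def diff_mode(dest: Values, src_old: Values, src_new: Values) -> List[Op]:
    """Diff-mode: only values added or removed on the source are touched on the
    destination; values the destination holds on its own are left alone."""
    added = set(src_new) - set(src_old)
    removed = set(src_old) - set(src_new)
    ops: List[Op] = []
    to_add = sorted(added - set(dest))       # do not re-add what is already there
    to_delete = sorted(removed & set(dest))  # do not delete what is not there
    if to_add:
        ops.append(("add", to_add))
    if to_delete:
        ops.append(("delete", to_delete))
    return ops


def apply_ops(dest: Values, ops: Iterable[Op]) -> Values:
    """Apply the modification list to the destination's current value set."""
    result = set(dest)
    for op, values in ops:
        if op == "replace":
            result = set(values)
        elif op == "add":
            result |= set(values)
        elif op == "delete":
            result -= set(values)
        else:
            raise ValueError(f"unknown operation {op!r}")
    return sorted(result)


# Constructed sample: the user gets a new number in OpenLDAP, one old number
# is dropped, and the AD side holds one number the UCS side never had.
SRC_OLD = ["+49 421 1", "+49 421 2"]
SRC_NEW = ["+49 421 2", "+49 421 3"]
DEST = ["+49 421 1", "+49 421 2", "+1 555 0100"]


def demo() -> Tuple[Values, Values]:
    """Return (replace-mode result, diff-mode result) for the sample above."""
    return (apply_ops(DEST, replace_mode(SRC_NEW)),
            apply_ops(DEST, diff_mode(DEST, SRC_OLD, SRC_NEW)))


if __name__ == "__main__":
    before, after = demo()
    print("replace mode:", before)   # the AD-only number is gone
    print("diff mode:   ", after)    # the AD-only number survives
```

In replace mode the destination-only value `+1 555 0100` disappears, in diff mode it survives while the source's addition and removal are still applied; that is exactly the difference the release note describes, and the reason group memberships were already handled this way.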

§6.11. Other changes

  • Re-add univention-archive-key-ucs-3x.gpg. This fixes an issue that a UCS repository mirror could not download packages (Bug 51603).
  • Add new PGP public key univention-archive-key-ucs-5x.gpg for UCS 5 and remove expired key univention-archive-key-ucs-3x.gpg from UCS-3 (Bug 51250).
  • Internal change: the UCR templates of univention-mozilla-firefox are now python3 compatible (Bug 51218).
  • Internal change: the UCR templates of univention-initrd are now python3 compatible (Bug 51019).
  • Internal change: the UCR templates of univention-kde are now python3 compatible (Bug 51218).
  • Make the http_proxy environment variable accessible to the spamassassin cron job (Bug 44489).
  • Internal change: the UCR templates of univention-spamassassin are now python3 compatible (Bug 51145).
  • Internal change: the UCR templates of are now python3 compatible (Bug 51086).
  • Internal change: the UCR templates of univention-directory-policy are now python3 compatible (Bug 51092).
  • Internal change: the UCR templates are now python3 compatible (Bug 51088).
  • univention-directory-logger is now able to prefix related log lines with the same transaction ID. This new feature is automatically enabled on fresh installations of univention-directory-logger but remains disabled during updates. Set ldap/logging/id-prefix=yes to enable this feature manually (Bug 51082).
  • Internal change: the UCR templates of univention-sudo are now python3 compatible (Bug 51023).
  • Check for old upgrade code (Bug 51611).
  • Allow line specific overrides (Bug 33736).
  • Allow using Python 3 (Bug 51637).
  • Check for well-known SIDs (Bug 33737).
  • Check for common shell issues (Bug 51612).
  • Check for usage of `debian/*.pyinstall` files to install Python modules (Bug 51106).
  • Check users of `custom_{user,group}name()` registering for required UCR variables (Bug 50056).
  • Check for packages declaring dependencies on `Essential:yes` packages (Bug 51476).
  • Check for usage of `uldap.searchDn()` (Bug 51375).
  • `ucslint` has been removed as a direct dependency from all UCS packages as it now runs directly from our CI pipeline (Bug 42294).
  • Debian maintainer scripts `debian/*.{pre,post}{inst,rm}` are now checked for handling wrong actions (Bug 43981).
  • Un-joinscript files are now checked for errors, too (Bug 48747).
  • The `debian/changelog` file is checked for strictly monotonic entries. In the past this has led to surprising update results, as the timestamp of the latest entry is used for many things during the package build (Bug 49620).
  • `debian/*.ucs` files are checked more strictly due to the switch to Python 3. For example, duplicate keys are now errors (Bug 49683).
  • New `debhelper` related files in `debian/` are recognized (Bug 51246).
  • `debian/*.dirs` is now checked for unneeded entries which are already created indirectly by other steps (Bug 51247).
  • `debian/compat` is now checked for consistency with the declared versioned build dependency of `debhelper` in `debian/control` (Bug 51248).
  • UCR templates are checked for compatibility with Python 2 and 3 (Bug 51107).
  • Invalid Python string literals are now detected (Bug 51105).
  • The code base has been converted to Python 3 (Bug 49704).
  • Internal change: the UCR templates of univention-passwd-store are now python3 compatible (Bug 51008).
  • Internal change: the UCR templates of univention-x-core are now python3 compatible (Bug 51218).
  • Python 3 compatibility for the UMC debhelper scripts has been added (Bug 51235).
  • Do not set UCR variables `ldap/overlay/memberof/` before system is joined (Bug 47641).
  • Internal change: the UCR templates of univention-ldap-overlay-memberof are now python3 compatible (Bug 51096).
  • Modified the 'Change password' menu entry for future feature release compatibility (Bug 51181).
  • When authenticating with an expired password via pam-krb5, heimdal prompted for a password change, which led to the password being overwritten with the old password. This behavior has been fixed (Bug 51462).
  • Internal change: the UCR templates of univention-printclient are now python3 compatible (Bug 51009).
  • Internal change: the UCR templates of univention-grub are now python3 compatible (Bug 51018).
  • Internal change: the UCR templates of univention-directory-manager-module-example are now python3 compatible (Bug 51216).
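The `debian/changelog` check listed above (Bug 49620) is worth seeing in code, because a non-monotonic changelog silently feeds the wrong timestamp into the build. The following is an added example and not ucslint's own implementation: a stand-alone checker that parses the documented Debian changelog layout (a `package (version) ...` header and a ` -- Name <mail>  date` trailer per entry) and reports every entry that is not strictly newer than the one below it. Both changelog texts are constructed for this example; the package name and maintainer in them are invented.

```python
"""Strict-monotonic check for debian/changelog entries (added illustration).

Not ucslint's own code: a stand-alone re-implementation of the check the
release notes describe. The changelog texts below are constructed for this
example.
"""
import re
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Tuple

HEADER_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^)]+)\) ")
TRAILER_RE = re.compile(r"^ -- .+<[^>]+>  (?P<date>\S.*)$")

Entry = Tuple[str, datetime, int]  # version, timestamp, line number of trailer


def parse_changelog(text: str) -> List[Entry]:
    """Collect (version, timestamp, line) per entry, in file order (newest
    first). An unparseable date raises, which is what a linter wants."""
    entries: List[Entry] = []
    version = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = HEADER_RE.match(line)
        if header:
            version = header.group("version")
            continue
        trailer = TRAILER_RE.match(line)
        if trailer and version is not None:
            stamp = parsedate_to_datetime(trailer.group("date"))
            entries.append((version, stamp, lineno))
            version = None
    return entries


def check_monotonic(entries: List[Entry]) -> List[str]:
    """Each entry must be strictly newer than the one below it. Timestamps are
    compared as instants, so the same time written in two zones is a clash."""
    problems = []
    for (v_new, t_new, _), (v_old, t_old, lineno) in zip(entries, entries[1:]):
        if t_new <= t_old:
            problems.append(
                f"line {lineno}: {v_old} ({t_old.isoformat()}) is not older "
                f"than {v_new} ({t_new.isoformat()})"
            )
    return problems


def lint_changelog(text: str) -> List[str]:
    """Convenience wrapper: parse and check in one call."""
    return check_monotonic(parse_changelog(text))


# Constructed sample changelogs (not from any real package).
CHANGELOG_OK = """\
univention-example (1.0.2-1) unstable; urgency=medium

  * Newest entry.

 -- Jane Doe <jane@example.com>  Wed, 10 Jun 2020 12:00:00 +0200

univention-example (1.0.1-1) unstable; urgency=medium

  * Older entry.

 -- Jane Doe <jane@example.com>  Tue, 09 Jun 2020 12:00:00 +0200
"""

# Same instant written in two time zones: not strictly monotonic.
CHANGELOG_BAD = """\
univention-example (1.0.2-1) unstable; urgency=medium

  * Newest entry, stamped with a time that is not newer than the one below.

 -- Jane Doe <jane@example.com>  Wed, 10 Jun 2020 12:00:00 +0200

univention-example (1.0.1-1) unstable; urgency=medium

  * Older entry.

 -- Jane Doe <jane@example.com>  Wed, 10 Jun 2020 10:00:00 +0000
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = CHANGELOG_BAD
    for problem in lint_changelog(text):
        print(problem)
```

Run it with a path to a `debian/changelog` to lint a real file; without arguments it reports the constructed time-zone clash. One caveat: `parsedate_to_datetime` returns a naive datetime for a trailer written with the `-0000` zone, and comparing that with a zoned entry raises `TypeError`; a linter should treat that as a failure rather than swallow it.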