With Univention Corporate Server 4.4-6, the sixth point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
Improvements in user self management via the Self Service App. The Self Service App displays predefined texts to the user, e.g. when resetting the password. Administrators can now adjust the contents of these texts. Newly registered users are activated as soon as the user's e-mail address has been successfully verified. This behavior is disabled by default. With this option it is possible to run a UCS with Self Service Module where users register themselves and use their user account after successful validation of the email address.
App Center: Custom hook scripts for administrators. UCS system administrators can now store their own scripts on a UCS system with apps; the App Center executes them after an app installation, update or uninstallation. This allows recurring manual steps after an app update to be automated, such as adapting an app to individual conditions. Example: the subsequent installation of fonts in the installed Office App or the copying of an own SSL certificate into an App.
UCS Portal: Warning about outdated and no longer supported browsers. A warning is displayed to a user when logging in to the UCS management system if an unsupported browser, such as Internet Explorer 11, is used. The warning can also be activated for the portal.
Improvements in product stability.
Memory leak in the UMC server fixed. Among other things, this caused password changes through the user self service in larger environments to stop working until the UMC server was restarted.
Observed crash behavior of the LDAP server in connection with the ppolicy overlay module was fixed.
The UDM REST API can now handle umlauts in the URL of an API call.
Expired user passwords can now be reset directly in the Single Sign On login window.
Various security updates have been integrated into UCS 4.4-6, e.g. QEMU, bind9, the Linux Kernel and PHP. A complete list of security and package updates is available in Chapter 6.
During the update, some services in the domain may be temporarily unavailable, so the update should take place in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVDs are only provided for the x86 64-bit architecture (amd64). Existing 32-bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using the update DVD. The 32-bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
```
# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
  pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4

...
Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...
```
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-5:
All security updates issued for UCS 4.4-5 are included:
The following updated packages from Debian Stretch 9.13 are included (Bug 52026): gnome-shell, base-files, libdbi, linux-latest, neon27, postfix, proftpd-dfsg, sendmail, squid3, tzdata, websockify, xdg-utils, xml-security-c, acmetool, asyncpg, atril, batik, c-icap-modules, chasquid, checkstyle, compactheader, cram, csync2, debian-installer, debian-installer-netboot-images, debian-security-support, fex, file-roller, firejail, fwupd, golang-github-seccomp-libseccomp-golang, gosa, grunt, gssdp, gupnp, heartbleeder, htmlunit, icingaweb2, inetutils, iptables-persistent, jackson-databind, jruby, ksh, lemonldap-ng, libapache2-mod-auth-openidc, libbusiness-hours-perl, libclamunrar, libembperl-perl, libetpan, libjackson-json-java, libpam-radius-auth, linux-4.19, linux-latest-4.19, luajit, lucene-solr, mailman, megatools, mercurial, milkytracker, mod-gnutls, mongo-tools, mongodb, mupdf, ndpi, netty, netty-3.9, nginx, node-url-parse, nvidia-graphics-drivers, pcl, php-horde, php-horde-core, php-horde-data, php-horde-form, php-horde-gollem, php-horde-kronolith, php-horde-trean, phpmyadmin, python-icalendar, python-pip, rails, ros-actionlib, roundcube, ruby-json, ruby-kramdown, ruby-rack, ruby-websocket-extensions, ruby-zip, salt, shiro, software-properties, sogo-connector, ssvnc, storebackup, swt-gtk, thunderbird, tinyproxy, tomcat8, transmission, uwsgi, wordpress, xrdp, xtrlock, zabbix
The following packages have been moved to the maintained repository of UCS: univention-debhelper (Bug 51374)
`open(..., 'rw')`, which is invalid with Python 3 (Bug 51680).
password/quality/mspolicy has been added to allow configuration of standard MS password criteria. It is not active by default. When set to yes or true, this check is applied in addition to the python-cracklib checks. If set to sufficient, then it is done instead of the python-cracklib checks. See the Univention Configuration Registry variable description for details (Bug 51994).
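The three settings of password/quality/mspolicy, as an added example that is not UCS code: a Python implementation of the standard Microsoft complexity criteria (minimum six characters, no account name or display-name token of three or more characters, at least three of five character classes) combined with a constructed stand-in for the python-cracklib check. `WEAK_WORDS`, `cracklib_like_ok` and `password_ok` are assumed names; values of the variable other than yes, true or sufficient are assumed to mean "not active".

```python
import re

# Constructed stand-in for python-cracklib (assumption): a tiny word list
# plus a length rule take the place of the real dictionary check.
WEAK_WORDS = {"password", "qwerty", "letmein", "univention"}

def cracklib_like_ok(password):
    """Placeholder for the python-cracklib check: reject short or listed words."""
    return len(password) >= 8 and password.lower() not in WEAK_WORDS

def ms_complexity_ok(password, username, display_name=""):
    """Standard MS complexity: >= 6 chars, must not contain the account name
    (if it has 3+ chars) or any display-name token of 3+ chars, and must use
    at least three of: upper, lower, digit, non-alphanumeric, other letters."""
    if len(password) < 6:
        return False
    low = password.lower()
    if len(username) >= 3 and username.lower() in low:
        return False
    for token in re.split(r"[,.\-_ #\t]+", display_name):
        if len(token) >= 3 and token.lower() in low:
            return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    return sum(classes) >= 3

def password_ok(password, username, mspolicy="", display_name=""):
    """Combine the checks as the UCR variable describes them:
    unset (default) -> cracklib only; yes/true -> cracklib AND MS policy;
    sufficient -> MS policy instead of cracklib."""
    mode = mspolicy.strip().lower()
    if mode == "sufficient":
        return ms_complexity_ok(password, username, display_name)
    ok = cracklib_like_ok(password)
    if mode in ("yes", "true"):
        ok = ok and ms_complexity_ok(password, username, display_name)
    return ok
```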
domaincontroller backup and domaincontroller slave systems. This problem has now been fixed. To get all user objects back in sync, the script /usr/share/univention-ldap-overlay-memberof/univention-update-memberof should be called once on every UCS domaincontroller (Bug 46590).
dns/timeout-start (Bug 50662).
openapi.json file and disallows further logins (Bug 50708).
meta.json file to include UCR variables to configure page titles of the Univention Self Service (Bug 51260).
meta.json now contains more variables for the self service pages (Bug 51001).
/etc/apt/apt.conf.d/80proxy from the UCS host read-only to the container with the name /etc/apt/apt.conf.d/81proxy (Bug 51034).
unix password for the root account in the UCS appliance images is disabled until a proper password is set during the setup (Bug 51954). If an ssh login is required before the setup, the image has to be modified (e.g. add an ssh key for the root user).
/etc/freeradius/ssl are now also checked by the diagnostics module. Permissions for that path should be 2755 (Bug 50887).
/etc/systemd/system/docker.service.d/http-proxy.conf the UCR variable proxy/no_proxy is considered for the docker proxy settings (Bug 51031).
login.{definition,translation}.json template files (Bug 51747).
/etc/samba/base.conf (Bug 51212).
Diff-Mode synchronization from the OpenLDAP attributes telephoneNumber, homePhone, mobilePhone and pager to the MS AD attributes otherTelephone, otherHomePhone, otherMobile and otherPager (Bug 51567).
Diff-Mode synchronization technique originally implemented for the S4-Connector has been merged into the AD-Connector. This affects the replication of multi-value attributes: only values added to or removed from the attribute on the source are modified on the destination system, while values left unchanged on the source of replication also stay unchanged on the destination. Before this update, all values of an attribute changed in the source LDAP were replaced in the destination LDAP. Please note that there is no change in the replication of group memberships, because they were already replicated in Diff-Mode before (Bug 51462).
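The difference between the old replace behaviour and Diff-Mode, for the phone attribute mapping in the entry above (Bug 51567) and the general multi-value mechanism (Bug 51462), as an added example that is not connector code: a Python model of the two modlist strategies applied to a constructed AD entry that holds a value existing only on the destination. `PHONE_MAPPING`, `sync_phone_attribute` and the modlist/apply helpers are assumed names; the sample values are constructed.

```python
# Attribute mapping named on this page: OpenLDAP attribute -> MS AD attribute.
PHONE_MAPPING = {
    "telephoneNumber": "otherTelephone",
    "homePhone": "otherHomePhone",
    "mobilePhone": "otherMobile",
    "pager": "otherPager",
}

MOD_ADD, MOD_DELETE, MOD_REPLACE = "add", "delete", "replace"

def replace_mode_modlist(attr, source_values):
    """Behaviour before the update: every value of the attribute is replaced."""
    return [(MOD_REPLACE, attr, sorted(set(source_values)))]

def diff_mode_modlist(attr, old_source_values, new_source_values):
    """Diff-Mode: only values added or removed on the source are modified."""
    old, new = set(old_source_values), set(new_source_values)
    mods = []
    if old - new:
        mods.append((MOD_DELETE, attr, sorted(old - new)))
    if new - old:
        mods.append((MOD_ADD, attr, sorted(new - old)))
    return mods

def apply_modlist(entry, mods):
    """Apply a modlist to a destination entry (attribute -> set of values)
    and return the resulting entry; the input entry is left untouched."""
    result = {k: set(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == MOD_REPLACE:
            result[attr] = set(values)
        elif op == MOD_ADD:
            result.setdefault(attr, set()).update(values)
        elif op == MOD_DELETE:
            result.get(attr, set()).difference_update(values)
    return result

def sync_phone_attribute(dest_entry, source_attr, old_values, new_values, diff_mode=True):
    """Replicate one OpenLDAP phone attribute to its mapped AD attribute."""
    dest_attr = PHONE_MAPPING[source_attr]
    if diff_mode:
        mods = diff_mode_modlist(dest_attr, old_values, new_values)
    else:
        mods = replace_mode_modlist(dest_attr, new_values)
    return apply_modlist(dest_entry, mods)

# Constructed sample: the AD entry carries "+49 30 9", which exists only there.
AD_ENTRY = {"otherTelephone": {"+49 30 1", "+49 30 2", "+49 30 9"}}
OLD = ["+49 30 1", "+49 30 2"]   # previous source state
NEW = ["+49 30 2", "+49 30 3"]   # "+49 30 1" removed, "+49 30 3" added on the source
```

With diff_mode=False the destination-only value is lost; with Diff-Mode it survives and only the two changed values move.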
univention-archive-key-ucs-3x.gpg. This fixes an issue that a UCS repository mirror could not download packages (Bug 51603).
univention-archive-key-ucs-5x.gpg for UCS 5 and remove expired key univention-archive-key-ucs-3x.gpg from UCS-3 (Bug 51250).
ldap/logging/id-prefix=yes to enable this feature manually (Bug 51082).
`debian/*.pyinstall` files to install Python modules (Bug 51106).
`debian/*.dirs` is now checked for unneeded entries which are already created indirectly by other steps (Bug 51247).
`debian/compat` is now checked for consistency with the declared versioned build dependency of `debhelper` in `debian/control` (Bug 51248).
`ldap/overlay/memberof/` before the system is joined (Bug 47641).