Table of Contents
With Univention Corporate Server 4.4-7, the seventh point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
Editing your own contact information on the UCS Self Service is possible with existing Single Sign On registration.
Administrators can use the UCR variable umc/cookie-banner/show to control the display of a banner that informs users about the use of cookies when using the UCS portal and other services.
In S4 Connector and AD Connector a bug was fixed that after moving or deactivating user objects, these objects were still assigned to groups that were no longer relevant for them.
The update to Samba 4.10.18 mitigates the Zerologon security issue, new options allow secure configuration in environments where Secure Channel must be used.
Various security updates have been integrated into UCS 4.4-7, e.g. Postgresql, Samba, the Linux Kernel and PHP. A complete list of security and package updates is available in Chapter 6.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}
# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command
univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-6:
All security updates issued for UCS 4.4-6 are included:
The following updated packages from Debian Stretch 9.13 are included (Bug 52381): php-pear, libdatetime-timezone-perl, linux-latest, tzdata, activemq, blueman, bouncycastle, cargo, cimg, dompurify.js, drupal7, eclipse-wtp, fastd, gcc-mozilla, golang-1.7, golang-1.8, golang-go.crypto, guacamole-server, httpcomponents-client, inspircd, jackson-databind, jruby, junit4, jupyter-notebook, linux-4.19, linux-latest-4.19, llvm-toolchain-7, mediawiki, moin, nfdump, nodejs-mozilla, obfs4proxy, pacemaker, packagekit, packer, phpmyadmin, puma, rails, rclone, restic, ruby-gon, ruby-json-jwt, ruby-rack-cors, rust-cbindgen, rustc, sddm, snmptt, spice-gtk, sympa, thunderbird, tigervnc, tomcat8, wordpress, yaws, zabbix
meta.json from UMC, but the inexpensive one from Apache directly (Bug 52303).
umc/cookie-banner/show to true (Bug 50302).
meta.json, which would involve UMC. The portal does not need the additional information and may save one expensive request (Bug 52303).
/univention/get/meta involves a call to UMC. This is not always necessary. Now it is possible to fetch a stripped down static version instead. This patch moves the meta file into a public folder (Bug 52303).
appcenter/app has been updated to be compatible to python3.
The joinscript has been updated to specify a --ucsversionend option with the
ucs_registerLDAPExtension calls. This is required in preparation for UCS 5.0
(Bug 52429).
meta.json file was changed. This change is internal (Bug 52303).
userChrome.css (Bug 52160).
univention-run-join-scripts now validates command line arguments and does not run all scripts if an unknown parameter is given (Bug 46985).
ucs_registerLDAPExtension offers an additional option --name
which can be used to specify the RDN of the LDAP object. This can be useful
if two versions of a UDM or LDAP extension need to be active simultaneously in the domain,
e.g. one being only compatible to python2, but still required for UCS 4.4-based systems in the domain
and another being only compatible to python3, required for the systems which at some point will
have updated to UCS 5. This may be useful in preparation to the UCS 5.0 release (Bug 52433).
clean_old_backups has been fixed (Bug 51765).
meta.json, which would involve UMC. The site does not need the additional information and may save one expensive request (Bug 52303).
/var/lib/simplesamlphp/secrets.inc.php which contains the simplesamlphp administration password could be read by any local user (Bug 51922).
/etc/simplesamlphp/serviceprovider_enabled_groups.json This fixes a bug where SAML permissions applied to groups could not be evaluated (Bug 51608).
umc/self-service/passwordreset/token_validity_period is now evaluated correctly (Bug 51287).
umc/self-service/allow-authenticated-use to true. When enabling the behavior all UCR variables for the Self-Service which are set on the DC Master must be set identically on the Self-Service System (Bug 51607).
--ucsversionend option with the ucs_registerLDAPExtension calls.
This is required in preparation for UCS 5.0 (Bug 52426).
apache2/server-limit apache2/start-servers apache2/min-spare-threads apache2/max-spare-threads apache2/threads-per-child apache2/server-signature apache2/server-tokens apache2/server-admin (Bug 51294).
create/spn/account/timeout sets the timeout for how long the system waits for successful synchronization of the SPN account during a domain join. The default timeout has been increased to 10800s (Bug 51835).
--ucsversionend option with the
ucs_registerLDAPExtension calls. This is required in preparation for UCS 5.0
(Bug 52428).
connector/s4/mapping/domainpolicy=yes. The schema file n_domainpolicy.schema has to be activated beforehand. See the manual for more information (Bug 51782).
/etc/univention/connector/localmapping.py. The manual has details on how to write this file (Bug 49981).