UCS 4.4 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.4-9


Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS installation DVD only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Notes on selected packages
5.1. UEFI Secure Boot
5.2. Collection of usage statistics
5.3. Scope of security support for WebKit, Konqueror and QtWebKit
5.4. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Domain services
6.2.1. OpenLDAP
6.2.1.1. Listener/Notifier domain replication
6.2.2. DNS server
6.3. Univention Management Console
6.3.1. Univention Management Console web interface
6.3.2. Univention Management Console server
6.3.3. Univention App Center
6.3.4. Univention Directory Manager UMC modules and command line interface
6.3.5. Domain join module
6.3.6. System diagnostic module
6.3.7. Other modules
6.4. Univention base libraries
6.5. Software deployment
6.6. System services
6.6.1. SAML
6.6.2. Dovecot
6.6.3. Postfix
6.6.4. Nagios
6.6.5. RADIUS
6.6.6. SSL
6.6.7. DHCP server
6.7. Virtualization
6.7.1. UCS Virtual Machine Manager (UVMM)
6.8. Services for Windows
6.8.1. Samba
6.8.2. Univention S4 Connector
6.8.3. Univention Active Directory Connection
6.9. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 4.4-9, the ninth point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:

  • The security and usability of Univention Management Console has been improved.

  • The UDM REST API scales better.

  • The robustness and performance of Listener/Notifier replication has been improved.

  • The Linux kernel has been updated to version 4.19.235.

  • Various security updates have been integrated into UCS 4.4-9, for example for PostgreSQL, Samba, the Linux Kernel and MariaDB.

§Chapter 2. Notes about the update

During the update some services in the domain may be temporarily unavailable, which is why the update should be performed in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. As a consequence, this can severely damage the system. If the update is nevertheless performed over a network connection, it must be ensured that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.

# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-5x.gpg \
        pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...
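The following script is an added example for the preparation steps above; it is not part of the release notes or of Univention's own tooling. It chains the checks a practitioner wants before starting an update: root on the local console, the roughly 4 GB of free space named above, a screen session when the login came in over SSH, and, exactly as in the command above, execution of the downloaded check script only after gpgv has accepted its detached signature. The keyring path, script name and download URL are the ones given in the release notes; everything else (the 4 GB threshold as a hard limit, the screen session name, the --run switch) is this example's own choice.

```shell
#!/bin/bash
# Added example, not part of the release notes or of Univention's tooling:
# a pre-flight wrapper for the preparation steps of the UCS 4.4-9 update.
# It refuses to continue unless it runs as root, has the ~4 GB the update
# needs, is not in an unprotected SSH session, and the downloaded check
# script carries a valid detached signature. Assumes bash, coreutils, curl
# and gpgv with the keyring path used in the release notes.

UPDATE_SPACE_KB=$((4 * 1024 * 1024))   # 4 GB, the additional space the notes require
KEYRING=/usr/share/keyrings/univention-archive-key-ucs-5x.gpg
SCRIPT=pre-update-checks-4.4
BASE_URL=https://updates.software-univention.de/download/univention-update-checks

# Free space in KiB on the filesystem holding $1. POSIX output format (-P)
# keeps the column layout stable regardless of long device names.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Returns 0 when $1 KiB is at least what the update needs, 1 otherwise.
enough_space() {
    [ "$1" -ge "$UPDATE_SPACE_KB" ]
}

# Returns 0 when this shell was started by sshd (it exports SSH_CONNECTION
# and, for interactive logins, SSH_TTY), 1 for a local console login.
in_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# Returns 0 when already inside GNU screen, which sets STY for its children.
in_screen() {
    [ -n "${STY:-}" ]
}

# Execute the check script only after gpgv accepts its detached signature.
# The && is the whole point: a failed verification never reaches bash.
run_verified() {
    gpgv --keyring "$KEYRING" "$SCRIPT.gpg" "$SCRIPT" && bash "$SCRIPT"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run this as root" >&2; return 1
    fi
    local kb
    kb=$(free_kb /)
    if ! enough_space "$kb"; then
        echo "only $kb KiB free on /, the update needs $UPDATE_SPACE_KB KiB" >&2; return 1
    fi
    if in_ssh_session && ! in_screen; then
        # A dropped SSH connection would kill the update; re-exec under
        # screen so the session survives and can be re-attached later
        # with "screen -r ucs-update".
        echo "SSH session without screen, restarting under screen" >&2
        exec screen -S ucs-update "$0" "$@"
    fi
    # Brace expansion must happen, so the URL stays unquoted as in the notes.
    curl -OOs $BASE_URL/$SCRIPT{,.gpg}
    run_verified
}

# Only act when invoked as "bash this-script --run"; sourcing merely defines the helpers.
if [ "${1:-}" = "--run" ]; then
    main "$@"
fi
```

The disk-space figure is treated as a hard requirement here because a failed download midway through a release update leaves apt in a half-configured state that is much harder to recover from than simply waiting for more space.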

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Notes on selected packages

§5.1. UEFI Secure Boot

Secure Boot builds a chain of trust from the UEFI firmware to the Linux kernel. Any modification before the Linux kernel gets started is detected and aborts the boot process. This technique can be used to prevent boot viruses from infecting the system.

In July 2020 a major defect was detected in GRUB and the Linux kernel: Attackers can modify the environment before the Linux kernel is fully loaded and can disable secure boot. This affected nearly all Linux distributions including Univention Corporate Server. Microsoft thus revoked all previously signed versions of shim, which breaks the secure boot chain at its earliest stage. As soon as the UEFI firmware is updated or Microsoft Windows runs on the same hardware and updates the list of revoked binaries, UCS 4.4 can no longer be booted.

For 4.4-9 it was planned to update all components so that a UEFI installation with Secure Boot enabled works again. In the meantime new issues have been found in grub2 and shim. Because of that, Microsoft currently does not sign any version of shim. Therefore UCS 4.4-9 only ships with the new Linux kernel 4.19.235; older kernel versions will no longer be permitted in the future.

An update of grub2 and shim is planned for UCS 4.4-10. Until then the revoked version of shim will still be used. If the system no longer boots after updating the revocation lists, Secure Boot has to be turned off for the time being. Updating to UCS 5.0 is another alternative.
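Whether a host is exposed to the boot failure described above depends on one thing only: is Secure Boot actually enforced by its firmware? The script below is an added example, not part of the release notes or of Univention's tooling. It answers that question by reading the UEFI SecureBoot variable through efivarfs, which is what mokutil --sb-state does internally. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the kernel default on UEFI systems) and uses the standard EFI global variable GUID; the --check switch and the wording of the summary are this example's own.

```shell
#!/bin/bash
# Added example, not from the release notes: decide whether this host is
# affected by the shim revocation by reading the UEFI SecureBoot variable
# the way mokutil --sb-state does. Assumes efivarfs at the kernel's default
# mount point. Every file there starts with 4 bytes of variable attributes
# followed by the variable data; for SecureBoot the data is one byte,
# 1 = enabled, 0 = disabled.

EFIVARS=/sys/firmware/efi/efivars
SB_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE GUID

# Print "enabled", "disabled" or "unknown" for the SecureBoot variable
# stored in file $1. od skips the 4 attribute bytes and reads the data byte,
# so no UEFI tooling is needed.
sb_state_from_file() {
    local byte
    byte=$(od -An -t u1 -j 4 -N 1 "$1" 2>/dev/null | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print the state of the live system: "legacy" when the firmware is not
# UEFI at all (no efivars), otherwise the decoded variable.
sb_state() {
    local f="$EFIVARS/SecureBoot-$SB_GUID"
    if [ ! -d "$EFIVARS" ]; then
        echo legacy
    elif [ -r "$f" ]; then
        sb_state_from_file "$f"
    else
        echo unknown
    fi
}

# Operator summary: only "enabled" hosts can hit the boot failure the
# release notes warn about once the firmware's revocation list is refreshed.
if [ "${1:-}" = "--check" ]; then
    state=$(sb_state)
    echo "Secure Boot: $state"
    case "$state" in
        enabled) echo "revoked shim in use until UCS 4.4-10: do not refresh the revocation list, or disable Secure Boot first" ;;
        legacy|disabled) echo "not affected by the shim revocation" ;;
        *) echo "could not read the SecureBoot variable, check manually" ;;
    esac
fi
```

Run it as root with --check on every UCS 4.4 host that dual-boots Windows or receives firmware updates; those are the two paths the notes name for the revocation list reaching the machine.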

§5.2. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.3. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.4. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 71

  • Firefox as of version 60

  • Safari and Safari Mobile as of version 12

  • Microsoft Edge as of version 18

As of this release Internet Explorer is not supported by Univention Management Console anymore.

Users running older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.4-8:

§6.1. General

§6.2. Domain services

§6.2.1. OpenLDAP

  • The behavior of the translog overlay was modified to skip grandchildren of the cn=temporary,cn=univention container. This new behavior can be controlled by the Univention Configuration Registry variable ldap/translog-ignore-temporary. This reduces the number of replication transactions during creation of users and groups significantly. As a result it increases the replication performance and reduces the rate at which the cn=translog LMDB backend database gets filled. This variable is applicable only to the Primary Directory Node. The package univention-ldap-server activates this variable by default (Bug 54446).
  • Update file last_id atomically (Bug 53821).
  • Log error if file listener/listener cannot be written (Bug 53821).
  • Consistently write <TransID> if last_id could not be determined at all (Bug 53821).
  • Check file listener/listener if getting last_id fails (Bug 53821).

§6.2.1.1. Listener/Notifier domain replication

  • Remove unused code leading to problems while updating to UCS 5 (Bug 52956).
  • Set listener module replication.py priority directly in the file (Bug 54504).
  • Log messages of univention-translog have been improved (Bug 53821).
  • The script univention-translog now also checks the file listener/listener.priv if that exists (Bug 53821).
  • The script univention-translog recognizes the special values <TransID> and 0 and is able to fix them (Bug 53821).
  • Restarting the systemd unit is now limited to 50 times in an observation window of 1000 seconds (Bug 53821).
  • The notifier aborts if the transaction ID issued by the OpenLDAP translog overlay is not a valid integer (Bug 53821).
  • Remove hard-coded replication.py listener module priority from univention-directory-listener. Instead, the priority is now set by package univention-directory-replication (Bug 54504).
  • Add missing dependency on python-typing (Bug 54322).
  • Make module execution order configurable by explicitly specifying a priority (Bug 54061).

§6.2.2. DNS server

  • Server password change now logs timestamps (Bug 54019).

§6.3. Univention Management Console

§6.3.1. Univention Management Console web interface

  • Functionality of some widgets has been adjusted for specific use cases (Bug 53847).
  • The DateBox and TimeBox widgets now handle empty values correctly and support the date2 syntax again (Bug 53675).
  • The login page no longer has the Login entry in the menu (Bug 53617).
  • The cache settings of Univention Management Console have been enhanced and relaxed to fix caching issues after the upgrade to UCS 5.0 (Bug 37720).
  • The UDM REST API now supports multiprocessing via the Univention Configuration Registry variable directory/manager/rest/processes. Further details can be found in the performance guide (Bug 53669).
  • The configuration of log rotation for the UDM REST API logfiles has been added (Bug 53986).

§6.3.2. Univention Management Console server

  • The login page no longer has the Login entry in the menu (Bug 53617).
  • Access to the Univention Management Console has been repaired if the user is allowed to use only one module which does not have a flavor (Bug 53710).
  • SAML logouts which are initiated by another service provider are now correctly handled (Bug 53638).
  • The new Univention Configuration Registry variable umc/http/enforce-secure-cookie can be set to mark the cookies with the Secure flag when using an HTTPS connection, so browsers never send them over plain HTTP (Bug 53511).
  • The new Univention Configuration Registry variable umc/http/enforce-session-cookie can be set to make the login cookie a session cookie: Closing the browser will delete the cookie, effectively logging out the user (Bug 52353).
  • The cache settings of Univention Management Console have been enhanced and relaxed to fix caching issues after the upgrade to UCS 5.0 (Bug 37720).
  • When logged in via SAML, the SAML authentication at the UMC server (or LDAP server) is now correctly refreshed again after the validity of the SAML message has expired (Bug 54229).
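The two cookie variables above are only useful if the resulting Set-Cookie header actually carries the flags. The script below is an added example, not Univention code: it sets both variables with ucr and then checks every Set-Cookie line the UMC server returns, flagging a missing Secure flag, a missing HttpOnly flag (an extra check beyond the two variables) and any Expires or Max-Age attribute, which would make the cookie persistent instead of a session cookie. The variable names come from this changelog; the service name, the /univention/auth login endpoint with its username and password form fields, the cookie name and the sample headers are assumptions of this example.

```shell
#!/bin/bash
# Added example (not Univention code): apply the two UMC cookie settings
# from the UCS 4.4-9 changelog and verify them from the Set-Cookie header.
# Assumed: the service name below, that POST /univention/auth with form
# fields "username" and "password" performs a UMC login, and the cookie
# name UMCSessionId. The checker itself works on any Set-Cookie line.

# Hardened settings: Secure flag on HTTPS, and a session cookie (no
# Expires/Max-Age) so closing the browser logs the user out.
apply_settings() {
    ucr set umc/http/enforce-secure-cookie=true \
            umc/http/enforce-session-cookie=true
    systemctl restart univention-management-console-server.service   # assumed unit name
}

# Inspect one Set-Cookie value (the part after "Set-Cookie: "). Prints a
# space separated list of findings; empty output means the cookie passes.
check_set_cookie() {
    local line="$1" lower findings=""
    lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
    case "$lower" in *"; secure"*|*";secure"*) ;; *) findings="$findings missing-Secure" ;; esac
    case "$lower" in *"; httponly"*|*";httponly"*) ;; *) findings="$findings missing-HttpOnly" ;; esac
    case "$lower" in *"expires="*|*"max-age="*) findings="$findings not-session-cookie" ;; esac
    printf '%s\n' "${findings# }"
}

# Constructed sample headers (not captured from a real system): what a
# persistent, flag-less cookie looks like beside the hardened one.
SAMPLE_WEAK='UMCSessionId=abc123; Path=/; Expires=Tue, 01 Mar 2022 10:00:00 GMT'
SAMPLE_HARDENED='UMCSessionId=abc123; Path=/; Secure; HttpOnly'

# Live check: log in once and inspect every Set-Cookie the server returns.
# -k is only acceptable against a lab CA; drop it when the UCS CA is trusted.
check_live() {
    local host="$1" user="$2" pass="$3"
    curl -sk -D - -o /dev/null "https://$host/univention/auth" \
        --data-urlencode "username=$user" --data-urlencode "password=$pass" \
        | grep -i '^set-cookie:' | tr -d '\r' | while IFS= read -r hdr; do
            findings=$(check_set_cookie "${hdr#*: }")
            if [ -z "$findings" ]; then echo "OK   $hdr"; else echo "FAIL $hdr -> $findings"; fi
        done
}

# Usage: bash this-script --apply <host> <user>   (password is prompted, not echoed)
if [ "${1:-}" = "--apply" ]; then
    apply_settings
    printf 'UMC password for %s: ' "$3" >&2
    stty -echo; IFS= read -r pw; stty echo; echo >&2
    check_live "${2:-localhost}" "$3" "$pw"
fi
```

Only the login response is inspected, because that is where the session cookie is issued; checking an unauthenticated page would pass trivially. Keep the cookie check in your post-update verification, since the variables are opt-in and a restored UCR backup can silently revert them.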

§6.3.3. Univention App Center

  • Fixed a regression where the App installation failed if the App had certain App settings (Bug 53677).
  • App settings of the scope outside are now applied on the system before the App's preinst script (Bug 53609).

§6.3.4. Univention Directory Manager UMC modules and command line interface

  • Expose the parameter sizelimit in the simple UDM API (Bug 53832).
  • Make LDAP object classes and attribute names selectable (Bug 31857).
  • Make options in Extended Attributes selectable (Bug 25054).
  • Add syntax class to select UDM syntax class for Extended Attributes (Bug 52683).
  • UDM now enforces uniqueness of the name of objects in the same subtree position (Bug 53725).
  • It is now possible to set an account activation date for users, e.g. via the property accountActivationDate in the UDM users/user module (Bug 53675).
  • The simple UDM API now exposes the option remove_childs from the UDM function remove() in the method delete() to recursively delete objects below the DN of the object that is being deleted (Bug 53620).
  • ucs_registerLDAPExtension from the UCS shell function library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53362).
  • Users/LDAP objects could not be created if the mspolicy password complexity criteria was configured due to the missing displayname (Bug 52446).
  • Turkish umlauts are now correctly converted to ASCII letters (Bug 52878).
  • When a user was added as a member of a group in UDM and another member already had the same UID but a different DN, the group's memberUid entry for that user was dropped. This happened in the Cool Solution user-group-sync during move operations (Bug 54487).
  • UDM can now handle environments where the module refint for uniqueMember has been enabled (Bug 48956).
  • Adding and removing users to/from large groups is now faster (Bug 51233).

§6.3.5. Domain join module

  • The file permissions of /etc/machine.secret.SAVE are now set before the file is written, so the saved machine password is never world-readable, not even briefly (Bug 49033).
  • Rebuilt to match the new LDB package version (Bug 54014).

§6.3.6. System diagnostic module

  • The system diagnostic check no longer shows false positives when an HTTP proxy is used (Bug 53575).
  • The new check 61_notifier_protocol_version will now be skipped on systems without univention-directory-notifier and therefore no longer produces false positive results (Bug 54365).
  • A diagnostic module has been added to check the Univention Configuration Registry variable notifier/protocol/version (Bug 50733).

§6.3.7. Other modules

  • When copying a user object, entries were not filled in correctly, so the copy could not be saved (Bug 53859).
  • Empty values are now prepended to static values for certain widgets if the syntax class requires this (Bug 53675).
  • Rewriting properties of apps using App Options changed the original options leading to follow up errors especially in the UDM REST API (Bug 53715).
  • The user creation wizard now shows the mailPrimaryAddress if it is required. The default value and visibility of widgets in the user creation wizard can now be configured via UCR (Bug 53514).

§6.4. Univention base libraries

  • UDM now enforces uniqueness of the name of objects in the same subtree position (Bug 53725).
  • ucs_registerLDAPExtension from the UCS shell function library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53362).
  • The cache settings of Univention Management Console have been enhanced and relaxed to fix caching issues after the upgrade to UCS 5.0 (Bug 37720).
  • The package univention-ldb-modules has been rebuilt to match the new version of package ldb (Bug 54014).
  • A new shell library function echowithtimestamp was added (Bug 54019).

§6.5. Software deployment

  • Prevent non-blocking components from crashing the UMC updater module during the update to UCS 5.0-0 (Bug 53228).

§6.6. System services

§6.6.1. SAML

  • Permissions to use a SAML service provider in UCS can be configured on a user object or on group objects for all members of the group. The group membership check via the memberOf attribute was not case-insensitive, so members whose DN differed only in case were not recognized (Bug 53432).

§6.6.2. Dovecot

  • Server password change now logs timestamps (Bug 54019).

§6.6.3. Postfix

  • The Univention Directory Listener module listfilter.py did not respect the Univention Configuration Registry variable mail/postfix/policy/listfilter/use_sasl_username=yes when executed with the option --test (Bug 46176).
  • Server password change now logs timestamps (Bug 54019).

§6.6.4. Nagios

  • The Nagios plugin check_univention_slapd_mdb_maxsize now takes the number of free pages into account for checking the size of the LDAP database (Bug 49291).

§6.6.5. RADIUS

  • Server password change now logs timestamps (Bug 54019).

§6.6.6. SSL

  • The SSL certificate download now times out after 10 minutes instead of hanging indefinitely (Bug 53810).

§6.6.7. DHCP server

  • Server password change now logs timestamps (Bug 54019).

§6.7. Virtualization

§6.7.1. UCS Virtual Machine Manager (UVMM)

  • Multi-threaded iteration over all virtual machines has been fixed (Bug 49297).
  • Disks using the new type volume are now handled (Bug 54630).

§6.8. Services for Windows

§6.8.1. Samba

  • The UCR module for samba share restrictions did not quote the spaces inside share names like the samba listener does (Bug 53799).
  • Added a username map script for use when Samba is configured as domain member (Bug 54014).
  • Access to home shares via NTLM authentication on member servers has been fixed (Bug 54320).
  • During a server password change the Samba process was not restarted in some cases. The script to restart Samba was fixed to ensure the service is restarted successfully (Bug 51535).
  • Server password change now logs timestamps (Bug 54019).
  • LDB source code has been adjusted to support new Samba security patches (Bug 54014).

§6.8.2. Univention S4 Connector

  • The user expiry was off by one day between UCS and Samba. This discrepancy has been removed (Bug 54433).
  • Server password change now logs timestamps (Bug 54019).

§6.8.3. Univention Active Directory Connection

  • Invalid values in the LDAP attribute sambaNTPassword are now ignored instead of triggering a traceback (Bug 49590).
  • The Nagios check for univention-ad-connector reported a false positive if multiple Univention AD connector instances were running (Bug 51869).
  • The value for resynchronization of rejected changes from AD was fixed to use the documented default of 10 retries instead of 0, if the Univention Configuration Registry variable connector/ad/max_retry_rejected is not set (Bug 54432).
  • UCS rejects are resynchronized only a certain amount of times. This is configurable via a new Univention Configuration Registry variable connector/ad/max_retry_rejected, which defaults to 10 tries (Bug 49867).

§6.9. Other changes

  • Fixed a certificate verification error with alternate chains. This addresses the issue with Let's Encrypt certificates starting 2021-10-01, after the expiry of the DST Root CA X3 root at the end of September 2021 (Bug 53863).
  • A SAML service provider configuration can now contain an array of attributes in the option case_insensitive_attributes when using an authorize:Authorize filter. These attributes will be compared case insensitive (Bug 53432).
  • ucs_registerLDAPExtension from the UCS shell function library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53362).
  • The package python3-stdlib-extensions has been moved to maintained (Bug 54406).
  • A new Univention Configuration Registry variable ldap/translog-ignore-temporary has been created to control whether UDM temporary objects should be considered for replication by the OpenLDAP translog overlay which feeds the Listener/Notifier. This reduces the number of replication transactions during creation of users and groups significantly. As a result it increases the replication performance and reduces the rate at which the LMDB backend database cn=translog gets filled. This variable is applicable only to the Primary Directory Node. By default it will be set to yes during package installation and update (Bug 54446).
  • The file /etc/machine.secret.SAVE is no longer readable by everyone (Bug 49033).
  • On the Primary Directory Node the LDAP server module refint can now be enabled by setting the Univention Configuration Registry variable ldap/refint=true. It enforces referential integrity for the attribute uniqueMember. For updates the module will not be enabled by default (Bug 48956).
  • The group membership cache now returns an empty list instead of None when requesting non-existing keys. This fixes a traceback in the Microsoft 365 Connector listener, when not every ADConnectionAlias has at least one user (Bug 54561).
  • Fix the upgrade path for the group membership cache to work all time from the initial update to UCS 5.0-0 up to installing the latest erratum (Bug 54206).
  • The cache now supports caches with a reverse mapping (Bug 54119).
  • The package was added to provide a very fast user and group membership cache (Bug 54068).