Publication date 2022-06-30
With Univention Corporate Server 5.0-2, the second point release for Univention Corporate Server (UCS) 5.0 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
The User Self Service was integrated into the UCS portal. Furthermore, support for additional placeholders, such as firstname and lastname, was added to the email template for password reset.
For RADIUS, users can assign a so-called service specific password. And administrators can assign dedicated VLANs to user groups to increase network security.
SameSite Cookies can now be configured for UMC and SAML.
The AD Takeover has been made more robust.
Numerous performance improvements have been implemented regarding DNS, LDAP and during the sign in to UMC.
The French translation for the UCS management system was updated.
The UMC system diagnostics has been extended: Several new checks have been added and some older have been improved.
Most packages have been migrated to Python 3. Their Python 2 counterparts are no longer installed by default and will be removed.
This Univention Corporate Server release is based on Debian 10.12 Buster.
Various security updates have been integrated into UCS 5.0-2, for example for Samba4, OpenLDAP, OpenSSL, and the Linux kernel.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours. In large environments it may be useful to consult the [ucs-performance-guide].
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the Primary Directory Node (formerly referred to as master domain controller) and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the Primary Directory Node must always be the first system to be updated during a release update.
UCS 5 is only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS systems cannot be updated to UCS 5.
Please note that simultaneous operation of UCS and Debian on a UEFI system starting with UCS 5.0 is not supported.
The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. If Debian is already installed, UCS can no longer be booted after the installation of or an update to UCS 5.0. A subsequent installation of Debian will also result in UCS 5.0 not being able to boot.
Further hints on this topic are collected in the following help article: https://help.univention.com/t/17768
This section is relevant for environments where a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository running on a UCS server with version 4.x will only provide packages up to UCS 4.x, a repository server running on UCS 5 will only provide packages for UCS 5 and newer versions. To upgrade systems to UCS 5 in an environment with a local repository, the following are some of the options. First, a local UCS 5 repository server must be set up.
univention-join.
To upgrade a system in the domain to UCS 5, the server should first be upgraded to the latest package level available for UCS 4.x.
Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry variable repository/online/server.
The system can now be upgraded to UCS 5 via the Univention Management Console or via the command line.
Manually crafted Python code needs to be checked for compatibility with Python 3.7 before the update and adjusted accordingly. This includes Univention Configuration Registry templates containing Python code; customized AD-Connector mapping templates are an example of this. See also the [developer-reference] for advice.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 1-2 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools tmux, screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-2{.gpg,}
# verify and run script
apt-key verify pre-update-checks-5.0-2{.gpg,} && bash pre-update-checks-5.0-2
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
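Added example, not Univention's own tooling: a small POSIX shell wrapper that downloads and verifies the checker as shown above, then parses its "Checking ... OK" lines and refuses to proceed with the update if any check reports something other than OK. It assumes curl and apt-key are available and that the checker's output format matches the sample above; the script, log file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the UCS release notes: gate the release update on
# the signed pre-update-checks script. Downloads the script plus its detached
# signature, verifies it with apt-key (as the release notes do), runs it and
# refuses to continue if any check reports something other than OK.
set -eu

BASE_URL="https://updates.software-univention.de/download/univention-update-checks"

# failed_checks: read checker output on stdin and print the name of every
# check whose status is not "OK", one per line. Other lines are ignored.
failed_checks() {
    awk '/^Checking .* \.\.\. / { if ($NF != "OK") print $2 }'
}

# fetch_and_verify: download pre-update-checks-VERSION and its .gpg signature
# into the current directory and verify the signature before anything runs.
fetch_and_verify() {
    version="$1"
    curl -f -O "$BASE_URL/pre-update-checks-$version" \
            -O "$BASE_URL/pre-update-checks-$version.gpg"
    apt-key verify "pre-update-checks-$version.gpg" "pre-update-checks-$version"
}

# run_gate: run the verified checker, keep its complete output in a log file
# and return 1 (listing the failed checks on stderr) if anything is not OK.
run_gate() {
    version="$1"
    log="pre-update-checks-$version.log"
    fetch_and_verify "$version"
    bash "pre-update-checks-$version" 2>&1 | tee "$log"
    failed="$(failed_checks < "$log")"
    if [ -n "$failed" ]; then
        printf 'Not updating, failed checks:\n%s\n' "$failed" >&2
        return 1
    fi
    echo "All pre-update checks passed; univention-upgrade can be started"
}

# Nothing runs on plain sourcing; invoke as:  sh gate-update.sh run 5.0-2
if [ "${1:-}" = "run" ]; then
    run_gate "${2:-5.0-2}"
fi
```

The checker's own exit status is masked by the tee pipeline, so the gate relies on the parsed status lines; run it with root on the console or inside tmux/screen as the notes recommend.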
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 85
Firefox as of version 78
Safari and Safari Mobile as of version 13
Microsoft Edge as of version 88
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 5.0-1:
All security updates issued for UCS 5.0-1 are included:
The following updated packages from Debian 10.12 are included (Bug 54866): aide, apache-log4j1.2, apache-log4j2, atftp, base-files, beads, btrbk, cargo-mozilla, chrony, cimg, condor, debian-edu-config, debian-installer-netboot-images, debian-installer, detox, djvulibre, ecdsautils, evolution-data-server, exo, faad2, ffmpeg, firejail, gerbv, glibc, graphicsmagick, h2database, htmldoc, http-parser, icu, ipython, jtharness, jtreg, lemonldap-ng, leptonlib, libdatetime-timezone-perl, libencode-perl, libetpan, libextractor, libjackson-json-java, libmodbus, libphp-adodb, librecad, libsdl1.2, lighttpd, llvm-toolchain-11, lrzip, lxcfs, mailman, mediawiki, modsecurity-apache, needrestart, node-getobject, openjdk-11, openscad, opensc, php-illuminate-database, phpliteadmin, plib, privoxy, prosody, publicsuffix, python-bottle, python-virtualenv, raptor2, redis, ros-ros-comm, roundcube, ruby2.5, ruby-httpclient, rust-cbindgen, rustc-mozilla, smarty3, snapd, sogo, sphinxsearch, spip, strongswan, subversion, thunderbird, trafficserver, tryton-proteus, tryton-server, tzdata, uriparser, usbview, varnish, vlc, waitress, wavpack, webkit2gtk, weechat, wireshark, wordpress, zsh, zziplib
The following packages have been moved to the maintained repository of UCS: python-jose (Bug 54666), python-keycloak (Bug 54689), univention-support-info (Bug 53358)
open(O_EXCL) now returns EEXIST instead of EISDIR (Bug 54476).
get_int(), that can be used to avoid receiving a string when an integer is required. If the value of the requested Univention Configuration Registry variable is not a number, the default value is returned verbatim instead (Bug 20933).
ppolicy overlay module uses embedded Python. This has been migrated to Python 3 (Bug 54582).
translog overlay was modified to skip grandchildren of the cn=temporary,cn=univention container. This new behavior can be controlled by the Univention Configuration Registry variable ldap/translog-ignore-temporary. This reduces the number of replication transactions during creation of users and groups significantly. As a result it increases the replication performance and reduces the rate at which the cn=translog LMDB backend database gets filled. This variable is applicable only to the Primary Directory Node. The package univention-ldap-server activates this variable by default (Bug 48626).
univention-translog import --min TID had no effect (Bug 54794).
dns/timeout-start is now also considered in the systemd unit univention-bind-ldap. This can be used in cases where a large number of DNS zones slows down the start of the DNS server bind. This only affects systems which have dns/backend set to ldap, i.e., systems that are not configured as Samba/AD DC. After changing the variable, running systemctl daemon-reload once is required (Bug 54108).
- in their name (Bug 54063).
entryUUID and dn of newly created objects are now included in the response (Bug 54347).
directory/manager/rest/processes. Further details can be found in the performance guide (Bug 50050).
apache2/force_https, so that the portal tiles in the UMC are shown even if https is forced (Bug 53296).
DNSanitizer has been added to the Python module variable __all__ to prevent warnings for developers (Bug 52445).
umc/http/cookie/samesite (Bug 54484).
tmpfs that are created for a docker app to be defined in the apps ini file (Bug 54562).
directory/manager/web/widget/.* has been removed. This can now be achieved via syntax classes directly (Bug 54840).
jpegPhoto was broken since UCS 5.0-0 and has been repaired (Bug 54769).
users/user (Bug 54467).
users/user objects (Bug 54150).
users/ldap objects is possible again. This was broken due to the Python 3 migration in UCS 5.0 (Bug 54085).
groups/group (Bug 54402).
Domain Join the progress bar will now display the name of the currently running script instead of the last script that was finished (Bug 33255).
ldbsearch as command line arguments. To reduce the attack surface it now uses a file instead (Bug 53100).
univention_samaccountname_ldap_check attempted to create an object of type computers/windows for it, which always failed because the account name was already taken by the computers/domaincontroller_backup object (Bug 54768).
univention-directory-reports now offers two new options: --output-dir allows specification of the output directory and --output-name allows specification of the file name of the report (Bug 54153).
52_mail_acl_sync will no longer fail if multiple IMAP mail folders exist (Bug 54675).
univention-run-diagnostic-check now displays links in the description of failed tests (Bug 50756).
ldap/debug/level correctly (Bug 49354).
notifier/protocol/version (Bug 54264).
univention-run-diagnostic-checks now offers to run a group of tests and also to exclude some of the tests (Bug 53969).
univention-run-diagnostic-check is now executed with machine account credentials by default (Bug 54515).
slapschema error message has been improved in 62_check_slapschema (Bug 54681).
LDAP_Search (Bug 54190).
directory/manager/web/modules/users/user/wizard/property/invite/default will now work properly and can be used to activate the option in the user wizard by default (Bug 54316).
UCSVersion now includes the erroneous input parameter in the error message for debugging (Bug 49061).
generate_password that can generate random passwords. The new function password_config can be used to get the parameters for that from UCR (Bug 54555).
OPT_X_TLS_NEWCTX will be necessary for future UCS versions (Bug 54408).
univention-upgrade --updateto is parsed earlier and exits on a wrong parameter (Bug 49061).
apt-get --force-yes option is deprecated and has been replaced with --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages (Bug 48891).
univention-upgrade will now work correctly (Bug 53666).
postgres11/autostart=no by accident (Bug 54255).
saml/idp/session-cookie/secure, saml/idp/session-cookie/samesite, saml/idp/language-cookie/secure and saml/idp/language-cookie/samesite (Bug 54483).
/usr/share/univention-mail-postfix/listfilter.py has been repaired (Bug 54560).
ucr set apache2/ssl/tlsv13=true (Bug 54306).
freeradius/vlan-id has been added to set a VLAN ID even if the user is not a member of any such group (Bug 25916).
radius/use-service-specific-passwords has been added: If enabled, the authentication is done against a RADIUS specific password, not the domain password of the user (Bug 54409).
kerberos/defaults/ticket-lifetime (Bug 52987).
log.smbd filled with a message because a Windows 10 client attempted to access user files, which is denied by the NTACLs. While the origin of that behavior is still unknown, no negative side effects are known. To avoid overflowing the log file, we adjusted the log message to only start appearing at debug level 2. The default log level is 1 (Bug 52979).
samba-tool now supports passing credentials using the option --authentication-file and the machine password using the option --machinepass-file (Bug 53101).
samba-tool now supports passing credentials using the options -A|--authentication-file (Bug 53101).
systemctl command was not found under the path specified in the Python code (Bug 54238).
--help messages (Bug 54588).
rsync in doc/univention-ssh.8 (Bug 54588).
univention-scp --help and univention-rsync message to specify that the --no-split option must be set before the password file parameter (Bug 54588).
slapd.conf.d/65admingrp-user-passwordreset introduced by UCS 5.0-2 erratum 308 (Bug 54790).
ldap/acl/user/passwordreset/.* have a lot of values (Bug 54744).
ldap/translog-ignore-temporary has been created to control whether UDM temporary objects should be considered for replication by the OpenLDAP translog overlay which feeds the Listener/Notifier. This reduces the number of replication transactions during creation of users and groups significantly. As a result it increases the replication performance and reduces the rate at which the cn=translog LMDB backend database gets filled. This variable is applicable only to the Primary Directory Node. By default it will be set to yes during package installation and update (Bug 48626).
[ucs-performance-guide] Univention GmbH. 2021. UCS performance guide. https://docs.software-univention.de/performance-guide-5.0.html.
[developer-reference] Univention GmbH. 2021. Univention Developer Reference. https://docs.software-univention.de/developer-reference-5.0.html.