Changelog for Univention Corporate Server (UCS) 5.0-10#

General#

  • UCS 5.0-10 includes the following updated packages from Debian ELTS:

    emacs krb5 libtasn1-6 libxml2 xorg-server ca-certificates-java distro-info-data ruby2.5 tzdata ucf activemq ark asterisk astropy c-icap-modules context cyrus-imapd dcmtk dnsmasq editorconfig-core fastnetmon frr git-lfs gst-plugins-base1.0 gstreamer1.0 havp icinga2 iperf3 lemonldap-ng libapache-mod-jk libcpan-reporter-smoker-perl libgsf libmodule-scandeps-perl libpam-tacplus libpgjava libreoffice libtar linux-6.1 linux-signed-6.1-amd64 mpg123 needrestart nodejs pg-snakeoil pypy python-clamav qtbase-opensource-src redis smarty3 sssd sympa texlive-bin tomcat9 twisted vlc waitress wireshark zeromq3

Basic system services#

Univention Configuration Registry#

Changes to templates and modules#

  • The Linux kernel parameters for the garbage collection of ARP cache entries can now be set with UCR, and their default values have been increased (Bug #57712).

Boot Loader#

  • To support Secure Boot in Debian 10 (Buster) ELTS, the Secure Boot shim needs to be updated to include the Freexian public certificate, which was used to sign the ELTS Linux kernel and other packages. This update adds that certificate to the shim alongside the Debian public CA, which allows both old packages (signed by Debian) and new packages (signed by Freexian) to be booted (Bug #57718).

Domain services#

LDAP Directory Manager#

  • Improved the performance of _ldap_modlist() in the groups/group handler to speed up modifications of very large groups (Bug #57960).

  • JPEG conversion is now enforced for all profile pictures, not just PNG files (Bug #57672).

  • univention-license-check didn’t count system accounts correctly in the case of an unlimited license. This has been fixed (Bug #57713).

  • Dynamic udm_filter values for UDM syntax classes have been fixed, so that a syntax whose udm_filter depends on the value of another property works again (Bug #57733).

Univention Management Console#

Univention Portal#

  • Unique HTML identifiers have been added to each self-service module to simplify custom CSS usage (Bug #57731).

Univention Management Console server#

  • As Keycloak checks OpenID Connect URIs case-sensitively, the default URIs set during the join script setup were rejected on servers whose hostnames contained uppercase letters. All generated URIs are now converted to lowercase (Bug #57679).

  • Improved database session management under high load to prevent errors. Sessions are now closed properly, which improves stability in high-concurrency environments (Bug #57680).

  • The OpenID Connect front-channel logout feature now works properly in environments where the OpenID Connect Provider is hosted on a different domain than the UMC (Bug #57516).

  • The connection pool settings pool_size, max_overflow, pool_timeout and pool_recycle can now be configured through univention-management-console-settings for improved resource management (Bug #57714).

  • The UMC session is now deleted when the OpenID Connect token can’t be refreshed because the session at the OpenID Connect Provider (OP) has been deleted (Bug #57515).

  • A package dependency to the Python library psycopg2 has been added (Bug #57622).

  • The automatic browser reload of the univention-portal led to a visual logout every 5 minutes, because the initial assertion had expired by then. This has been fixed (Bug #57563).

Univention App Center#

  • univention-app update-check didn’t report all missing apps during a UCS upgrade: some Docker apps could be missed because the check worked on the wrong cache. This has been fixed (Bug #57802).

  • univention-appcenter now provides UCR templates for PostgreSQL 15 (Bug #57802).

  • Files uploaded as an App Setting were saved with the wrong content if uploaded during app installation. This has been fixed (Bug #57996).

User management#

  • The Message-ID header has been added to emails sent through the user self service to prevent rejection by certain email providers (Bug #57953).

  • The UMC module is now a singleton, which means that multiple requests don’t create new instances of the module but are handled by one single module process. This can greatly increase performance and decrease memory consumption (Bug #57609).

Univention Directory Reports#

  • Fixed the handling of UDM properties with complex syntax, for example dnsEntryZoneForward, that prevented users from using them in customized report templates (Bug #57431).

System diagnostic module#

  • The diagnostic check 04_saml_certificate_check could show a traceback if UMC wasn’t configured for any kind of single sign-on. This has been fixed (Bug #57746).

  • The script univention-report-support-info now keeps the generated archive by default. The option --cleanup has been added to the script to override this new behavior (Bug #57641).

LDAP directory browser#

  • When using OpenID Connect login, the Univention Directory Manager module of the Univention Management Console sometimes wouldn’t load after the LDAP server was restarted. This has been fixed (Bug #57533).

Univention base libraries#

  • OpenLDAP is now configured to use the sortvals option for the attributes uniqueMember and memberUid. This improves performance when modifying user or group objects in environments with groups of several thousand members. The attributes for the sortvals option can be configured via the Univention Configuration Registry variable ldap/server/sortvals (Bug #52175).

Software deployment#

  • After a system update through the Software Update UMC module, the user now stays in the module to view the system status instead of being redirected to the UMC overview page (Bug #57838).

  • The option to update to a new UCS release is no longer offered if some Docker apps aren’t yet released for that release (Bug #57802).

System services#

SAML#

  • Fixed the link to the 5.2 changelog in univention-keycloak-migration-status (Bug #57975).

  • The tool univention-keycloak can now update an existing authentication flow so that it replaces the Kerberos authentication step with a conditional sub-flow, which can enable Kerberos authentication depending on the client IP address (Bug #56474).

  • The script univention-keycloak-migration-status has been adjusted to check the setting ucs/server/sso/uri, which will be used from UCS 5.2 onward (Bug #57806).

  • The join script 91univention-saml.inst is now skipped if the Primary Directory Node is on UCS 5.2. In this case simpleSAMLphp is no longer supported and the steps in 91univention-saml.inst aren’t needed (Bug #57839).

Proxy services#

  • The squid cache settings can now be configured manually. Any value other than ufs in the UCR variable squid/cache/format disables the cache configuration in squid.conf. A custom squid cache configuration can then be added to /etc/squid/local.conf (Bug #57963).
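As an added example (not from this changelog and not Univention's own configuration), the following /etc/squid/local.conf fragment shows the kind of custom disk cache an administrator might define once the generated cache configuration is disabled. The ucr command shown in the comment, the aufs storage scheme, the directory, the sizes and the object limits are assumptions for illustration; the directive syntax is standard squid syntax.

```conf
# Added example, not part of UCS: custom squid cache in /etc/squid/local.conf.
# Assumed to be active after disabling the generated cache block, e.g. with:
#   ucr set squid/cache/format=aufs
# (any value other than "ufs" disables the cache configuration in squid.conf).

# 10 GB on-disk cache using the aufs storage scheme with 16 first-level and
# 256 second-level subdirectories (assumed sizes; adjust to the spool volume).
cache_dir aufs /var/spool/squid 10240 16 256

# Memory reserved for hot objects; keep this well below the host's free RAM,
# the process grows beyond it with index and I/O buffers.
cache_mem 512 MB

# Upper bound for objects written to disk, and a much smaller bound for
# objects held in cache_mem so a few large downloads can't evict everything.
maximum_object_size 64 MB
maximum_object_size_in_memory 512 KB
```

After adding or resizing a cache_dir, create the directory structure with squid -z before restarting, and verify the merged configuration with squid -k parse so a typo in local.conf doesn't leave the proxy down. Keep /var/spool/squid readable only by the squid user, since cached responses can contain session tokens and downloaded content that users never intended to share with other accounts on the host.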

Services for Windows#

Samba#

  • Since the update from kernel 4.19 to kernel 5.10, the behavior of the xfs file system appears to have changed with respect to the handling of xattrs. As a symptom, rsync -aAX as used by the script sysvol-sync.sh seems to remove trusted.SGI_ACL_FILE and trusted.SGI_ACL_DEFAULT when synchronizing the SYSVOL from a system with an ext4 partition, which doesn’t have those xattrs but only the usual system.posix_acl_access and system.posix_acl_default. The script sysvol-sync.sh has been adjusted to filter the synchronized xattrs so that only security.NTACL is considered and no other xattrs are touched (Bug #57529).

  • The join script has been adjusted to stop winbindd first during provisioning. This avoids unnecessary waiting time when stopping the other Samba processes in the next step (Bug #57310).

  • In environments where the Active Directory Domain Controller app has been configured to use mdb as the backend key-value store for the sam.ldb database, the command samba-tool domain backup offline could run into a deadlock if parallel changes to sam.ldb were made, for example through dynamic DNS updates. That command is used by the script univention-samba4-backup. The deadlock was caused by an interplay of three components: the script samba-tool, the command mdb_copy and the process attempting to modify sam.ldb. This update avoids the issue by reverting upstream changes made for Samba bug 14676, which were introduced there in anticipation of lmdb version 0.9.26, which UCS 5.0 doesn’t use (Bug #57734).

  • The init script /etc/init.d/samba-ad-dc has been adjusted to explicitly stop the winbindd and smbd processes as well and to also check for pids in their respective process groups. This can be necessary during package updates, in case the winbind.postinst and samba.postinst scripts start these processes separately instead of as children of the main samba process. This should avoid /etc/init.d/samba restart failing with the error message NT_STATUS_ADDRESS_ALREADY_ASSOCIATED in log.samba (Bug #57310).

Univention Active Directory Connection#

  • Rejects in the connector for objects in AD that can’t be read completely are now deleted properly (Bug #57737).

  • Starting with UCS 5.0-0, the AD Connector had an issue with rewriting mixed-case AD DNs in the presence of a custom position_mapping. This has been fixed, so that mixed-case DNs from AD are mapped properly to UCS LDAP DNs again, avoiding unintelligible rejects (Bug #57565).