Changelog for Univention Corporate Server (UCS) 5.0-3#

General#

  • All Python source code is now indented with 4 spaces instead of tabulators (Bug #55642).

  • The server password change script has been improved to track and log the execution, allowing a better understanding of failed operations (Bug #54273).

  • The package univention-keycloak has been added as a dependency to the univention-server-common package. It contains a CLI tool used by the Univention Keycloak app (Bug #55383).

  • The package univention-support-info is now by default installed on every system role (Bug #55485).

  • The script server_password_change/univention-admin-diary has been updated to generate more useful debug information (Bug #54273).

  • A clear error message is now displayed instead of an exception when the admin diary front end is installed on a different system than the admin diary server and the database connection is not configured correctly (Bug #49016).

  • Reading records from the database has been optimized to use less RAM and CPU (Bug #51902).

  • Some source code has been refactored regarding binding of loop variables to function calls (Bug #55598).

  • A UMC operation set was added which allows users without admin privileges to use the user templates (Bug #37927).

  • Join scripts now handle errors when the registration of a service fails (Bug #53092).

  • The following updated packages from Debian 10.13 are included: base-files, bzip2, clamav, debootstrap, distro-info-data, libnet-ssleay-perl, postfix, postgresql-11, postgresql-common, shim, shim-helpers-amd64-signed, tzdata, adminer, asterisk, awstats, barbican, batik, bcel, blender, booth, cacti, cargo-mozilla, cgal, cinder, clickhouse, commons-daemon, composer, connman, debian-installer, debian-installer-netboot-images, debian-security-support, djangorestframework, dlt-daemon, dojo, dpdk, dropbear, e17, epiphany-browser, esorex, evemu, exiv2, exuberant-ctags, feature-check, ffmpeg, fig2dev, foxtrotgps, freecad, frr, ftgl, g810-led, gdal, gerbv, gif2apng, git, glance, gnucash, golang-github-docker-go-connections, golang-github-pkg-term, golang-github-russellhaering-goxmldsig, graphicsmagick, gst-plugins-good1.0, hsqldb, htmldoc, http-parser, inetutils, ini4j, iptables-netflow, isync, jackson-databind, jersey1, jetty9, jhead, joblib, jqueryui, jtreg6, jupyter-core, kannel, kicad, knot-resolver, lava, lemonldap-ng, leptonlib, libapache-session-browseable-perl, libapache-session-ldap-perl, libapache2-mod-auth-openidc, libapreq2, libbluray, libcommons-net-java, libdatetime-timezone-perl, libetpan, libgoogle-gson-java, libhtml-stripscripts-perl, libhttp-cookiejar-perl, libhttp-daemon-perl, libitext5-java, libjettison-java, libmodbus, libnet-freedb-perl, libpgjava, libraw, librose-db-object-perl, libstb, libvirt-php, libvncserver, libxstream-java, libzen, lighttpd, linux-5.10, linux-signed-5.10-amd64, llvm-toolchain-13, mat2, maven-shared-utils, mbedtls, mediawiki, minidlna, modsecurity-apache, modsecurity-crs, mplayer, mutt, ndpi, netty, nginx, node-cached-path-relative, node-ejs, node-end-of-stream, node-eventsource, node-fetch, node-hawk, node-json-schema, node-loader-utils, node-log4js, node-minimatch, node-minimist, node-moment, node-node-forge, node-object-path, node-qs, node-require-from-string, node-tar, node-thenify, node-trim-newlines, node-xmldom, nodejs, 
nova, nvidia-graphics-drivers, nvidia-graphics-drivers-legacy-390xx, octavia, open-vm-tools, openexr, openjdk-11, openvswitch, orca, pacemaker, pcs, pglogical, php-guzzlehttp-psr7, php-horde-mime-viewer, php-horde-turba, php-phpseclib, phpseclib, pngcheck, postsrsd, powerline-gitstatus, procmail, publicsuffix, puma, pysha3, python-django, python-keystoneauth1, python-oslo.utils, python-scciclient, python-scrapy, python-udatetime, qtbase-opensource-src, rails, request-tracker4, rexical, ruby-activeldap, ruby-git, ruby-hiredis, ruby-http-parser.rb, ruby-nokogiri, ruby-rack, ruby-rails-html-sanitizer, ruby-riddle, ruby-sinatra, ruby-tzinfo, rust-cbindgen, rustc-mozilla, schroot, sctk, smarty3, snakeyaml, snapd, sofia-sip, spip, strongswan, swift, sysstat, thunderbird, tinyxml, tmux, tomcat9, tor, trafficserver, twig, twisted, ublock-origin, unrar-nonfree, varnish, viewvc, virglrenderer, vlc, webkit2gtk, wireshark, wkhtmltopdf, wordpress

  • The following packages have been moved to the maintained repository of UCS:

Univention Configuration Registry#

  • Validation for the values of UCR variables has been added. By default only a warning is printed if an invalid value is set. By setting the UCR variable ucr/check/type to yes, type checking can be enforced, which prevents invalid values from being set (Bug #54495).

  • A new variable type url_http was added in order to support validation of HTTP/HTTPS URL strings (Bug #55044).

  • A wrong UCR layer name was printed; this has been fixed (Bug #55174).

  • The UCR type checking now displays more specific information about the type constraints (Bug #55573).

Changes to templates and modules#

  • Several UCR variable type annotations have been fixed. Most importantly, the UCRVs proxy/http and proxy/https are now checked for validity, as specifying a URL with a path, query or fragment will break several programs (Bug #54495).

Listener/Notifier domain replication#

  • Calls to several OpenLDAP tools (slaptest etc.) fail when the cn=config LDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).

  • The API for writing Listener modules has been simplified: the module name is now derived automatically from the file name of the module, which removes the requirement to specify it explicitly via the module variable name.

DNS server#

  • The script server_password_change.d/univention-bind has been updated to generate more useful debug information (Bug #54273).

Univention Management Console web interface#

  • The UDM command line client now writes error messages and warnings to standard error (Bug #4498).

  • The OpenAPI schema of the UDM REST API has been improved: Nested properties are now described in more detail, whereas they were previously only described as free-form objects. Data has been de-duplicated by referencing global definitions instead of including them. All possible HTTP errors are listed in the responses. Experimental features like pagination during search have been added as deprecated so that they can be used more easily in the future when UCS supports them. Various parameters are now generated via code introspection (Bug #55096).

  • The URI template for nested search queries was invalid and has been adjusted (Bug #55115).

  • The script server_password_change.d/univention-directory-manager-rest has been updated to generate more useful debug information (Bug #54273).

  • The performance of the UDM REST API has been improved: A duplicated LDAP search has been eliminated for GET, PATCH and DELETE operations on an object (Bug #55430).

  • The LDAP connections for read and write operations have been separated and are now individually configurable via the UCR variables directory/manager/rest/ldap-connection/.*/.* (Bug #54623).

  • The UDM REST API responses now respect the requested language so that e.g. error messages are correctly translated (Bug #55224).

  • For request tracing, a unique ID is now attached to each request via the HTTP header X-Request-Id: it is accepted as a request header (or created uniquely if not given) and returned in the response headers (Bug #55186).
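The behaviour described in the entry above (reuse a client-supplied X-Request-Id, otherwise mint one, and echo it in the response) as an added example. This is illustrative code written for this changelog, not the UDM REST API's own implementation; the header-shape restriction applied to client-supplied IDs and the `handle_request` helper are assumptions made for the example.

```python
"""Added example: X-Request-Id propagation for request tracing.

Not the UDM REST API's code. The accepted ID shape below is an assumption
made for this example; the changelog does not describe one.
"""
import re
import uuid

REQUEST_ID_HEADER = "X-Request-Id"

# Only let a client-supplied ID through when it is short and printable, so
# that it can be written into log lines as-is.
_ACCEPTABLE_ID = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def resolve_request_id(request_headers):
    """Return (request_id, was_supplied).

    Header names are matched case-insensitively. A malformed client value
    is replaced by a freshly generated one instead of being echoed back.
    """
    for key, value in request_headers.items():
        if key.lower() == REQUEST_ID_HEADER.lower():
            value = value.strip()
            if _ACCEPTABLE_ID.match(value):
                return value, True
            break
    return str(uuid.uuid4()), False


def handle_request(request_headers, handler):
    """Run handler(request_id) and return (status, response_headers, body).

    The resolved ID is copied into the response headers so a client (or a
    proxy in front of the server) can correlate its request with server logs.
    """
    request_id, _ = resolve_request_id(request_headers)
    status, body = handler(request_id)
    response_headers = {REQUEST_ID_HEADER: request_id}
    return status, response_headers, body


def example_handler(request_id):
    """Hypothetical handler: a real one would log request_id on every line."""
    return 200, {"result": "ok", "request_id": request_id}


if __name__ == "__main__":
    # Constructed sample requests: one with a client-supplied ID, one without.
    print(handle_request({"x-request-id": "trace-0001"}, example_handler))
    print(handle_request({"Accept": "application/json"}, example_handler))
```

Matching the header name case-insensitively matters because HTTP header names are case-insensitive and different clients and proxies capitalise them differently.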

  • The translation of error messages in the UDM REST API has been corrected (Bug #55446).

  • The error response format has been improved (while being backwards compatible). It is now described in the OpenAPI schema (Bug #50249).

  • A client can now request all CSS themes. This makes it possible to base themes on another theme. This is required for univention-app-appliance (Bug #55107).

  • The checkboxes in grids are now rendered in the correct state while scrolling (Bug #54451).

  • Cookie banners have been improved for mobile devices. The accept button is now permanently visible for easier use (Bug #55378).

  • The services univention-management-console-server and univention-management-console-web-server have been migrated to systemd (Bug #53885).

Univention Portal#

  • Some convenient code for Python 2 compatibility has been removed (Bug #55063).

  • Cookie banners have been improved for mobile devices. The accept button is now permanently visible for easier use (Bug #55378).

  • Tiles in the portal were not displayed correctly due to a bug while loading the user’s group memberships (Bug #54497).

  • The script portal-server-password-rotate has been updated to generate more useful debug information (Bug #54273).

  • The password hash comparison in UMCAndSecretAuthenticator has been fixed (Bug #55010).

Univention Management Console server#

  • SAML logouts using the SAML binding HTTP-POST are now supported. This is required for the use of UMC with e.g. Keycloak as identity provider (Bug #55229).

  • The SAML identity cache has been changed to an in-memory cache. This can be changed to the file system database by setting the UCR variable umc/saml/in-memory-identity-cache to false. This is done automatically for servers with enabled multiprocessing (Bug #55424).

  • The error handling of the pysaml2 usage has been improved (Bug #55248).

  • Exception stack traces are logged again when umc/http/show_tracebacks is set to False (Bug #55423).

  • A Keycloak SAML client for the local UMC is created during the join of a new server if the Keycloak App is installed in the domain (Bug #55395).

  • Calls to several OpenLDAP tools (slaptest etc.) fail when the cn=config LDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #55570).

  • The library functions for obtaining cached LDAP connections have been enhanced (Bug #54623).

Univention App Center#

  • Fixed an internal function for parsing the app argument in the CLI univention-app (Bug #55020).

  • Apps can now be pinned. A pinned app will no longer be upgraded or removed; it needs to be unpinned first. Usage: univention-app pin $appid [--revert] (Bug #55467).

  • The listener converter script is now a long running process, reducing the CPU load that was caused by its constant restart (Bug #52000).

  • In case of a signature verification error, the App Center now shows the GPG error message (Bug #54123).

  • The listener converter script is now by default writing the UDM REST API representation into the JSON files (Bug #54773).

  • Debian packages that contain non-UTF-8 byte sequences no longer crash the Provider Portal when creating new versions of apps (Bug #55634).

Univention Directory Manager and command line interface#

  • The syntax classes UDM_Objects, ldapDn, ldapDnOrNone now accept all valid LDAP DN characters as input (Bug #55563).

  • It is now possible to create extended attributes for LDAP operational attributes (Bug #20235).

  • The primaryGroup of users/user was unexpectedly reset to the default primary group when the primary group could not be read in LDAP. This was the case when the LDAP replication was not yet done or when the user had no permission to read it. The behavior is now postponed to actual modifications of the object (Bug #42080).

  • The Python backend code to evaluate and apply template defaults has been optimized (Bug #55279).

  • The OpenAPI schema of the UDM REST API has been improved (Bug #55096).

  • The error format of the UDM REST API now contains property information about email address validation failures (Bug #55394).

  • A missing call to the super method open() has been added in the nagios/service UDM module so that it is available in the UDM REST API again (Bug #54064).

  • The syntax emailAddress (and the syntaxes derived from it) is now checked against the external library python-email-validator by default. This can be disabled with the new UCRV directory/manager/mail-address/extra-validation (Bug #55413).

  • The policies/umc module is now also applied to computer objects, as the UMC server evaluates these policies for computer objects as well (Bug #54568).

  • The employeeNumber attribute has been removed from the default filter for user objects. As the attribute is not part of the equality and presence index it caused performance problems in larger environments when searching for users in the Univention Management Console (Bug #55412).

  • The Simple UDM API provides policy references as a mapping in version 3 to conform with the UDM REST API responses (Bug #50167).

  • The translation of error messages in the UDM REST API has been corrected (Bug #55446).

  • Changes for the UDM REST API required adjustments for the users/self UDM module (Bug #55430).

  • univention.admin.uldap.access() now supports LDAP URIs to connect to (Bug #54623).

  • The global uniqueness of mailAlternativeAddress with mailPrimaryAddress is now configurable via the UCR variable directory/manager/mail-address/uniqueness (Bug #54596).

  • The performance and ability to debug the UDM command line client has been improved (Bug #33224).

  • The UDM command line client now writes error messages and warnings to standard error (Bug #4498).

  • A regression in UCS 5.0 for LDAP presence filters (attribute=*) has been fixed. UDM modules which rewrite filters can now reliably test for LDAP presence filters (Bug #55037).

  • UDM now can store NT hashes in the attribute pwhistory. Until now it used the attribute sambaPasswordHistory, which only stores salted hashes of hashes, which doesn’t allow synchronization to Samba/AD. UDM now doesn’t care about the attribute sambaPasswordHistory any longer (Bug #52230).

  • The UDM modules users/user and groups/group now offer two additional UDM properties univentionObjectIdentifier and univentionSourceIAM. univentionObjectIdentifier will be used by some apps to track the object identity regardless of the source of the object (e.g. either entryUUID or objectGUID) and in a way that is independent of the implementation of the IAM backend (e.g. OpenLDAP or Active Directory) (Bug #55154).

  • A regression introduced by Bug #54883 has been fixed which prevented users/ldap objects from being fetched via the UDM REST API (Bug #55189).

  • The property pwdChangeNextLogin of objects users/user was not correctly unmapped in case it was not set. This caused the UDM REST API to wrongly represent it as None instead of False (Bug #55226).

  • The property groups of UDM objects users/user is now resolved via the memberOf attribute instead of a manual search for group memberships to increase performance. Resolving the group memberships via memberOf adds all groups to which the user is assigned, even if the reading user cannot read the specific groups or if the memberships are not groups/group objects. As there might be code which relies on the old behavior and does not do proper error handling when iterating over group memberships, the new UCR variable directory/manager/user/group-memberships-via-memberof can be used to restore the old behavior. The variable is going to be removed in UCS 5.1 (Bug #55269).

  • The UDM object users/ldap and various computer UDM object types have been extended to provide PKI user certificate properties (Bug #54987).

  • The UDM property country can now be mapped to the LDAP attribute c instead of st. This new behavior can be enabled using the diagnostic module or /usr/share/univention-directory-manager-tools/udm-remap-country-from-st-to-c (Bug #50073).

Modules for system settings / setup wizard#

  • The selection and search for countries and cities during the initial system setup has been repaired. It was broken since the Python 3 migration (Bug #55156).

  • Calls to several OpenLDAP tools (slaptest etc.) fail when the cn=config LDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).

  • Joining into the domain is now also possible for users containing a zero in their usernames (Bug #45058).

Domain join module#

  • Rebuilt for libldb2 version 2.5.2 (Bug #54994).

  • A server with multiple MAC addresses is now able to join correctly again (Bug #54967).

License module#

  • The front-end univention-system-activation is now compatible with the new Portal framework introduced with UCS 5.0 (Bug #55107).

System diagnostic module#

  • Calls to several OpenLDAP tools (slaptest etc.) fail when the cn=config LDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).

  • A new diagnostic routine was added to check and optionally reestablish the correctness of the repository configuration. The following checks are performed:

    1. It is checked if deprecated variables are still defined. In this case, pressing the ADJUST ALL COMPONENTS button makes the diagnostic routine execute the merge process which is also done in the repository settings module, including the deletion of the deprecated variables.

    2. It is checked if the UCR variables repository/online/server or repository/online/component/*/server have a scheme other than http or https. This can only be corrected manually using either the repository settings module or the UCR module to modify the variables directly. This second check can be disabled by setting the UCR variable diagnostic/check/65_check_repository_config/ignore to any non-empty value (Bug #55044).

  • It is now possible to disable any diagnostic check by setting the UCR variable diagnostic/check/disable/TEST_NAME to true (Bug #55468).

  • An error regarding compatibility with Python 3 has been repaired in the action migrate objects of 56_univention_types (Bug #55548).

  • A new UMC diagnostics module has been added to check UCR variable values for validity. As the type annotation of several UCR variables is currently wrong, types int and bool are ignored for now and will be fixed by future updates (Bug #54495).

  • The checks 40_samba_tool_dbcheck and 63_proof_uniqueMembers no longer crash due to duplicate decoding of strings during problem resolving (Bug #54988).

  • The diagnostic checks for SAML identity and service providers have been fixed to work again. They now provide more information in case of errors and offer automatic fixers to correct issues (Bug #49417).

  • The diagnostics check for the Univention Directory Notifier Protocol version has been extended to provide more information in case of errors and provides an automatic fixer to update the protocol version (Bug #49417).

Univention Configuration Registry module#

  • In the UCR module of the management console the following deprecated variables are hidden and therefore no longer displayed (Bug #55044):

    • repository/online/prefix

    • repository/online/port

    • repository/online/component/*/prefix

    • repository/online/component/*/port

    • repository/online/component/*/username

    • repository/online/component/*/password

    • repository/online/component/*/unmaintained

  • The UCR module now displays errors regarding the type constraints (Bug #55573).

Other modules#

  • The translation of error messages in the UDM REST API has been corrected (Bug #55446).

  • A typo in the name of the UMC Operation Set udm-policies has been adjusted (Bug #55460).

  • LDAP syntax classes with addEmptyValue or appendEmptyValue caused an error when opening e.g. the users/user module (Bug #54981).

Univention base libraries#

  • univention.lib.i18n now provides a method to set the language of all already instantiated Translation instances (Bug #55224).

  • Calls to several OpenLDAP tools (slaptest etc.) fail when the cn=config LDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).

  • LDAP search requests now evaluate the response of server controls (Bug #49666).

Software deployment#

  • Calls to several OpenLDAP tools (slaptest etc.) fail when the cn=config LDIF exists in the file-system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).

  • The description of the UCR variables repository/online/* which is displayed by using the command ucr info was updated to document which variables are defined as deprecated and should no longer be used (Bug #55044).

  • The types of the UCR variables repository/online/* and repository/online/component/* ending with server or port have been updated to the UCR types url_http and portnumber respectively in order to allow better type checking (Bug #55044).
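The two kinds of URL check this changelog describes, the strict proxy/http and proxy/https check (no path, query or fragment) and the repository/online/server scheme check (http or https only), together with the warn-versus-enforce behaviour of ucr/check/type, as an added example. This is illustrative code written for this changelog, not the univention-config-registry type checker; the list of variables treated as strict origins and the `check_ucr_setting` helper are assumptions made for the example.

```python
"""Added example: a validator modelled on the url_http UCR type.

Not UCS's own type-checking code. The variable classification below is an
assumption for this example, not the annotations shipped by UCS.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")

# Variables that must be a bare origin (scheme://host[:port]), because the
# consuming programs break on a path, query or fragment. Assumed list.
STRICT_ORIGIN_VARIABLES = ("proxy/http", "proxy/https", "clamav/proxy/http")


def validate_url_http(value, allow_path=False):
    """Return None if value is an acceptable http(s) URL, else a reason string."""
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:
        # Also catches "proxy.example.com:3128" (no scheme at all).
        return "scheme must be http or https, got %r" % parts.scheme
    if not parts.hostname:
        return "host name is missing"
    try:
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        return "port is not a valid number"
    if parts.query or parts.fragment:
        return "query string and fragment are not allowed"
    if not allow_path and parts.path not in ("", "/"):
        return "path component is not allowed"
    return None


def check_ucr_setting(name, value, enforce=False):
    """Mimic the two modes of ucr/check/type: warn (default) or reject.

    Returns (accepted, message). Repository variables may carry a path;
    proxy variables may not.
    """
    allow_path = name not in STRICT_ORIGIN_VARIABLES
    problem = validate_url_http(value, allow_path=allow_path)
    if problem is None:
        return True, ""
    message = "%s: invalid value %r: %s" % (name, value, problem)
    if enforce:
        return False, message
    return True, "Warning: " + message


if __name__ == "__main__":
    # Constructed sample settings; the host names are placeholders.
    samples = [
        ("proxy/http", "http://proxy.example.com:3128"),
        ("proxy/http", "http://proxy.example.com:3128/proxy.pac"),
        ("proxy/https", "proxy.example.com:3128"),
        ("repository/online/server", "https://updates.example.com/univention-repository/"),
        ("repository/online/server", "ftp://mirror.example.com/"),
    ]
    for enforce in (False, True):
        for name, value in samples:
            print(enforce, name, check_ucr_setting(name, value, enforce=enforce))
```

The same validator serves both variable families; only the `allow_path` decision differs, which keeps the proxy case strict without rejecting repository servers that legitimately live under a path.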

  • Updating a local repository server failed when additional components hosted on a separate server like service.software-univention.de were enabled: Calling univention-repository-update net failed with a ConfigurationError pointing to a wrong URL on updates.software-univention.de instead (Bug #55069).

PostgreSQL#

  • The script univention-postgresql-password has been updated to generate more useful debug information (Bug #54273).

Docker#

  • The docker daemon will now be restarted after changing proxy settings (Bug #51033).

SAML#

  • A certificate for the Keycloak app is now created on the UCS Primary Directory Node (Bug #55331).

  • The unmapping of the LDAP attribute simplesamlLDAPattributes in the UDM module saml/serviceprovider now always unmaps the value in the new mappable format to support a representation in the UDM REST API (Bug #55348).

  • A debug trace has been added to the join script 91univention-saml.inst to improve error reporting (Bug #44669).

Univention self service#

  • The subject of all self-service emails is now configurable via the UCR variables umc/self-service/account-deregistration/email/subject, umc/self-service/account-verification/email/subject, and umc/self-service/email-change-notification/email/subject (Bug #55028).

  • The email subject of the self-service password reset email is now configurable via the UCR variable umc/self-service/passwordreset/email/subject (Bug #53227).

  • It is no longer possible to enumerate usernames using the password reset response (Bug #55346).
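The property the entry above describes, a password reset endpoint whose reply is identical whether or not the requested account exists, as an added example. This is illustrative code written for this changelog, not the univention-self-service implementation; the sample user directory, the response wording and the `send` callback are constructed for the example.

```python
"""Added example: a reset response that carries no account-existence signal.

Not the self-service module's code. Users, wording and the send callback
are constructed for this example.
"""
import secrets

# Constructed sample directory: username -> contact address.
KNOWN_USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

# Exactly one status and one message for every outcome. Anything that varies
# with the lookup result (a different status, a "no such user" text, a
# validation error raised only for unknown names) would let a caller probe
# for valid usernames.
NEUTRAL_RESPONSE = {
    "status": 200,
    "message": "If the account exists, a reset token has been sent "
               "to the registered contact address.",
}


def request_password_reset(username, users=KNOWN_USERS, send=None):
    """Handle a reset request and return the response the client receives.

    The side effect (delivering a token) happens only for existing users,
    but the returned value is the same in both cases. The input is
    normalised identically for both paths so that malformed names do not
    produce a distinguishable error either.
    """
    normalised = (username or "").strip().lower()
    contact = users.get(normalised)
    if contact is not None:
        token = secrets.token_urlsafe(32)
        if send is not None:
            send(contact, token)
    # Return a copy so callers cannot mutate the shared template.
    return dict(NEUTRAL_RESPONSE)


def responses_are_indistinguishable(username_a, username_b, users=KNOWN_USERS):
    """Check that two requests yield byte-for-byte identical replies."""
    return request_password_reset(username_a, users) == request_password_reset(username_b, users)


if __name__ == "__main__":
    deliveries = []
    print(request_password_reset("alice", send=lambda to, tok: deliveries.append(to)))
    print(request_password_reset("nobody", send=lambda to, tok: deliveries.append(to)))
    print("deliveries:", deliveries)
```

The check function is the useful regression test: it asserts the invariant (identical replies for known and unknown names) rather than any particular wording, so it keeps holding if the message text changes.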

Mail services#

  • Several UCR variable type annotations have been fixed. Most importantly UCRV clamav/proxy/http is now checked for validity as specifying a URL with a path, query or fragment will break ClamAV (Bug #54495).

  • An unnecessary LDAP ACL for the LDAP root DN has been removed, which caused a warning by slapschema (Bug #55159).

Dovecot#

  • The template file /etc/pam.d/dovecot has been converted to multifile to support extending the configuration. For example, OX requires the PAM configuration to be extensible to add functional account support (Bug #55510).

Postfix#

  • The script server_password_change.d/50univention-mail-server has been updated to generate more useful debug information (Bug #54273).

  • The filter checking access to restricted mailing lists now accepts emails sent by users authenticating with their email address, when the system is configured to not use Dovecot SASL (Bug #55514).

Printing services#

  • After adding or removing printers UCS tells Samba to reload the configuration. In Samba 4.16 there is a new service samba-bgqd, which required adjusting the way that the listener cups-printers.py initiates the reload to make Samba recognize the changes immediately (Bug #55264).

  • When printer share definitions are removed from Samba, the corresponding entries are now also removed from the Samba registry and the TDB cache file (Bug #55492).

Nagios#

  • The arguments for calling nmblookup have been fixed. The flag -R has been changed to --recursion in prior Samba releases. This repairs the Nagios check UNIVENTION_NMBD (Bug #54919).

Proxy services#

  • The script squid-pw-rotate has been updated to generate more useful debug information (Bug #54273).

  • Joining UCS@School replica servers into environments with many objects could fail due to timeouts in the join scripts 97univention-s4-connector, 98univention-samba4-dn and 98univention-squid-samba4. The synchronization of existing objects delayed the synchronization of new objects which are created during the join and necessary for its completion. The S4-Connector and the join scripts have been modified to sync these vital objects first, which speeds up the join process considerably (Bug #54791, Bug #55218).

SSL#

  • Browsers check the certificate using the Subject Alternative Names (SAN). They are verified in order, stopping at the first match. The SANs are now ordered by length to prioritize the most specific values first (Bug #54697).

  • The execution of the daily cron task has been fixed by changing its shell from sh to bash (Bug #55030).

DHCP server#

  • The script server_password_change.d/univention-dhcp has been updated to generate more useful debug information (Bug #54273).

Other services#

  • A new script univention-report-support-info has been added which has the capability to download the latest USI script as well as uploading the collected archive to Univention and sending an email to the Univention support (Bug #26684).

Samba#

  • The script univention-samba4-site-tool.py attempted to parse the option -A (for providing an authentication file), which is now already handled by the samba package in UCS. This has been fixed (Bug #55082).

  • The script s4search-decode can now be used to decode the attribute ntPwdHistory (Bug #52230).

  • The permission SePrintOperatorPrivilege is now granted to the user Administrator and the group Printer-Admins by default (Bug #54156).

  • The additional log files log.dcerpcd and log.rpcd_* are now rotated (Bug #55435).

  • Added a dependency on a specific package samba-dsdb-modules version to prevent issues with new package installations (Bug #54994).

  • Joining UCS@School replica servers into environments with many objects could fail due to timeouts in the join scripts 97univention-s4-connector, 98univention-samba4-dn and 98univention-squid-samba4. The synchronization of existing objects delayed the synchronization of new objects which are created during the join and necessary for its completion. The S4-Connector and the join scripts have been modified to sync these vital objects first, which speeds up the join process considerably (Bug #54791, Bug #55218).

  • Renaming a share works again. This was broken in UCS 5.0-0 due to an error in the listener module writing the share configuration (Bug #55077).

  • The script server_password_change.d/univention-samba has been updated to generate more useful debug information (Bug #54273).

  • The UCR template for the Samba logrotate configuration has been fixed (Bug #55591).

  • A segmentation fault in rpcd_spoolss has been fixed. Adding printer drivers is possible again (Bug #55048).

Univention S4 Connector#

  • The password history synchronization now works when the policy pwdhistory_length is not defined (Bug #55232).

  • Joining UCS@School replica servers into environments with many objects could fail due to timeouts in the join scripts 97univention-s4-connector, 98univention-samba4-dn and 98univention-squid-samba4. The synchronization of existing objects delayed the synchronization of new objects which are created during the join and necessary for its completion. The S4-Connector and the join scripts have been modified to sync these vital objects first, which speeds up the join process considerably (Bug #54791).

  • The script server_password_change.d/univention-s4-connector has been updated to generate more useful debug information (Bug #54273).

  • The function group_members_sync_to_ucs() used a UCS DN to search in Samba, which usually doesn’t cause issues, as long as the group object is located in the same position (Bug #55131).

  • The connector now synchronizes the password history between Samba and UCS (Bug #52230).

Univention Active Directory Connection#

  • The password history synchronization now works when the policy pwdhistory_length is not defined (Bug #55232).

  • The mapping now evaluates UCR variables with respect to the configbasename. Therefore it is now possible again to create additional AD connector instances via prepare-new-instance, which was broken since UCS 5.0-0 (Bug #54780).

  • The function group_members_sync_to_ucs() used the UCS DN to search in AD. This regression, introduced in UCS 5.0-0, has been fixed (Bug #55087).

  • The connector now synchronizes the password history between AD and UCS (Bug #52230).

  • When the password in Microsoft AD was reset for a user account with the flag user must change password at next logon active, the AD-Connector did not synchronize the password hashes to UCS in case the UCR variable connector/ad/mapping/attributes/irrelevant was set to the default value. This UCR variable lists a number of attributes that should be ignored for performance reasons, like e.g. changes to the AD attribute lastLogon. The AD flag user must change password at next logon is mapped to the Univention Directory Manager property pwdChangeNextLogin. The behavior of the AD-Connector has been adjusted to always synchronize the post_attributes listed in mapping.py in this case. Please note that environments which run an AD-Connector and also Samba/AD should check that the UCR variable connector/ad/mapping/user/password/kerberos/enabled is activated. If it is not activated, only the NT hash is synchronized from AD to UDM and then the S4-Connector only synchronizes the NT hash, leaving the previous Kerberos hashes in supplementalCredentials untouched, thus not conforming to the desired password reset when Kerberos is used in the UCS Samba/AD domain: Non-Kerberos logons would use the new NT hashes, but Kerberos authentication would still use the previous password hashes (Bug #52192).

  • When objects were changed in Microsoft Active Directory, the AD-Connector checked if the object should be ignored. The decision is based on three criteria: match_filter, ignoresubtree and the ignorelist from which the ignore_filter is constructed. Since Bug #37351 was fixed in UCS 4.0 erratum 131 this check is not only applied to the new object, but also to the object existing in UDM, which represents the old state at the time of sync. In scenarios where an object is present in UDM and Microsoft Active Directory but matches the ignore_filter, this had the negative side effect that the AD object would still be ignored even if the administrator changed an attribute in a way that the new object no longer matched the ignore_filter. This affected user objects. The problem has been fixed by restricting the change for Bug #37351 to objects matching the criteria of a windowscomputer, as these don’t have an ignore_filter (Bug #55150).

  • univention-adsearch did not properly work in multi-connector setups (Bug #54781).

Other changes#

  • The login page and tab name of the Keycloak Single-Sign On page have been modified to match those of the simpleSAMLphp login page (Bug #55478).

  • Users can now login with their mailPrimaryAddress as well as their username at Keycloak (Bug #55458).

  • The script univention-keycloak didn’t evaluate the app setting keycloak/server/sso/fqdn. Due to this, the joinscript of the Keycloak app failed if this setting is set (Bug #55569).

  • Many options of the script univention-keycloak can now be passed on the command line. univention-config-registry is not required anymore, but only gives sane defaults (Bug #55513).

  • A traceback in univention-keycloak was thrown when trying to enable the two factor authentication. This has been fixed (Bug #55519).

  • A new flag --umc-uid-mapper has been added to the command line tool univention-keycloak. This makes it easier to create a SAML service provider for the UMC (Bug #55431).

  • The univention-keycloak package has been added. This package contains a CLI tool that is used by the Univention Keycloak app (Bug #55383).

  • StartTLS is now used as default for LDAP federation in Keycloak (Bug #55488).

  • The flag --metadata-file has been added to univention-keycloak. This is necessary to create a UMC SAML client during the join since the metadata information cannot be fetched via https during the join (Bug #55570).

  • The ownership, group and permissions of LDAP backups are now configurable via the UCR variables slapd/backup/owner, slapd/backup/group and slapd/backup/permissions (Bug #54782).

  • The UCR variable description for the variable ldap/database/type has been updated and now describes deprecated and recommended values (Bug #54821).

  • The initial fake schema is now also created on unjoined Backup/Replica Directory Nodes to avoid invalid slapd configurations that may break upgrades (Bug #54465).

  • Backup and Replica Directory Nodes are now allowed to perform an unlimited LDAP search, which is required for the join in large domains with more than 400k entries (Bug #34877).

  • The UCR variable ldap/translog-ignore-temporary is now only emitted when the LDAP overlay module translog is enabled (Bug #55558).

  • Calls to several OpenLDAP tools (slaptest etc.) failed when the cn=config LDIF existed in the file system. The package has been adjusted to explicitly use the configuration file instead to avoid this problem (Bug #54986).

  • The object class univentionObject now offers two additional optional attributes, univentionObjectIdentifier and univentionSourceIAM. univentionObjectIdentifier will be used by some apps to track the object identity regardless of the source of the object (e.g. either entryUUID or objectGUID) and in a way that is independent of the implementation of the IAM backend (e.g. OpenLDAP or Active Directory) (Bug #55154).

  • An additional ACL access directive for the machine account provides faster access to DNS zone objects (Bug #54140).

  • On UCS Replica Directory Nodes the OpenLDAP ppolicy overlay was not allowed to lock user accounts. The server ACLs have been adjusted to allow this (Bug #55501).

  • The Debian package python-email-validator has been backported and updated to be used in univention-directory-manager-modules (Bug #55413).

  • An open file descriptor leak has been fixed, which was triggered by gdbm_reorganize(). This affected univention-group-membership-cache taking up a huge amount of disk space until the Directory Listener was restarted (Bug #55286).

  • The script execution is now restricted to valid system roles. A missing metric has been added to the alert UNIVENTION_ADCONNECTOR_METRIC_MISSING. A leftover Nagios reference has been removed in check_univention_nfsstatus (Bug #54968).

  • Removing alerts from computer objects has been fixed (Bug #54985).

  • LDAP ACLs allowing DCs and member servers to change alerts have been added. The alert descriptions have been improved. The authentication when trying to reload Prometheus alerts has been fixed. Query expressions now use templates and restrict the metrics to the assigned hostnames (Bug #54947).

  • The alert expressions for checking the SSL validity and the swap usage have been repaired. The join status check has been split into two checks. An error in check_univention_samba_drs_failures has been fixed (Bug #54919).

  • When prometheus-node-exporter was not installed, cron sent error mails due to a missing directory (Bug #54927).

  • The check script check_univention_ntp now handles errors when the NTP service is not reachable. The translation of the UDM module has been fixed. The property templateValues is now exposed by the UDM module (Bug #55017).

  • It is now possible to disable the UDM UMC module monitoring/alert with specific UMC ACLs (Bug #55341).

  • The ldapsearch call in check_univention_joinstatus has been fixed; its wrong parameters periodically caused high load on slapd (Bug #55068).

  • The scripts univention-nscd and univention-libnss-ldap have been updated to generate more useful debug information (Bug #54273).

  • The error handling of the directory logger has been improved, especially with regard to corrupted files created by the overlay module dellog (Bug #51772).

  • The generated Listener module code has been updated to follow the API for Listener modules set with UCS 5.0-2, which deprecated the method ListenerModuleConfiguration.get_configuration() (Bug #54502).

  • Tiles in the portal were not displayed correctly due to a bug while loading the user's group memberships (Bug #54497).

  • The performance of the function users_groups(), which is used in univention-portal, has been improved (Bug #55120).

  • Python 3 compatibility for the SSS (Server Side Search control) has been added (Bug #49666).

  • Code to handle old package updates has been removed from many packages (Bug #42330).

  • Missing features from the OX Fetchmail implementation have been added to univention-fetchmail. Users can now have more than one Fetchmail configuration and use multi-drop configurations (Bug #55575).