Changelog for Univention Corporate Server (UCS) 5.0-9#

General#

  • UCS 5.0-9 includes the following updated packages from Debian ELTS:

    dns-root-data shim-signed atril composer dcmtk dlt-daemon dnsmasq edk2 freexian-archive-keyring frr gunicorn indent libmojolicious-perl libndp libtommath netty org-mode pdns-recursor plasma-workspace putty python-aiosmtpd python-django roundcube sendmail suricata thunderbird tryton-client tryton-server uw-imap

  • The following packages have been moved to the maintained repository of UCS:

    linux-5.10 linux-signed-5.10-amd64

Domain services#

  • The meta-package univention-role-server-common now installs linux-image-5.10-amd64 instead of linux-image-amd64. After the update a reboot is recommended to load the new kernel version (Bug #57427).

LDAP Directory Manager#

  • In case a UDM property syntax has been overridden through UCR, but the specified value doesn’t correspond to any defined syntax, UDM logged a traceback. This has now been replaced by a proper log message explaining the origin of the problem (Bug #57484).

  • A traceback that was thrown when running univention-sync-memberuid has been fixed. The script now also supports limiting operation to certain groups, or excluding certain groups (Bug #57439).

  • The LDAP attribute shadowExpire was calculated in a way which resulted in users expiring one day later than expected in certain timezones. This has been corrected (Bug #46349).

  • The UDM module settings/directory provides the default container setting for other UDM modules. It’s now possible to extend settings/directory with an extended attribute to define default containers for custom UDM modules. The name of the settings/directory property that defines the default container for your module can be set through the variable default_containers_attribute_name in the module (Bug #57526).

  • Since erratum 738, the DNS entries for a new computer object weren’t created correctly when an IP address was set while creating the object. The DNS entries are now created correctly again (Bug #56313).

  • When searching for objects through UDM, a faulty state could arise when an object included in the result was deleted before the operation had finished. Such deleted objects are now skipped (Bug #53333).

Univention Management Console#

Univention Portal#

  • All browser tabs where the user is logged into the Portal will now automatically refresh when a logout is detected. This feature is enabled by default and can be toggled with the Univention Configuration Registry Variable portal/reload-tabs-on-logout (Bug #57467).

  • The login button in the Portal’s sidebar can now be configured to perform OIDC authentication by setting the UCR variable portal/auth-mode to the value oidc (Bug #57534).

  • The default for portal/reload-tabs-on-logout has been changed to false (Bug #57562).

Univention Management Console server#

  • Ensure that /usr/share/univention-management-console/oidc/oidc.json has file permission 600 (Bug #57505).

  • A new endpoint has been added to the UMC, supporting the refresh of all browser tabs with the Portal open when a user logs out (Bug #57467).

  • Added oidc-id-token hint to UMC logout to disable Keycloak’s logout confirmation dialog (Bug #57475).

  • Add a configurable SQL storage for UMC sessions. This now makes OIDC back-channel logout possible if the UMC is run in multiprocessing mode (Bug #57482).

  • Fix a bug where it was impossible to change passwords through the UMC due to the UMC server not closing file descriptors properly (Bug #57194).

  • Don’t show the OpenID Connect permission consent screen when the UMC is the relying party (Bug #57506).

  • Better support for Portal/UMC OIDC setup with FQDN different from internal UCS name (Bug #57483).

Univention App Center#

  • univention-app configure can now be called with --set being specified multiple times (Bug #57546).

  • The App Center now executes the joinscript and the configure scripts during upgrade in the same order as during the initial installation (Bug #57544).

Domain join module#

  • A bug has been fixed that could cause the domain join to fail if the /etc/univention/ssl directory was too big (Bug #57421).

User management#

  • When a password policy was used together with the self-registration feature, it was possible that invitation emails weren’t sent when users were created. This was fixed by adjusting the self-service listener module filter (Bug #57226).

System diagnostic module#

  • The diagnostics module to check for local LDAP schema files and register them as an LDAP extension has been fixed and now actually passes the right argument to the internal function (Bug #57279).

  • A diagnostic module now checks for the correct file permissions of the SQLite database of both the S4 Connector and the AD-Connector (Bug #57453).

  • The package screen has been added to the recommendations, as it’s a vital part of Univention support. The package had been removed in 5.0-6 while optimizing the installation size, but is now re-added. It should be installed automatically with this update (Bug #57406).
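The diagnostic entries above (the 0600 check for oidc.json and the permission check for the connector SQLite databases) amount to one rule: a sensitive file must not carry more permission bits than expected. The following is an added example of such a check, not the UCS diagnostic module itself; the oidc.json path is taken from this changelog, while the SQLite database paths are placeholders because the changelog does not name them.

```python
"""Report sensitive files whose mode grants more than the allowed bits.

Added example, not UCS code. Paths marked PLACEHOLDER are assumed.
"""
import os
import stat
from typing import Dict, List, Optional

# Expected maximum modes. oidc.json comes from the changelog (0600);
# the SQLite database locations are placeholders, not real UCS paths.
SENSITIVE_FILES: Dict[str, int] = {
    "/usr/share/univention-management-console/oidc/oidc.json": 0o600,
    "/PLACEHOLDER/s4connector/internal.sqlite": 0o640,  # assumed
    "/PLACEHOLDER/adconnector/internal.sqlite": 0o640,  # assumed
}


def excess_bits(actual_mode: int, allowed_mode: int) -> int:
    """Permission bits set in actual_mode that allowed_mode does not grant."""
    return stat.S_IMODE(actual_mode) & ~allowed_mode & 0o777


def check_file(path: str, allowed_mode: int) -> Optional[str]:
    """Return a finding string, or None if the file is absent or compliant."""
    try:
        st = os.lstat(path)  # lstat: do not follow a planted symlink
    except FileNotFoundError:
        return None
    if stat.S_ISLNK(st.st_mode):
        return f"{path}: is a symlink, refusing to evaluate its target"
    extra = excess_bits(st.st_mode, allowed_mode)
    if not extra:
        return None
    world = "world readable, " if extra & stat.S_IROTH else ""
    return (f"{path}: {world}mode {stat.S_IMODE(st.st_mode):04o} "
            f"exceeds allowed {allowed_mode:04o}")


def run_check(files: Dict[str, int] = SENSITIVE_FILES) -> List[str]:
    """Collect findings for every configured file that exists."""
    findings = []
    for path, allowed in files.items():
        finding = check_file(path, allowed)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in run_check():
        print("WARNING:", finding)
```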

Univention base libraries#

  • An ACL has been added that restricts access to the new UMC settings object (Bug #57482).

  • A typo in the evaluation of the UCR variable backup/clean/min_backups caused the specified limit to be ignored and the default value of 10 to be applied instead. This has been fixed (Bug #56736).

Software deployment#

  • The script univention-prune-kernels has been adjusted to the new kernel version linux-5.10 (Bug #57427).

System services#

SAML#

  • Prevent the creation of two mappers in the default Univention Management Console Keycloak SAML client which caused SAML logins to fail (Bug #57420).

  • In univention-keycloak, the option --no-frontchannel-logout has been fixed for OIDC Relying Parties. It used to activate the front-channel logout instead of deactivating it, as it was supposed to do and now does (Bug #57518).

  • The univention-keycloak CLI was fixed, so that you can use --set multiple times in the domain-config sub command, as documented (Bug #57375).

  • When an XML file was provided during service provider creation, its contents overwrote the options passed on the CLI. This caused some of the example creations in the migration guide to stop working (Bug #57320).

  • univention-keycloak had to be adapted to Keycloak version 25 to correctly create the configuration for the legacy authorization (Bug #57452).

Printing services#

  • CUPS now uses the UCS TLS certificate instead of a self-signed certificate (Bug #52879).

Services for Windows#

Univention S4 Connector#

  • SQLite databases used by the S4 Connector were world readable. This has been changed (Bug #57453).

  • The S4 Connector used to skip synchronizing a move operation if the moved object was already present in its DN cache. This could result in the unwanted deletion of objects during a sub-tree rename (Bug #57510).

Univention Active Directory Connection#

  • The AD Connector used to skip synchronizing a move operation if the moved object was already present in its DN cache. This could result in the unwanted deletion of objects during a sub-tree rename (Bug #57510).

  • The connector can now be configured to only synchronize objects from specific sub-trees through the newly added UCR variables connector/ad/mapping/allowsubtree/.*/ucs and connector/ad/mapping/allowsubtree/.*/ad, where .* is an arbitrary string. The value of the ucs variable is a sub-tree LDAP DN in the UCS directory and the value of the ad variable is a sub-tree LDAP DN in the AD directory. Both must include the LDAP base of the respective directory. If configured, only objects from these sub-trees are synchronized; everything else is ignored (Bug #57394).

  • The connector can now be configured to only synchronize objects that match a specific LDAP filter. For each object type in user, group, container, ou and windowscomputer the UCR variable connector/ad/mapping/{type}/allowfilter can be used to configure this LDAP filter (Bug #57442).

  • The connector can now be configured to ignore certain objects that match a specific LDAP filter. For each object type in user, group, container, ou and windowscomputer the UCR variable connector/ad/mapping/{type}/ignorefilter can be used to configure this LDAP filter (Bug #57465).

  • SQLite databases used by the AD Connector were world readable in certain cases. This has been changed (Bug #57453).

  • The dn argument of resync_object_from_ad.py is no longer mandatory (Bug #57504).
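The allowsubtree pairs described above are worth validating before they take effect: a pair with a missing side, or a DN that does not end in the directory base, silently changes what gets synchronized. The following is an added example that evaluates such pairs the way the changelog describes them; it is not the AD Connector's own code, it assumes the UCR values are available as a plain dict, and it treats the sub-tree root itself as part of the sub-tree.

```python
"""Evaluate connector/ad/mapping/allowsubtree/<name>/{ucs,ad} pairs.

Added example, not Univention code. Assumes UCR values in a dict.
"""
import re
from typing import Dict

PAIR_RE = re.compile(
    r"^connector/ad/mapping/allowsubtree/(?P<name>.+)/(?P<side>ucs|ad)$")
# Split on commas that are not escaped as "\," inside an RDN value.
RDN_SEP = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, lowercase."""
    return ",".join(p.strip() for p in RDN_SEP.split(dn)).lower()


def dn_in_subtree(dn: str, subtree: str) -> bool:
    """True if dn is the sub-tree root (assumed included) or below it."""
    d, s = normalize_dn(dn), normalize_dn(subtree)
    return d == s or d.endswith("," + s)


def load_allowed_subtrees(ucr: Dict[str, str], ucs_base: str,
                          ad_base: str) -> Dict[str, Dict[str, str]]:
    """Collect pairs by name; reject incomplete pairs and DNs outside the base."""
    pairs: Dict[str, Dict[str, str]] = {}
    for key, value in ucr.items():
        m = PAIR_RE.match(key)
        if m:
            pairs.setdefault(m["name"], {})[m["side"]] = value
    for name, sides in pairs.items():
        for side, base in (("ucs", ucs_base), ("ad", ad_base)):
            if side not in sides:
                raise ValueError(f"allowsubtree/{name}: {side} DN missing")
            if not dn_in_subtree(sides[side], base):
                raise ValueError(
                    f"allowsubtree/{name}/{side}: {sides[side]!r} "
                    f"does not include base {base!r}")
    return pairs


def is_synced(dn: str, side: str, pairs: Dict[str, Dict[str, str]]) -> bool:
    """No pair configured: everything is synced. Otherwise only DNs
    inside one of the allowed sub-trees on the given side."""
    if not pairs:
        return True
    return any(dn_in_subtree(dn, p[side]) for p in pairs.values())
```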