Changelog for Univention Corporate Server (UCS) 5.2-4

Changelog for Univention Corporate Server (UCS) 5.2-4#

General#

  • Univention Corporate Server 5.2-4 includes the following updated packages from Debian 12:

    docker.io aom b43-fwcutter base-files bash busybox ca-certificates criu distro-info-data e2fsprogs galera-4 gnupg2 init-system-helpers kexec-tools libbpf libtheora libxslt lintian multipath-tools postgresql-common qemu tini tzdata usb.ids wireless-regdb ark balboa botan catatonit cdebootstrap chkrootkit chromium cjson commons-beanutils commons-vfs corosync dar debian-edu-config debian-installer debian-installer-netboot-images debian-security-support dpdk dropbear erlang evolution firebird3.0 fort-validator gegl gimp golang-github-gin-contrib-cors gst-plugins-base1.0 gst-plugins-good1.0 haproxy insighttoolkit4 insighttoolkit5 iperf3 jetty9 jq keystone kmail-account-wizard krita kubernetes libcgi-simple-perl libfile-tail-perl libphp-adodb libraw libreoffice libsoup3 libtpms llvm-toolchain-19 luajit lxc lxd mailgraph mkchromecast mlt mono mosquitto nextcloud-desktop nginx nncp node-addon-api node-csstype node-form-data node-minipass node-nodeunit node-sha.js node-tar-fs node-tmp nvda2speechd pdfminer prody python-flask-cors python-internetarchive python-mitogen raptor2 rar redis request-tracker4 request-tracker5 ruby-rack rust-cbindgen-web rustc-web sash shaarli shibboleth-sp simplesamlphp snapd strongswan supermin swift thunderbird tripwire tryton-sao tryton-server tsocks waitress webkit2gtk webpy wolfssl xfce4-weather-plugin xrdp ydotool zsh

  • The following packages have been moved to the maintained repository of UCS:

    python-logfmter (Bug #58647)

Basic system services#

Univention Configuration Registry#

  • The function univention_config_is_true has been added (Bug #58644).

Domain services#

  • Events for recycle bin restoration have been added to the Admin Diary (Bug #52202).

OpenLDAP#

Listener/Notifier domain replication#

  • Structured Logging is now enabled by default. The Univention Configuration Registry Variable notifier/debug/level now allows the value 5 for enabling logging of TRACE log messages (Bug #58644, Bug #58653).

LDAP Directory Manager#

  • A recycle bin for users and groups has been introduced (Bug #52202).

  • Added an endpoint where LDAP attributes can be unmapped to a full UDM object, if the module can be identified (Bug #58792).

  • The argument --bindpwd has been deprecated in UDM command line. Instead, use the argument --bindpwdfile (Bug #20610).

  • All log messages of UDM HTTP REST API are now in a structured logging format by default. The Univention Configuration Registry Variable directory/manager/rest/debug/level now allows the value 5 to enable logging of TRACE log messages. The log messages and severity has been revised. Additional information like IP address, hostname, LDAP distinguished name of the requester have been added to the log information (Bug #58627).

  • Debug messages from Tornado are now in structured log format, as well. The duplicated access log messages for the gateway process have been removed (Bug #57568).

  • Added internal cache to increase performance on searches (Bug #58697).

  • The duration of authorization operations is now logged at TRACE level (Bug #58756).

  • The performance of searches with delegative administration enabled has been improved (Bug #58789).

  • All logging messages of Univention Directory Manager are now in a structured format, if that is enabled in the services. The Univention Configuration Registry Variable directory/manager/cmd/debug/level now allows the value 5 for enabling logging of TRACE log messages. The log messages and severity has been revised. Additional information like UDM object type and LDAP distinguished name has been added to the log information (Bug #58627).

  • Minor updates to the UDM policy format for delegative administration (Bug #58649).

  • The argument --bindpwd has been deprecated in UDM command line. Instead, use the argument --bindpwdfile (Bug #20610).

  • Added UDM type users/federated_account for representation of federated accounts for sign-in through trusted upstream identity provider with UMC OpenID Connect (Bug #58652).

  • A recycle bin for user and group objects has been introduced (Bug #52202).

  • Fixed an issue where modifying the value of a unique LDAP attribute didn’t correctly release the lock associated with the previous value. This prevented the creation of objects using that former value for up to five minutes (Bug #58828).

Univention Management Console#

Univention Management Console web interface#

  • A recycle bin for users and groups has been introduced (Bug #52202).

  • Allow adding a notification directly into the notification bar, not showing it as a preview in UMC (Bug #58817).

Univention Management Console server#

  • A short notification is shown for the Univention Summit 2026 when you open the UMC for the first time. After that, it’s discreetly sitting behind the bell icon (Bug #58817).

  • Fix an issue where the UMC server doesn’t respect the configured timeouts for HTTP requests, which can lead to delays in operations that involve communication with external services. It led particularly to failures on concurrent OpenID Connect (OIDC) authentication (Bug #58269).

  • The log messages of Univention Management Console have been adapted to be compatible with structured logging. Structured logging is now enabled by default. The Univention Configuration Registry Variables umc/server/debug/level and umc/module/debug/level now allow the value 5 for enabling logging of TRACE log messages. The log messages and severity has been revised. Additional information like request ID, IP address or LDAP DN of requester have been added to the log information (Bug #58627).

  • The session-info endpoint for the UMC now also returns the DN of the authenticated user (Bug #58743).

  • UMC OIDC now supports the sign-in with an account from an external identity provider in Keycloak. These “federated accounts” must provide additional information, like a UUID and guardian role strings, to be accepted and used in UMC. As UDM authorization for these accounts is based on the roles, this feature requires the UDM delegative administration (Bug #58652).

Univention App Center#

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

  • The Univention App Center update process can now be configured for restrictive HTTP proxy environments. The Univention Configuration Registry Variable appcenter/update/skip-zsync allows skipping zsync and downloading metadata directly through HTTPS. The Univention Configuration Registry Variable appcenter/update/zsync-timeout defines a timeout for zsync operations before falling back to direct download (Bug #52308).

  • Apps can now set ListenerUDMVersion=3. This changes the way the App Center creates JSON files for their listener integration. It no longer uses the object’s entryUUID, but the UniventionObjectIdentifier (Bug #58648).

Modules for system settings / setup wizard#

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

  • The argument --bindpwd has been deprecated in UDM command line. Instead, use the argument --bindpwdfile. The internals of this package have been adapted accordingly (Bug #20610).

Domain join module#

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

User management#

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

System diagnostic module#

  • Fix the UMC module’s CSS to be specific and to not affect the appearance of the whole of UMC (Bug #58553).

  • The diagnostic modules 20_check_share_references and 20_check_srv_records, as well as, 24_portal_entries have been added. The Univention Configuration Registry Variable diagnostic/check/24_portal_entries/ignore can be used to specify entry names that don’t conform to the check criteria. The module 20_check_nameservers now contains improved warning messages and a fix for a traceback (Bug #58634).

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

LDAP directory browser#

  • A recycle bin for users and groups has been introduced (Bug #52202).

  • Logging has been adapted to be compatible with structured logging (Bug #58627).

  • Performance improvements during user searches (Bug #58697).

  • Use session roles for UDM delegative administration for UMC OIDC login with federated account (Bug #58652).

Univention base libraries#

  • Adjustments for python-logfmter v0.0.11 have been done (Bug #58754).

  • A method to log the duration of certain operations has been added (Bug #58756).

  • The logging format of univention.debug has been made configurable to allow a structured format with ISO 8601 dates. The German date format is going to be removed in a future releases. A new logging level TRACE, equal to the logging value 5, has been added to univention.debug. The library univention.logging now allows setting up structured logging using the logfmt format by configuring a univention.debug logging handler for the Python standard library logging system (Bug #58627).

  • Added LDAP schema, ACLs for federated account object type, the Univention Configuration Registry Variables ldap/authz-regexp/users with the default value true, and ldap/authz-regexp/federated-accounts with the default false for the configuration of the LDAP servers DN mapping for federated accounts (Bug #58652).

  • A recycle bin for users and groups has been introduced (Bug #52202).

  • univention-backup2master now provides two hook points that allow running custom scripts before and after the conversion from a UCS Backup Directory Node to a UCS Primary Directory Node (Bug #58778).

  • The duration of LDAP operations is now logged at TRACE level (Bug #58756).

  • Logging has been adapted to be compatible with structured logging (Bug #58627).

Software deployment#

  • Logging has been adapted to be compatible with structured logging. The Univention Configuration Registry Variable update/debug/level allows the value 5 for enabling logging of TRACE log messages (Bug #58644).

System services#

SAML#

  • Add --import-users parameter to univention-keycloak init (Bug #58698).

  • The scope operation has been added to univention-keycloak script. The operation allows the creation of client scopes, and assign mappers to the scope (Bug #58422).

  • Added support for enabling standard token exchange on OIDC clients (Bug #58586).

  • Fixed a regression that breaks the univention-keycloak script in Kubernetes deployments (Bug #58588).

Mail services#

IMAP services#

  • During sign-in, it could happen that additional email directories in Dovecot containing only the username were created. This made it appear to the user as though their email folders were emptied. The PAM login configuration for Dovecot has been adjusted to circumvent this behavior (Bug #57976).

Postfix#

  • During sign-in, it could happen that additional email directories in Dovecot containing only the username were created. This made it appear to the user as though their mail folders were emptied. The PAM login configuration for Dovecot has been adjusted to circumvent this behavior (Bug #57976).

Nagios#

  • This update enhances the alert check_univention_mdb_maxsize by ignoring the possibly fragmented freelist pages in the calculation of available pages (Bug #58668).

  • This update enhances the check check_univention_slapd_mdb_maxsize by ignoring the possibly fragmented freelist pages in the calculation of available pages (Bug #58668).

RADIUS#

  • The EAP module configuration setting tls_min_version can now be adjusted using the added Univention Configuration Registry Variable freeradius/conf/tls-min-version (Bug #58373).

  • The EAP module configuration setting cipher_list can now be adjusted using the added Univention Configuration Registry Variable freeradius/conf/cipher-list. The format is documented in openssl-ciphers(1ssl) (Bug #58374).

PAM / Local group cache#

  • The SSSD service has been configured to allow logins using the mailPrimaryAddress of a user during PAM login (Bug #57976).

Networking services#

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

Services for Windows#

Univention AD Takeover#

  • Logging has been adapted to be compatible with structured logging (Bug #58644).

Univention S4 Connector#

  • Structured Logging is enabled by default. The Univention Configuration Registry Variables connector/debug/level and connector/debug/udm/level now allow the value 5 for enabling logging of TRACE log messages (Bug #58644, Bug #58653).

  • The behavior of account locked status synchronization has been unified between S4-Connector and AD Connector (Bug #58680).

Univention Active Directory Connection#

  • Changing the sAMAccountName of a user in AD led to a Python traceback in the AD Connector because the post modify functions would still use the re- rename DN. This could also cause additional issues when later changing the CN of the object. This update fixes these issues (Bug #58738).

  • The AD Connector now synchronizes the account lockout state from AD to UCS. Account unlocking is also synchronized from UCS to AD (Bug #58680).

  • An error where the LDAP distinguished name (DN) of a synced object multiple times leading to a DN with mixed base was created leading to rejects was fixed (Bug #58556).

  • Logging in the UMC module has been adapted to be compatible with structured logging. The Univention Configuration Registry Variables connector.*/debug/level now allows the value 5 for enabling logging of TRACE log messages (Bug #58644).

Univention PXE installation#

  • The UCS PXE Installation services provided by the package univention-net-installer were deprecated and need to be removed before upgrading to UCS 5.2-4.

Other changes#

  • Minor updates to the UDM policy format for delegative administration (Bug #58649).

  • Update python-logfmter to v0.0.11 (Bug #58754).

On this page