Changelog for Univention Corporate Server (UCS) 5.2-6

General

  • Univention Corporate Server 5.2-6 includes the following updated packages from Debian 12.14:

    • 7zip

    • arduino-core-avr

    • augeas

    • awstats

    • bash

    • base-files

    • c3p0

    • calibre

    • cdebootstrap

    • chkrootkit

    • chromium

    • chrony

    • composer

    • corosync

    • dar

    • debian-installer-netboot-images

    • debsig-verify

    • deets

    • distro-info-data

    • dnsmasq

    • docker.io

    • erlang

    • evince

    • exim4

    • ffmpeg

    • flatpak

    • fonttools

    • gimp

    • glance

    • gnuais

    • golang-github-containerd-stargz-snapshotter

    • golang-github-containers-buildah

    • golang-github-openshift-imagebuilder

    • gpsd

    • gsasl

    • gst-plugins-bad1.0

    • gst-plugins-base1.0

    • gst-plugins-ugly1.0

    • gvfs

    • jtreg7

    • kdenlive

    • kissfft

    • kpackage

    • lemonldap-ng

    • libpod

    • libreoffice

    • libreoffice-texmaths

    • libuev

    • libvncserver

    • libxml-security-java

    • libxslt

    • libyaml-syck-perl

    • lxc

    • lxd

    • mapserver

    • mediawiki

    • modsecurity-crs

    • mongo-c-driver

    • mupdf

    • nagios4

    • netty

    • nginx

    • ngtcp2

    • node-shell-quote

    • nodejs

    • opam

    • openvpn

    • p7zip

    • p7zip-rar

    • packagekit

    • php-dompdf

    • php-league-commonmark

    • php-phpseclib

    • php-phpseclib3

    • php-symfony-contracts

    • php-twig

    • php8.2

    • phpseclib

    • plastimatch

    • postorius

    • proftpd-dfsg

    • prosody

    • pymupdf

    • python-authlib

    • qemu

    • redis

    • request-tracker5

    • roundcube

    • ruby-rack

    • sash

    • simpleeval

    • sioyek

    • skeema

    • snapd

    • starlette

    • strongswan

    • supermin

    • swupdate

    • symfony

    • taglib

    • thunderbird

    • tor

    • tpm2-pkcs11

    • trafficserver

    • tripwire

    • tzdata

    • user-mode-linux

    • vips

    • webkit2gtk

    • wireless-regdb

    • wireshark

    • xdg-dbus-proxy

    • yelp

    • zsh

Basic system services

Other system services

  • The univentionObjectIdentifier is now set for all DNS, DHCP and license objects (Bug #58384).

  • The counts of licensed users, servers, and managed clients are now cached on the license object through a cron job. The cached numbers improve the performance during UMC startup (Bug #59060).

  • License initialization no longer resets the log level to ERROR. As a result, the UMC UDM modules keep their log messages (Bug #38735).

  • The GPG signing key for UCS 5.3 has been added to the univention-archive-key package (Bug #59471).

Domain services

  • The univention-telemetry package has been added as a recommended dependency for univention-server (Bug #59235).

OpenLDAP

Listener/Notifier domain replication

  • The syntax of DNs is now validated in univention-replicate-one (Bug #33898).

LDAP Directory Manager

  • The univentionObjectIdentifier is now set for all DNS, DHCP and license objects (Bug #58384).

  • A new extended attribute hook mechanism has been added, which runs before and after moving an object (Bug #59111).

  • The counts of licensed users, servers, and managed clients are now cached on the license object through a cron job. The cached numbers improve the performance during UMC startup. Additionally, the obsolete license types License Version 1, Free For Personal Use Edition, Univention Corporate Clients, GPL License and Desktop Virtualization Services have been removed from the license evaluation (Bug #59060).

  • Searching in UMC modules now returns correct results regardless of whether automatic substring search is turned on or off. Previously, when substring search was deactivated, the global search and the standard properties filter didn’t return results, due to a broken LDAP filter (Bug #59104).

  • The license interface has been extended to use the entryUUID of the license as fallback key ID (Bug #59176).

  • The hooks API has been extended to support map() and unmap() methods for extended attributes (Bug #59150).

  • The license cache is now also evaluated for unlimited licenses (Bug #59215).

  • The univentionObjectIdentifier and other technical information about LDAP operational attributes have been added to the advanced settings tab of all UDM modules (Bug #59217).

  • The unixTime UDM syntax is now compatible with UDM HTTP REST API (Bug #58211).

  • The users/contact UDM module now lets you set the cn property explicitly, so you can create objects deterministically. The UDM CLI now also displays the correct new DN after moving an object (Bug #59281).

  • The UDM HTTP REST API now returns HTTP 500 (Internal Server Error) instead of HTTP 400 (Bad Request) when concurrent modifications to the same LDAP object cause “Type or value exists” or “No such attribute” errors. This makes the error transparent to clients and allows them to retry the request (Bug #58804).

  • The UDM HTTP REST API now exposes a Prometheus-compatible metrics endpoint at /univention/udm/-/metrics. It provides the total number of active users, the licensed user limit, and platform/version information for UCS and Nubus for Kubernetes. All metrics include a domain label and a stable domain identifier derived from the license key. The endpoint is restricted to authorized users (Bug #59176).

  • The Nubus Prometheus metrics are now consistently prefixed with nubus_, ensuring clearer namespace separation and easier identification in monitoring and alerting configurations. The Nubus Prometheus metrics nubus_users_user_total and nubus_settings_license_users_limit_total now include the license key as a label, enabling per-license observability (Bug #59231).

  • A pre-calculated value for univentionObjectIdentifier is now hidden in the object template, as this might be used to create multiple objects (Bug #59217).

Univention Management Console

Univention Management Console web interface

  • A regression has been fixed, which was introduced by updating Dojo dgrid to version 1.3.3 in UCS 5.2 Erratum 304 and caused the “Select All” checkbox in list views and the tree view in the LDAP directory to malfunction (Bug #59095).

  • The DateTime widget has been fixed to support all and empty date formats and respect the configured size (Bug #59217).

Univention Management Console server

  • A file descriptor leak caused during PAM authentication through SSS has been fixed (Bug #59220).

  • The UMC server no longer accepts smuggled HTTP request headers in X-UMC-Federated-Account and X-UMC-Roles. These headers handle interprocess communication between the UMC server and UMC module processes when delegative administration is enabled (Bug #59280).
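One way to enforce the boundary described in the header item above, as an added example that is not the UMC server's code: every client-supplied header whose name normalises to one of the two internal names is dropped at the external entry point, in any spelling a front end might fold together (hyphen/underscore, case, CGI-style HTTP_ prefix), and only the trusted hop sets those headers from the authenticated session. The two header names come from the changelog; the request representation, the session values and all function names are assumptions made for this example.

```python
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# Header names the changelog identifies as internal to the UMC server <-> module hop.
INTERNAL_HEADERS = frozenset({"x-umc-federated-account", "x-umc-roles"})


def canonical(name: str) -> str:
    """Normalise a header name so that 'X-UMC-Roles', 'x_umc_roles' and the
    CGI/WSGI spelling 'HTTP_X_UMC_ROLES' all map to 'x-umc-roles'.
    Comparing canonical names closes the gap where one spelling passes a
    denylist and a later component folds it into the protected name."""
    n = name.strip().lower()
    if n.startswith("http_"):
        n = n[len("http_"):]
    return n.replace("_", "-")


def strip_internal(headers: Iterable[Header]) -> List[Header]:
    """Drop every client-supplied header whose canonical name is internal."""
    return [(k, v) for k, v in headers if canonical(k) not in INTERNAL_HEADERS]


def forward_to_module(headers: Iterable[Header], account: str, roles: List[str]) -> List[Header]:
    """Model of the trusted hop (an assumption, not UMC's real code path):
    sanitise first, then append the internal headers from the session that
    the server itself authenticated, so exactly one trusted value exists."""
    cleaned = strip_internal(headers)
    cleaned.append(("X-UMC-Federated-Account", account))
    cleaned.append(("X-UMC-Roles", ",".join(roles)))
    return cleaned


def lookup(headers: Iterable[Header], name: str) -> List[str]:
    """Values of `name` in any spelling, in order of appearance."""
    want = canonical(name)
    return [v for k, v in headers if canonical(k) == want]


# Constructed request: ordinary headers plus two differently spelled
# attempts to pre-set the internal headers from outside.
SAMPLE_REQUEST: List[Header] = [
    ("Host", "ucs.example.test"),
    ("X-UMC-Roles", "domain-admin"),
    ("x_umc_federated_account", "someone-else"),
    ("Cookie", "UMCSessionId=constructed"),
]

if __name__ == "__main__":
    print(forward_to_module(SAMPLE_REQUEST, "alice", ["reader"]))
```

The design point is that the filter is applied on the normalised name rather than on the literal string, and that the trusted values are written after the filter runs, so the order of operations cannot be inverted by a header that merely looks different on the wire.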

Univention App Center

  • The App Center now avoids allocating Docker Compose network subnets that overlap with host network interfaces, preventing potential routing conflicts (Bug #55073).

  • Links in app descriptions and license agreements now open in a new browser tab instead of loading inside the App Center iframe (Bug #57501).

Domain join module

  • The version check in univention-join used string concatenation with awk numeric comparison, causing incorrect results for version numbers like 5.0-10 vs 5.0-9. The fix uses dpkg --compare-versions for correct Debian version ordering (Bug #58212).
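The version ordering behind this fix, as an added example that is not univention-join's own code: a Python reimplementation of the comparison rules that dpkg --compare-versions applies (epoch, then upstream version, then Debian revision, each compared as alternating non-digit and digit runs with "~" sorting before everything), placed next to a model of the numeric comparison the old check relied on. The version strings are constructed, and the naive comparator is a plausible model of the defect the changelog describes, not the original awk code.

```python
import re
from itertools import zip_longest

_DIGITS = re.compile(r"\d+")
_NONDIGITS = re.compile(r"\D*")


def naive_awk_style(a: str, b: str) -> int:
    """Model of the broken check (assumption): join the parts into one number.
    '5.0-10' becomes 5.010 and '5.0-9' becomes 5.09, so 5.0-10 sorts lower.
    Returns -1, 0 or 1 like a comparator."""
    fa, fb = float(a.replace("-", "")), float(b.replace("-", ""))
    return (fa > fb) - (fa < fb)


def _weight(c: str) -> int:
    """Character weight used by dpkg: '~' < end of string < letters < others."""
    if c == "":
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for ca, cb in zip_longest(a, b, fillvalue=""):
        wa, wb = _weight(ca), _weight(cb)
        if wa != wb:
            return (wa > wb) - (wa < wb)
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or a Debian revision by alternating
    non-digit runs (lexically, with dpkg's weights) and digit runs (numerically)."""
    while a or b:
        ma, mb = _NONDIGITS.match(a), _NONDIGITS.match(b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = _DIGITS.match(a), _DIGITS.match(b)
        na = int(ma.group()) if ma else 0
        nb = int(mb.group()) if mb else 0
        if na != nb:
            return (na > nb) - (na < nb)
        a = a[ma.end():] if ma else a
        b = b[mb.end():] if mb else b
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Debian ordering: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


_OPS = {"lt": (-1,), "le": (-1, 0), "eq": (0,), "ne": (-1, 1), "ge": (0, 1), "gt": (1,)}


def satisfies(a: str, op: str, b: str) -> bool:
    """Mirror `dpkg --compare-versions A OP B` (True where dpkg would exit 0)."""
    return compare_versions(a, b) in _OPS[op]


if __name__ == "__main__":
    for x, y in [("5.0-10", "5.0-9"), ("5.2-6", "5.2-10")]:
        print(x, y, "naive:", naive_awk_style(x, y), "dpkg-style:", compare_versions(x, y))
```

On a UCS host the real check is simply `dpkg --compare-versions "$current" ge "$required"`; the reimplementation exists only to make the difference between the two orderings visible where dpkg is not available.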

System diagnostic module

  • A new diagnostic check warns when the Docker bridge network overlaps with a host network interface, which can cause routing issues (Bug #55073).
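The overlap check described here and in the App Center item above, as an added example that is neither the App Center's nor the diagnostic module's code: Python's ipaddress module is used first to report which other host interfaces collide with the Docker bridge network (the diagnostic), and then to pick the first subnet from a pool that collides with neither a host interface nor an already allocated network (the allocation). The interface table, the pool, the interface names and the function names are constructed for the demonstration; on a real host the interface list would come from the system's address configuration.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample, in the form a host might report its addresses:
# the corporate LAN on eth0 happens to share 172.17.0.0/16 with docker0.
HOST_INTERFACES: Dict[str, str] = {
    "lo": "127.0.0.1/8",
    "eth0": "172.17.5.20/16",
    "docker0": "172.17.0.1/16",
}

# Candidate pool the allocator draws from (an assumption for the example).
DEFAULT_POOL = "172.16.0.0/12"


def interface_networks(interfaces: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Map each interface name to the network its address belongs to."""
    return {name: ipaddress.ip_interface(addr).network for name, addr in interfaces.items()}


def bridge_conflicts(bridge: str, interfaces: Dict[str, str]) -> List[str]:
    """Diagnostic: names of the *other* interfaces whose network overlaps the
    bridge's network. A non-empty result means traffic for those hosts can be
    routed into the bridge instead of out of the LAN interface."""
    nets = interface_networks(interfaces)
    target = nets[bridge]
    return sorted(name for name, net in nets.items() if name != bridge and net.overlaps(target))


def pick_free_subnet(pool: str, prefixlen: int, interfaces: Dict[str, str],
                     reserved: Iterable[str] = ()) -> ipaddress.IPv4Network:
    """Allocation: the first /prefixlen subnet of `pool` that overlaps no host
    interface network and none of the `reserved` networks already handed out."""
    taken = list(interface_networks(interfaces).values())
    taken += [ipaddress.ip_network(r) for r in reserved]
    for subnet in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(subnet.overlaps(t) for t in taken):
            return subnet
    raise RuntimeError("no free subnet left in %s" % pool)


if __name__ == "__main__":
    print("docker0 overlaps:", bridge_conflicts("docker0", HOST_INTERFACES))
    # 172.16.0.0/16 is treated as already used by another Compose project.
    print("next free /24:", pick_free_subnet(DEFAULT_POOL, 24, HOST_INTERFACES, reserved=["172.16.0.0/16"]))
```

With the constructed table the allocator skips all of 172.16.0.0/16 (reserved) and all of 172.17.0.0/16 (eth0 and docker0) and settles on 172.18.0.0/24, which is exactly the kind of choice the App Center change makes automatically and the diagnostic check would otherwise have to flag afterwards.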

LDAP directory browser

  • The underlying library dependencies to handle certificates have been updated from M2Crypto and PyOpenSSL to python3-cryptography to ensure future compatibility and to fix a problem for certificate validity dates after 2050 (Bug #55411).

  • The univentionObjectIdentifier is now set for all DNS, DHCP and license objects (Bug #58384).

  • The counts of licensed users, servers, and managed clients are now cached on the license object through a cron job. The cached numbers improve the performance during UMC startup (Bug #59060).

  • UDM now lets you add a property to the layout even when its default value is a function call. All UDM modules now show univentionObjectIdentifier and other technical information about LDAP operational attributes on the Advanced settings tab (Bug #59217).

Univention base libraries

  • The univentionObjectIdentifier is now set for all DNS, DHCP and license objects (Bug #58384).

  • The counts of licensed users, servers, and managed clients are now cached on the license object through a cron job. The cached numbers improve the performance during UMC startup (Bug #59060).

  • The crudeoauth library has been made compatible with modern compilers (Bug #59470).

  • The Nagios suidwrapper has been modernized to be compatible with modern compilers (Bug #59469).

Software deployment

  • After a patchlevel update, UDM extensions are now automatically synchronized again to ensure that extensions with version constraints are correctly activated or deactivated for the new UCS version (Bug #59229).

System services

SAML

  • Fixed a regression introduced in Keycloak 26.6.0 where a change in the component lookup API broke the Kerberos configuration update in the univention-keycloak script (Bug #59212).

  • The package was rebuilt as part of an internal repository migration. This update contains no functional changes (Bug #59234).

Mail services

  • The UDM hooks have been adjusted to be compatible with delegative administration (Bug #59150).

Postfix

  • Postfix LDAP group lookups now support the mailAlternativeAddress attribute in addition to mailPrimaryAddress. This allows UDM groups to receive emails via alternative (alias) addresses (Bug #28692).

Services for Windows

Samba

  • Samba has been updated to version 4.24.2, including the latest security patches, so it’s equivalent to 4.24.3 (Bug #59336). For a full list of changes, see the upstream changelogs.

  • The Group Policy Management Console sometimes crashed when modifying the user permissions in the Security tab. Afterwards, the newly created ACLs were malformed, which made the policy inaccessible. The code that parses the binary structures sent by the Windows client has been corrected (Bug #59142).

  • An uninitialized file descriptor associated with hanging rpcd spoolss processes is now initialized (Bug #59160).

Univention AD Takeover

  • The counts of licensed users, servers, and managed clients are now cached on the license object through a cron job. The cached numbers improve the performance during UMC startup (Bug #59060).

Univention S4 Connector

  • The S4 Connector no longer treats stale entries in the connector database as deleted objects in Active Directory. It now verifies that the AD object has isDeleted=TRUE before attempting a restore. This change prevents unnecessary restore attempts and synchronization rejects (Bug #59113).

  • The S4-Connector now removes the attribute dNSTombstoned in Samba/AD if a change for the corresponding DNS object is synchronized from OpenLDAP/UDM (Bug #57174).

Univention Active Directory Connection

  • The Active Directory Connection no longer treats stale entries in the connector database as deleted objects in Active Directory. It now verifies that the AD object has isDeleted=TRUE before attempting a restore. This change prevents unnecessary restore attempts and synchronization rejects (Bug #59113).

  • Documentation for the obsolete UCR variable connector/password/service/encoding has been removed (Bug #59128).

  • The custom position mapping function of Active Directory Connection now applies to the object mentioned in the mapping as well (Bug #59200).

  • As part of Microsoft's ongoing deprecation of NT hashes (see https://go.microsoft.com/fwlink/?linkid=2344614), the Microsoft update KB5082063 changed the default value of DefaultDomainSupportedEncTypes to allow AES-SHA1 only, which blocks issuing Kerberos tickets with RC4 hashes. The AD Connector now implements Microsoft's advice to set msDS-SupportedEncryptionTypes on a per-account basis during the sync from UCS to Microsoft Active Directory, so that the Microsoft KDC can make use of the synced NT hash. Because Microsoft offers no RPC call to pass stronger Kerberos hashes, this workaround is currently necessary. When a password is changed on the Microsoft Active Directory side, Active Directory Connection removes this setting again to keep security as high as possible (Bug #58876).

Other changes

  • Password changes through PAM could fail in long-running processes, for example in UMC, with high file descriptor usage. Heimdal Kerberos previously relied on the select() API, which can’t handle file descriptor values ≥ FD_SETSIZE (1024). In such situations, Kerberos communication with the KDC could fail, leading to misleading errors such as “Authentication token manipulation error”. The implementation now uses poll(), eliminating this limitation and improving robustness in long-running services (Bug #59145).

  • The univention-telemetry package has been added. It collects telemetry metrics from the UDM HTTP REST API, anonymizes them, transforms them to OTLP/JSON format and forwards them to Univention’s telemetry receiver. The feature is turned off by default (Bug #59235).
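The select()/poll() limitation described in the PAM item above, as an added example in Python rather than Heimdal's C: a readable pipe end is duplicated onto a descriptor above FD_SETSIZE, and the same readiness check is attempted with both APIs. select() refuses the descriptor (CPython raises ValueError instead of letting FD_SET() write past the bitmap, which is what a C caller would silently do), while poll() handles it. The descriptor number, the pipe and the function names are constructed for the demonstration; nothing here is Heimdal or UMC code.

```python
import os
import resource
import select

FD_SETSIZE = 1024  # glibc default; the value quoted in the changelog


def _probe(fd: int) -> dict:
    """Wait (with a zero timeout) for readability on `fd` with both APIs.
    The pipe behind `fd` already holds a byte, so a working call reports it."""
    result = {}
    try:
        readable, _, _ = select.select([fd], [], [], 0)
        result["select_ok"] = fd in readable
    except (ValueError, OSError):
        # fd >= FD_SETSIZE: "filedescriptor out of range in select()"
        result["select_ok"] = False
    poller = select.poll()  # poll() takes an array of pollfd, no size limit
    poller.register(fd, select.POLLIN)
    events = poller.poll(0)
    result["poll_ok"] = any(f == fd and ev & select.POLLIN for f, ev in events)
    return result


def probe_with_low_fd() -> dict:
    """Baseline: an ordinary low-numbered descriptor works with both APIs."""
    r, w = os.pipe()
    os.write(w, b"x")
    try:
        return _probe(r)
    finally:
        os.close(r)
        os.close(w)


def probe_with_high_fd(target_fd: int = FD_SETSIZE + 100):
    """Duplicate a readable pipe end onto `target_fd` (above FD_SETSIZE) and
    probe it. Returns None when the process may not open that many
    descriptors, which is the only reason the demonstration cannot run."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft <= target_fd:
        want = target_fd + 16
        if hard != resource.RLIM_INFINITY and hard < want:
            return None
        try:
            resource.setrlimit(resource.RLIMIT_NOFILE, (want, hard))
        except (ValueError, OSError):
            return None
    r, w = os.pipe()
    os.write(w, b"x")  # make the read end readable
    os.dup2(r, target_fd)  # this is the situation a long-running UMC process ends up in
    try:
        return _probe(target_fd)
    finally:
        os.close(target_fd)
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("low fd :", probe_with_low_fd())
    print("high fd:", probe_with_high_fd())
```

The observable difference is the one the changelog describes: with the low descriptor both checks report the pending byte, with the high descriptor only poll() does, and a library built on select() would instead fail its KDC exchange with an error that says nothing about descriptors.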