15. Miscellaneous#

15.1. Databases#

UCS ships with two major database management systems, which are used for UCS internal purposes, but can also be used for custom additions.

15.1.1. PostgreSQL#

UCS uses PostgreSQL by default for its package tracking database, which collects the state and versions of packages installed on all systems of the domain.

15.1.2. MariaDB#

By default the MariaDB root password is set to ___. Debian provides the dbconfig package, which can be used to create and modify additional databases from maintainer scripts.

15.2. UCS lint#

Use ucslint to find packaging issues.

For each issue one or more lines are printed. The first line per issue always contains several fields separated by a colon (:):

severity:module-id-test-id[:filename[:line-number[:column-number]]]:message

For some issues extra context data is printed on the following lines, which are indented with space characters. All other lines start with a letter specifying the severity:

E

Error: Missing data, conflicting information, real bugs.

W

Warning: Possible bug, but might be okay in some situations.

I

Informational: found some issue, which needs further investigation.

S

Style: There might be a better, less error-prone way.

The severities are ordered by importance. By default ucslint only aborts on errors, but this can be overridden using the --exitcode-categories argument followed by a subset of the characters EWIS.

After the severity an identifier follows, which uniquely identifies the module and the test. The module is given as four digits, which is followed by a dash and the number of the test in that module. Currently the following modules exist:

0001-CheckJoinScript

Checks join file issues

0002-CopyPasteErrors

Checks for copy & paste error from example files

0004-CheckUCR

Checks UCR info files

0006-CheckPostinst

Checks Debian maintainer scripts

0007-Changelog

Checks debian/changelog file for conformance with Univention rules

0008-Translations

Checks translation files for completeness and errors

0009-Python

Checks Python files for common errors

0010-Copyright

Checks for Univention copyright

0011-Control

Checks debian/control file for errors

0013-bashism

Checks files using /bin/sh for BASH constructs

0014-Depends

Checks files for missing runtime dependencies on UCS packages

0015-FuzzyNames

Checks for spelling of Univention

0016-Deprecated

Checks files for usage of deprecated functions

0017-Shell

Checks shell scripts for quoting errors

0018-Debian

Checks for Debian packaging issues

The module and test number may be optionally followed by a filename, line number in that file, and column number in that line, where the issue was found. After that a message is printed, which describes the issue in more detail.

Since ucslint is very Univention centric, many of its tests return false positives for software packages by other parties. Therefore, many tests need to be disabled. For this the file debian/ucslint.overrides can be created with a list of modules and tests to be ignored. Without specifying the optional filename, line number and column number, the test is globally disabled for all files.
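The output format and the override mechanism described above, as an added example that is not part of ucslint itself: a small parser for the severity:module-test[:filename[:line[:column]]]:message lines (with their indented context lines), a filter that applies override entries, and the --exitcode-categories abort rule. The sample output is constructed, and the one-entry-per-line layout assumed for debian/ucslint.overrides is an assumption, not taken from the page.

```python
import re
from collections import namedtuple

# Constructed ucslint output (a sample, not captured from the real tool) in the
# documented shape severity:module-test[:filename[:line[:column]]]:message;
# context lines for an issue are indented with spaces.
SAMPLE_OUTPUT = """\
E:0007-1:debian/changelog:1:3:Invalid version string
  univention-example (1.0.0-1) unstable; urgency=low
W:0013-2:debian/postinst:12:Bashism: use of [[
S:0018-5:Uses deprecated debhelper compat level
I:0004-1:debian/univention-example.univention-config-registry:Missing description
"""
# Assumed layout of debian/ucslint.overrides for this example (not stated on the
# page): one "module-test[:filename[:line[:column]]]" entry per line.
SAMPLE_OVERRIDES = "0007-1\n0013-2:debian/postinst:12\n"

LINE_RE = re.compile(
    r"^(?P<sev>[EWIS]):(?P<id>\d{4}-\d+)"
    r"(?::(?P<file>[^:\n]+)(?::(?P<line>\d+)(?::(?P<col>\d+))?)?)?"
    r":(?P<msg>.*)$")

Issue = namedtuple("Issue", "severity test_id filename line column message context")

def parse_ucslint(output):
    """Parse ucslint output into Issue records, attaching indented context lines."""
    issues = []
    for raw in output.splitlines():
        if raw.startswith(" ") and issues:   # extra context data for the previous issue
            issues[-1].context.append(raw.strip())
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("unrecognised ucslint line: %r" % raw)
        issues.append(Issue(m["sev"], m["id"], m["file"],
                            int(m["line"]) if m["line"] else None,
                            int(m["col"]) if m["col"] else None, m["msg"], []))
    return issues

def apply_overrides(issues, overrides):
    """Drop issues matched by an override; fields left out of an override match anything."""
    rules = [r.strip().split(":") for r in overrides.splitlines() if r.strip()]
    def hit(i, r):
        return all(a == b for a, b in zip(r, (i.test_id, i.filename, str(i.line), str(i.column))))
    return [i for i in issues if not any(hit(i, r) for r in rules)]

def exit_code(issues, categories="E"):
    """Non-zero when any issue has a severity in categories (--exitcode-categories)."""
    return 1 if any(i.severity in categories for i in issues) else 0
```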

15.3. Function libraries#

The source package univention-lib provides the binary packages shell-univention-lib, python3-univention-lib and python-univention-lib, which contain common library functions usable in shell or Python programs.

15.3.1. shell-univention-lib#

This package (and several others) provides shell libraries in /usr/share/univention-lib/, which can be used in shell scripts.

/usr/share/univention-lib/admember.sh

This file contains some helpers to test for and to manage hosts in AD member mode.

/usr/share/univention-lib/backup.sh

This file contains code to remove old backup files from /var/univention-backup/.

/usr/share/univention-lib/base.sh

This file contains some helpers to create log files, handle unjoin scripts (see Writing unjoin scripts) or query the network configuration.

/usr/share/univention-lib/join.sh

This file is provided by the package univention-join. It is used by Debian maintainer scripts to register and call join scripts. See join.sh for further details.

/usr/share/univention-lib/ldap.sh

This file contains some helpers to query data from LDAP, register and un-register service entries, LDAP schema and LDAP ACL extensions.

/usr/share/univention-lib/samba.sh

This file contains a helper to check if Samba4 is used.

/usr/share/univention-lib/ucr.sh

This file is provided by the package univention-config. It contains some helpers to handle boolean Univention Configuration Registry Variables and handle UCR files on package removal. See Using UCR from shell for further details.

/usr/share/univention-lib/umc.sh

This file contains some helpers to handle UMC (see Univention Management Console (UMC)) related tasks.

/usr/share/univention-lib/all.sh

This is a convenience library, which just includes all libraries mentioned above.

15.3.2. python-univention-lib#

This package provides several Python libraries located in the module univention.lib.

univention.lib.admember

This module contains functions to test for and to manage hosts in AD member mode.

univention.lib.atjobs

This module contains functions to handle at-jobs.

univention.lib.fstab

This module provides some functions for handling the file /etc/fstab.

univention.lib.i18n

This module provides some classes to handle texts and their translations.

univention.lib.ldap_extension

This module provides some helper functions internally used to register LDAP extensions as described in join.sh.

univention.lib.listenerSharePath

This module provides some helper functions internally used by the Directory Listener module handling file shares.

univention.lib.locking

This module provides some functions to implement mutual exclusion using file objects as locking objects.

univention.lib.misc

This module provides miscellaneous functions to query the set of configured LDAP servers, localized domain user names, and other functions.

univention.lib.package_manager

This module provides some wrappers for dpkg and APT, which add functions for progress reporting.

univention.lib.s4

This module provides some well known SIDs and RIDs.

univention.lib.ucrLogrotate

This module provides some helper functions internally used for parsing the Univention Configuration Registry Variables related to logrotate.8.

univention.lib.ucs

This module provides the class UCS_Version to more easily handle UCS version strings.

univention.lib.umc

This module provides the class Client to handle connections to remote UMC servers.

univention.lib.umc_module

This module provides some functions for handling icons.

15.4. Login access control#

Access control to services can be configured for individual services by setting certain Univention Configuration Registry Variables. Setting auth/SERVICE/restrict to true enables access control for that service. This will include the file /etc/security/access-SERVICE.conf, which contains the list of users and groups permitted to log in to the service. Users and groups can be added to that file by setting auth/SERVICE/user/USER and auth/SERVICE/group/GROUP to true respectively.

15.5. Network packet filter#

Firewall rules are set up by univention-firewall and can be configured through Univention Configuration Registry or by providing additional UCR templates.

15.5.1. Filter rules by Univention Configuration Registry#

Besides predefined service definitions, Univention Firewall also allows the implementation of packet filter rules through Univention Configuration Registry. These rules are included in /etc/security/packetfilter.d/ through a Univention Configuration Registry module.

Filter rules can be provided through packages or can be configured locally by the administrator. Local rules have a higher priority and overwrite rules provided by packages.

All Univention Configuration Registry settings for filter rules are entered in the following format:

Local filter rule

security/packetfilter/protocol/port(s)/address=policy

Package filter rule

security/packetfilter/package/package/protocol/port(s)/address=policy

The following values need to be filled in:

package (only for packaged rules)

The name of the package providing the rule.

protocol

Can be either tcp for server services using the Transmission Control Protocol or udp for services using the stateless User Datagram Protocol.

port; min-port:max-port

Ports can be defined either as a single number between 1 and 65535 or as a range separated by a colon: min-port:max-port

address

This can be either ipv4 for all IPv4 addresses, ipv6 for all IPv6 addresses, all for both IPv4 and IPv6 addresses, or any explicitly specified IPv4 or IPv6 address.

policy

If a rule is registered as DROP, then packets to this port will be silently discarded; REJECT can be used to send back an ICMP message port unreachable instead. Using ACCEPT explicitly allows such packets. (iptables rules are evaluated until one rule matches; thus, if a packet is accepted by a rule and would be discarded by a later rule, the later rule has no effect on that packet.)

Filter rules can optionally be described by setting additional Univention Configuration Registry Variables. For each rule and language, an additional variable suffixed by /language can be used to add a descriptive text.

Some examples:

Listing 15.1 Local firewall rules#
security/packetfilter/tcp/2000/all=DROP
security/packetfilter/tcp/2000/all/en=Drop all packets to TCP port 2000
security/packetfilter/udp/500:600/all=ACCEPT
security/packetfilter/udp/500:600/all/en=Accept UDP port 500 to 600

All package rules can be globally disabled by setting the Univention Configuration Registry Variable security/packetfilter/use_packages to false.
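The rule format described above, as an added example that is not the univention-firewall code: it parses local and package rules from a UCR-style dictionary, enforces the documented value ranges, gives local rules priority over package rules, honours security/packetfilter/use_packages, and renders the result as iptables/ip6tables commands. The UCR values and the package name univention-example are constructed, and matching an explicitly specified address with -d is an assumption of this example, not the documented template output.

```python
import ipaddress
import re
# Constructed UCR settings (sample values, not from a real system): two local
# rules, one description, and two package rules from a hypothetical package.
SAMPLE_UCR = {
    "security/packetfilter/tcp/2000/all": "DROP",
    "security/packetfilter/tcp/2000/all/en": "Drop all packets to TCP port 2000",
    "security/packetfilter/udp/500:600/all": "ACCEPT",
    "security/packetfilter/package/univention-example/tcp/2000/all": "ACCEPT",
    "security/packetfilter/package/univention-example/tcp/8080/192.0.2.10": "REJECT",
}
KEY_RE = re.compile(
    r"^security/packetfilter/(?:package/(?P<pkg>[^/]+)/)?"
    r"(?P<proto>tcp|udp)/(?P<ports>\d+(?::\d+)?)/(?P<addr>[^/]+)$")

def families(addr):
    """Expand the address field into (tool, destination address) pairs."""
    if addr == "all":
        return [("iptables", None), ("ip6tables", None)]
    if addr in ("ipv4", "ipv6"):
        return [("iptables" if addr == "ipv4" else "ip6tables", None)]
    ip = ipaddress.ip_address(addr)          # raises ValueError on malformed input
    return [("iptables" if ip.version == 4 else "ip6tables", str(ip))]

def parse_rules(ucr):
    """Return {(proto, ports, addr): policy}; local rules take priority over package rules."""
    use_packages = ucr.get("security/packetfilter/use_packages", "true").lower() != "false"
    local, packaged = {}, {}
    for key, value in ucr.items():
        m = KEY_RE.match(key)
        if not m:
            continue                         # description (.../en) or unrelated variable
        if value not in ("ACCEPT", "DROP", "REJECT"):
            raise ValueError("bad policy %r for %s" % (value, key))
        if not all(1 <= int(p) <= 65535 for p in m["ports"].split(":")):
            raise ValueError("port out of range in %s" % key)
        spec = (m["proto"], m["ports"], m["addr"])
        (packaged if m["pkg"] else local)[spec] = value
    rules = dict(packaged) if use_packages else {}   # use_packages=false drops all package rules
    rules.update(local)                              # local rules overwrite package rules
    return rules

def iptables_commands(rules):
    """Render the rule set as iptables/ip6tables INPUT-chain commands."""
    cmds = []
    for (proto, ports, addr), policy in sorted(rules.items()):
        for tool, dst in families(addr):
            dest = " -d %s" % dst if dst else ""   # -d for explicit addresses is an assumption
            cmds.append("%s -A INPUT -p %s --dport %s%s -j %s" % (tool, proto, ports, dest, policy))
    return cmds
```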

15.5.2. Local filter rules through iptables commands#

Besides the existing possibilities for settings through Univention Configuration Registry, there is also the possibility of integrating user-defined enhanced configurations in /etc/security/packetfilter.d/, for example for realizing a firewall or Network Address Translation. The enhancements should be realized in the form of shell scripts which execute the corresponding iptables (for IPv4) and ip6tables (for IPv6) calls. For packages this is best done through using a Univention Configuration Registry template as described in File.

Full documentation for IPTables can be found at the netfilter/iptables project.

15.5.3. Testing Univention Firewall settings#

Packet filter settings should always be thoroughly tested. The network scanner nmap, which is integrated in Univention Corporate Server as a standard feature, can be used for testing the status of individual ports.

Since nmap requires elevated privileges in the network stack, it should be started as root user. A TCP port can be tested with the following command: nmap HOSTNAME -p PORT(s)

A UDP port can be tested with the following command: nmap HOSTNAME -sU -p PORT(s)

Listing 15.2 Using nmap for firewall port testing#
$ nmap 192.0.2.100 -p 400
$ nmap 192.0.2.110 -sU -p 400-500

15.6. Active Directory Connection custom mappings#

For a general overview of the Active Directory Connection app, see Active Directory Connection in Univention Corporate Server - Manual for users and administrators [2].

It is possible to modify and append custom mappings. Administrators need to create the file /etc/univention/connector/ad/localmapping.py. Within that file, they must implement the following function:

def mapping_hook(ad_mapping):
    # Modify or extend the passed-in mapping here and return the result.
    return ad_mapping

The variable ad_mapping influences the mapping. The Active Directory Connection app logs the resulting mapping to /var/log/univention/connector-ad-mapping.log, when the administrator restarts Univention AD connector.