15. Miscellaneous#
15.1. Databases#
UCS ships with two major database management systems, which are used for UCS internal purposes, but can also be used for custom additions.
15.1.1. PostgreSQL#
UCS uses PostgreSQL by default for its package tracking database, which collects the state and versions of packages installed on all systems of the domain.
15.1.2. MariaDB#
By default the MariaDB root password is set to ___. Debian provides the dbconfig package, which can be used to create and modify additional databases from maintainer scripts.
15.2. UCS lint#
Use ucslint to find packaging issues. For each issue one or more lines are printed. The first line per issue always contains several fields separated by ':':
severity:module-id-test-id[:filename[:line-number[:column-number]]]:message
For some issues extra context data is printed on the following lines, which are indented with space characters. All other lines start with a letter specifying the severity:
E
Error: Missing data, conflicting information, real bugs.
W
Warning: Possible bug, but might be okay in some situations.
I
Informational: found some issue, which needs further investigation.
S
Style: There might be some better less error prone way.
The severities are ordered by importance. By default ucslint only aborts on errors, but this can be overwritten using the --exitcode-categories argument followed by a subset of the characters EWIS.
After the severity an identifier follows, which uniquely identifies the module and the test. The module is given as four digits, which is followed by a dash and the number of the test in that module. Currently the following modules exist:
0001-CheckJoinScript
Checks join file issues
0002-CopyPasteErrors
Checks for copy & paste errors from example files
0004-CheckUCR
Checks UCR info files
0006-CheckPostinst
Checks Debian maintainer scripts
0007-Changelog
Checks the debian/changelog file for conformance with Univention rules
0008-Translations
Checks translation files for completeness and errors
0009-Python
Checks Python files for common errors
0010-Copyright
Checks for Univention copyright
0011-Control
Checks the debian/control file for errors
0013-bashism
Checks files using /bin/sh for BASH constructs
0014-Depends
Checks files for missing runtime dependencies on UCS packages
0015-FuzzyNames
Checks for spelling of Univention
0016-Deprecated
Checks files for usage of deprecated functions
0017-Shell
Checks shell scripts for quoting errors
0018-Debian
Checks for Debian packaging issues
The module and test number may be optionally followed by a filename, line number in that file, and column number in that line, where the issue was found. After that a message is printed, which describes the issue in more detail.
Since ucslint is very Univention-centric, many of its tests return false positives for software packages by other parties. Therefore, many tests need to be disabled. For this the file debian/ucslint.overrides can be created with a list of modules and tests to be ignored. Without specifying the optional filename, line number and column number, the test is globally disabled for all files.
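The following Python is an added example, not ucslint's own code: it parses output in the format described above, attaches indented context lines to their issue, and applies the --exitcode-categories logic. The line syntax it assumes for debian/ucslint.overrides (test-id[:filename[:line[:column]]]) and the sample output, test ids and messages are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Sequence
# Issue line format: severity:module-id-test-id[:filename[:line-number[:column-number]]]:message
ISSUE_RE = re.compile(
    r"^(?P<sev>[EWIS]):(?P<module>\d{4})-(?P<test>\d+)"
    r"(?::(?P<file>[^:]*)(?::(?P<line>\d+)(?::(?P<col>\d+))?)?)?:(?P<msg>.*)$"
)

class Issue(NamedTuple):
    severity: str
    test_id: str  # module-id-test-id, e.g. "0006-4"
    filename: Optional[str]
    line: Optional[int]
    column: Optional[int]
    message: str
    context: List[str]  # indented extra lines following the issue line

def parse_output(text: str) -> List[Issue]:
    """Turn ucslint output into Issue records; lines matching nothing are skipped."""
    issues: List[Issue] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and issues:  # context data belongs to the previous issue
            issues[-1].context.append(raw.strip())
            continue
        m = ISSUE_RE.match(raw)
        if m:
            issues.append(Issue(m["sev"], f"{m['module']}-{m['test']}", m["file"] or None,
                                int(m["line"]) if m["line"] else None,
                                int(m["col"]) if m["col"] else None, m["msg"], []))
    return issues

def is_overridden(issue: Issue, overrides: Sequence[str]) -> bool:
    """Assumed debian/ucslint.overrides syntax: test-id[:filename[:line[:column]]] per line.
    Omitted parts match anything, so a bare test-id disables that test for all files."""
    wanted = [issue.test_id, issue.filename, issue.line, issue.column]
    for entry in overrides:
        parts = entry.strip().split(":")
        if parts[0] and not parts[0].startswith("#") and all(p == str(w) for p, w in zip(parts, wanted)):
            return True
    return False

def exit_code(issues: List[Issue], overrides: Sequence[str] = (), categories: str = "E") -> int:
    """Non-zero when any issue that is not overridden has a severity in categories (subset of EWIS)."""
    return int(any(i.severity in categories for i in issues if not is_overridden(i, overrides)))

SAMPLE_OUTPUT = """\
E:0006-4:debian/myapp.postinst:12:constructed error message
  update-rc.d myapp defaults
W:0009-3:myapp/util.py:7:3:constructed warning message
S:0017-1:debian/rules:constructed style message
"""  # constructed sample output; the test ids and messages are not real ucslint tests
```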
15.3. Function libraries#
The source package univention-lib provides the binary packages shell-univention-lib, python3-univention-lib and python-univention-lib, which contain common library functions usable in shell or Python programs.
15.3.1. shell-univention-lib#
This package (and several others) provides shell libraries in /usr/share/univention-lib/, which can be used in shell scripts.
/usr/share/univention-lib/admember.sh
This file contains some helpers to test for and to manage hosts in AD member mode.
/usr/share/univention-lib/backup.sh
This file contains code to remove old backup files from /var/univention-backup/.
/usr/share/univention-lib/base.sh
This file contains some helpers to create log files, handle unjoin scripts (see Writing unjoin scripts) or query the network configuration.
/usr/share/univention-lib/join.sh
This file is provided by the package univention-join. It is used by Debian maintainer scripts to register and call join scripts. See join.sh for further details.
/usr/share/univention-lib/ldap.sh
This file contains some helpers to query data from LDAP, register and un-register service entries, LDAP schema and LDAP ACL extensions.
/usr/share/univention-lib/samba.sh
This file contains a helper to check if Samba4 is used.
/usr/share/univention-lib/ucr.sh
This file is provided by the package univention-config. It contains some helpers to handle boolean Univention Configuration Registry Variables and handle UCR files on package removal. See Using UCR from shell for further details.
/usr/share/univention-lib/umc.sh
This file contains some helpers to handle UMC (see Univention Management Console (UMC)) related tasks.
/usr/share/univention-lib/all.sh
This is a convenient library, which just includes all libraries mentioned above.
15.3.2. python-univention-lib#
This package provides several Python libraries located in the module univention.lib.
- univention.lib.admember
This module contains functions to test for and to manage hosts in AD member mode.
- univention.lib.atjobs
This module contains functions to handle at-jobs.
- univention.lib.fstab
This module provides some functions for handling the file /etc/fstab.
- univention.lib.i18n
This module provides some classes to handle texts and their translations.
- univention.lib.ldap_extension
This module provides some helper functions internally used to register LDAP extension as described in join.sh.
- univention.lib.listenerSharePath
This module provides some helper functions internally used by the Directory Listener module handling file shares.
- univention.lib.locking
This module provides some functions to implement mutual exclusion using file objects as locking objects.
- univention.lib.misc
This module provides miscellaneous functions to query the set of configured LDAP servers, localized domain user names, and other functions.
- univention.lib.package_manager
This module provides some wrappers for dpkg and APT, which add functions for progress reporting.
- univention.lib.s4
This module provides some well known SIDs and RIDs.
- univention.lib.ucrLogrotate
This module provides some helper functions internally used for parsing the Univention Configuration Registry Variables related to logrotate.8.
- univention.lib.ucs
This module provides the class UCS_Version to more easily handle UCS version strings.
- univention.lib.umc
This module provides the class Client to handle connections to remote UMC servers.
- univention.lib.umc_module
This module provides some functions for handling icons.
15.4. Login access control#
Access control to services can be configured for individual services by setting certain Univention Configuration Registry Variables. Setting auth/SERVICE/restrict to true enables access control for that service. This will include the file /etc/security/access-SERVICE.conf, which contains the list of allowed users and groups permitted to log in to the service. Users and groups can be added to that file by setting auth/SERVICE/user/USER and auth/SERVICE/group/GROUP to true respectively.
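An added example (not UCS code) modelling how these variables combine: user and group entries only take effect once auth/SERVICE/restrict is true, so a service with entries but no restrict variable stays open to everyone. The service name sshd, the account names and the group names are hypothetical, and only the literal value "true" is treated as enabled.

```python
def access_policy(ucr, service):
    """Collect the access control settings for SERVICE from its auth/SERVICE/... variables.
    Assumed: only the literal value "true" counts (ucr.sh handles other boolean spellings)."""
    prefix = f"auth/{service}/"
    restricted = ucr.get(prefix + "restrict", "").lower() == "true"
    users = {k[len(prefix + "user/"):] for k, v in ucr.items()
             if k.startswith(prefix + "user/") and v.lower() == "true"}
    groups = {k[len(prefix + "group/"):] for k, v in ucr.items()
              if k.startswith(prefix + "group/") and v.lower() == "true"}
    return restricted, users, groups

def may_login(ucr, service, user, user_groups):
    """Without auth/SERVICE/restrict=true the user/group variables have no effect and
    everyone may log in; with it, only listed users and members of listed groups may."""
    restricted, users, groups = access_policy(ucr, service)
    return (not restricted) or user in users or bool(groups & set(user_groups))

SAMPLE_UCR = {  # constructed sample; service, user and group names are hypothetical
    "auth/sshd/restrict": "true",
    "auth/sshd/user/alice": "true",
    "auth/sshd/user/bob": "false",  # set to false, so bob is not listed
    "auth/sshd/group/Domain Admins": "true",
    "auth/ftp/user/alice": "true",  # restrict is not set for ftp, so this is not enforced
}
```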
15.5. Network packet filter#
Firewall rules are setup by univention-firewall and can be configured through Univention Configuration Registry or by providing additional UCR templates.
15.5.1. Filter rules by Univention Configuration Registry#
Besides predefined service definitions, Univention Firewall also allows the implementation of packet filter rules through Univention Configuration Registry. These rules are included in /etc/security/packetfilter.d/ through a Univention Configuration Registry module.
Filter rules can be provided through packages or can be configured locally by the administrator. Local rules have a higher priority and overwrite rules provided by packages.
All Univention Configuration Registry settings for filter rules are entered in the following format:
- Local filter rule
security/packetfilter/protocol/port(s)/address=policy
- Package filter rule
security/packetfilter/package/package/protocol/port(s)/address=policy
The following values need to be filled in:
package
(only for packaged rules) The name of the package providing the rule.
protocol
Can be either tcp for server services using the Transmission Control Protocol or udp for services using the stateless User Datagram Protocol.
port(s)
Ports can be defined either as a single number between 1 and 65535 or as a range separated by a colon: min-port:max-port
address
This can be either ipv4 for all IPv4 addresses, ipv6 for all IPv6 addresses, all for both IPv4 and IPv6 addresses, or any explicitly specified IPv4 or IPv6 address.
policy
If a rule is registered as DROP, then packets to this port will be silently discarded; REJECT can be used to send back an ICMP message port unreachable instead. Using ACCEPT explicitly allows such packets. (iptables rules are evaluated until one rule applies; thus, if a packet is accepted by one rule and would be discarded by a later rule, the later discarding rule never takes effect.)
Filter rules can optionally be described by setting additional Univention Configuration Registry Variables. For each rule and language, an additional variable suffixed by /language can be used to add a descriptive text.
Some examples:
security/packetfilter/tcp/2000/all=DROP
security/packetfilter/tcp/2000/all/en=Drop all packets to TCP port 2000
security/packetfilter/udp/500:600/all=ACCEPT
security/packetfilter/udp/500:600/all/en=Accept UDP port 500 to 600
All package rules can be globally disabled by setting the Univention Configuration Registry Variable security/packetfilter/use_packages to false.
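As an added example (not code from the univention-firewall package), the following Python parses these variables with the precedence rules described above: a local rule overwrites a packaged rule for the same protocol, port and address, use_packages=false discards packaged rules, and description variables and malformed keys are ignored. The INPUT chain, matching an explicit address as destination, and the package name myapp are assumptions of this example.

```python
import re
POLICIES = {"ACCEPT", "DROP", "REJECT"}
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")  # single port or min-port:max-port
ADDR_TOOLS = {"ipv4": ["iptables"], "ipv6": ["ip6tables"], "all": ["iptables", "ip6tables"]}

def parse_rule_key(key):
    """Return (package, (protocol, ports, address)) for a rule variable, or None for
    description variables (trailing /language part), use_packages and malformed keys."""
    parts = key.split("/")
    rest, package = parts[2:], None
    if rest[:1] == ["package"] and len(rest) > 1:
        package, rest = rest[1], rest[2:]
    m = PORT_RE.match(rest[1]) if len(rest) == 3 and rest[0] in ("tcp", "udp") and rest[2] else None
    if parts[:2] != ["security", "packetfilter"] or not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return (package, tuple(rest)) if 1 <= lo <= hi <= 65535 else None

def build_rules(ucr):
    """Merge rules: local overwrites packaged per slot; use_packages=false drops packaged rules."""
    use_packages = ucr.get("security/packetfilter/use_packages", "true").lower() != "false"
    packaged, local = {}, {}
    for key, value in ucr.items():
        parsed = parse_rule_key(key)
        if parsed is None or value.upper() not in POLICIES:
            continue  # descriptions, unknown policies and malformed keys are ignored
        package, rule = parsed
        if package is None:
            local[rule] = value.upper()
        elif use_packages:
            packaged[rule] = value.upper()
    return {**packaged, **local}

def iptables_commands(rules):
    """Render iptables/ip6tables calls (assumed: INPUT chain; explicit address matched with -d)."""
    cmds = []
    for (protocol, ports, address), policy in sorted(rules.items()):
        tools = ADDR_TOOLS.get(address, ["ip6tables" if ":" in address else "iptables"])
        dest = "" if address in ADDR_TOOLS else f" -d {address}"
        for tool in tools:
            cmds.append(f"{tool} -A INPUT -p {protocol}{dest} --dport {ports} -j {policy}")
    return cmds

SAMPLE_UCR = {  # constructed sample; the first three entries are the documentation's own examples
    "security/packetfilter/tcp/2000/all": "DROP",
    "security/packetfilter/tcp/2000/all/en": "Drop all packets to TCP port 2000",
    "security/packetfilter/udp/500:600/all": "ACCEPT",
    "security/packetfilter/package/myapp/tcp/8080/ipv4": "ACCEPT",  # myapp is hypothetical
    "security/packetfilter/package/myapp/tcp/2000/all": "ACCEPT",  # overwritten by the local DROP
    "security/packetfilter/tcp/70000/all": "DROP",  # invalid port, ignored
}
```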
15.5.2. Local filter rules through iptables commands#
Besides the existing possibilities for settings through Univention Configuration Registry, there is also the possibility of integrating user-defined enhanced configurations in /etc/security/packetfilter.d/, for example for realizing a firewall or Network Address Translation. The enhancements should be realized in the form of shell scripts which execute the corresponding iptables (IPv4) and ip6tables (IPv6) calls. For packages this is best done by using a Univention Configuration Registry template as described in File.
Full documentation for iptables can be found at the netfilter/iptables project.
15.5.3. Testing Univention Firewall settings#
Package filter settings should always be thoroughly tested. The network scanner nmap, which is integrated in Univention Corporate Server as a standard feature, can be used for testing the status of individual ports.
Since nmap requires elevated privileges in the network stack, it should be started as the root user. A TCP port can be tested with the following command: nmap HOSTNAME -p PORT(s)
A UDP port can be tested with the following command: nmap HOSTNAME -sU -p PORT(s)
$ nmap 192.0.2.100 -p 400
$ nmap 192.0.2.110 -sU -p 400-500
15.6. Active Directory Connection custom mappings#
For a general overview of the Active Directory Connection app, see Active Directory Connection in Univention Corporate Server - Manual for users and administrators [2].
It is possible to modify and append custom mappings. Administrators need to create the file /etc/univention/connector/ad/localmapping.py. Within that file, they must implement the following function:
def mapping_hook(ad_mapping):
    return ad_mapping
The variable ad_mapping influences the mapping. The Active Directory Connection app logs the resulting mapping to /var/log/univention/connector-ad-mapping.log when the administrator restarts the Univention AD connector.