Univention Corporate Server - Manual for users and administrators

• 1. Introduction
  • 1.1. What is Univention Corporate Server?
  • 1.2. What is Univention Nubus?
  • 1.3. Overview of UCS
    • 1.3.1. Commissioning
    • 1.3.2. Domain concept
    • 1.3.3. Expandability with the Univention App Center
    • 1.3.4. LDAP directory service
    • 1.3.5. Domain administration
    • 1.3.6. Computer administration
    • 1.3.7. Policy concept
    • 1.3.8. Listener/notifier replication
  • 1.4. Further documentation
  • 1.5. Symbols and conventions used in this manual
• 2. Installation
  • 2.1. Selecting the installation mode
  • 2.2. Selecting the installation language
  • 2.3. Selecting the location
  • 2.4. Selecting the keyboard layout
  • 2.5. Network configuration
  • 2.6. Setting up the root password
  • 2.7. Partitioning the hard drive
  • 2.8. Domain settings
    • 2.8.1. Naming convention for hostnames
    • 2.8.2. Create a new UCS domain mode
    • 2.8.3. Join an existing Active Directory domain mode
    • 2.8.4. Join an existing UCS domain domain mode
  • 2.9. Confirming the settings
  • 2.10. Troubleshooting for installation problems
  • 2.11. Installation in text mode
  • 2.12. Installation in the Amazon EC2 cloud
  • 2.13. Installation in VMware
• 3. Domain services / LDAP directory
  • 3.1. Joining domains
    • 3.1.1. How UCS systems join domains
      • 3.1.1.1. Subsequent domain joins with univention-join
      • 3.1.1.2. Joining domains via Univention Management Console module
      • 3.1.1.3. Join scripts / Unjoin scripts
        • Subsequent running of join scripts
    • 3.1.2. Windows domain joins
      • 3.1.2.1. Windows 11
      • 3.1.2.2. Windows 10
      • 3.1.2.3. Windows Server 2012 / 2016 / 2019 / 2022
    • 3.1.3. Ubuntu domain joins
    • 3.1.4. macOS domain joins
      • 3.1.4.1. Domain join using the system preferences GUI
      • 3.1.4.2. Domain join on the command line
  • 3.2. UCS system roles
    • 3.2.1. Primary Directory Node
    • 3.2.2. Backup Directory Node
    • 3.2.3. Replica Directory Node
    • 3.2.4. Managed Node
    • 3.2.5. Ubuntu
    • 3.2.6. Linux
    • 3.2.7. macOS
    • 3.2.8. Domain Trust Account
    • 3.2.9. IP client
    • 3.2.10. Windows Domaincontroller
    • 3.2.11. Windows Workstation/Server
  • 3.3. LDAP directory
    • 3.3.1. LDAP schemas
      • 3.3.1.1. LDAP schema extensions
      • 3.3.1.2. LDAP schema replication
    • 3.3.2. Audit-proof logging of LDAP changes
    • 3.3.3. Timeout for inactive LDAP connections
    • 3.3.4. LDAP command line tools
    • 3.3.5. Access control for the LDAP directory
      • 3.3.5.1. Delegation of the privilege to reset user passwords
    • 3.3.6. Name Service Switch / LDAP NSS module
    • 3.3.7. Syncrepl for synchronization with non-UCS OpenLDAP servers
    • 3.3.8. Configuration of the directory service when using Samba/AD
    • 3.3.9. Daily backup of LDAP data
  • 3.4. Listener/notifier domain replication
    • 3.4.1. Listener/notifier replication workflow
    • 3.4.2. Analysis of listener/notifier problems
      • 3.4.2.1. Log files/debug level of replication
      • 3.4.2.2. Identification of replication problems
      • 3.4.2.3. Reinitialization of listener modules
  • 3.5. SSL certificate management
  • 3.6. Kerberos
    • 3.6.1. KDC selection
    • 3.6.2. Kerberos admin server
  • 3.7. Password hashes in the directory service
  • 3.8. SAML identity provider
    • 3.8.1. Login via single sign-on
    • 3.8.2. Adding a new external service provider
    • 3.8.3. Extended Configuration
  • 3.9. OpenID Connect Provider
  • 3.10. Converting a Backup Directory Node backup to the new Primary Directory Node
  • 3.11. Fault-tolerant domain setup
  • 3.12. Protocol of activities in the domain
• 4. UCS web interface
  • 4.1. Introduction
    • 4.1.1. Access
    • 4.1.2. Browser compatibility
    • 4.1.3. Switching between dark and light theme for UCS web interfaces
    • 4.1.4. Creating a custom theme/Adjusting the design of UCS web interfaces
    • 4.1.5. Feedback on UCS
    • 4.1.6. Collection of usage statistics
  • 4.2. Login
    • 4.2.1. Refresh portal tabs on logout
    • 4.2.2. Choose the right user account
    • 4.2.3. Single sign-on
      • 4.2.3.1. SAML for single sign-on
        • Activate
        • Update sign-in links
      • 4.2.3.2. OpenID Connect for single sign-on
        • Requirements
        • Activation
        • Create sign-in links
        • Verification and log files
        • Deactivate
        • Identity Provider with non-standard FQDN
        • Non-standard FQDN for the Univention Portal and UMC
        • Back-channel sign-out
  • 4.3. UCS portal page
    • 4.3.1. Assign rights for portal settings
  • 4.4. Consent for using Cookies
    • 4.4.1. Usage of the cookie consent banner
    • 4.4.2. UCR reference for cookie consent banner
  • 4.5. Univention Management Console modules
    • 4.5.1. Activation of UCS license / license overview
    • 4.5.2. Operating instructions for modules to administrate LDAP directory data
      • 4.5.2.1. Searching for objects
      • 4.5.2.2. Creating objects
      • 4.5.2.3. Editing objects
      • 4.5.2.4. Deleting objects
      • 4.5.2.5. Moving objects
    • 4.5.3. Display of system notifications
  • 4.6. LDAP directory browser
  • 4.7. Policies
    • 4.7.1. Creating a policy
    • 4.7.2. Applying policies
    • 4.7.3. Editing a policy
  • 4.8. Expansion of UMC modules with extended attributes
    • 4.8.1. Extended attributes - General tab
    • 4.8.2. Extended attributes - Module tab
    • 4.8.3. Extended attributes - LDAP mapping tab
    • 4.8.4. Extended attributes - UMC tab
    • 4.8.5. Extended attributes - Data type tab
  • 4.9. Structuring of the domain with user-defined LDAP structures
    • 4.9.1. General tab
    • 4.9.2. Advanced settings tab
    • 4.9.3. Policies tab
  • 4.10. Delegated administration for UMC modules
  • 4.11. Command line interface of domain management (Univention Directory Manager)
    • 4.11.1. Parameters of the command line interface
    • 4.11.2. Example invocations of the command line interface
      • 4.11.2.1. Users
      • 4.11.2.2. Groups
      • 4.11.2.3. Container / Policies
      • 4.11.2.4. Computers
      • 4.11.2.5. Shares
      • 4.11.2.6. Printers
      • 4.11.2.7. DNS/DHCP
      • 4.11.2.8. Extended attributes
  • 4.12. HTTP API of domain management
  • 4.13. Evaluation of data from the LDAP directory with Univention Directory Reports
    • 4.13.1. Creating reports via Univention Management Console modules
    • 4.13.2. Creating reports on the command line
    • 4.13.3. Adjustment/expansion of Univention Directory Reports
  • 4.14. Let’s Encrypt
• 5. Software deployment
  • 5.1. Differentiation of update variants / UCS versions
  • 5.2. Univention App Center
  • 5.3. Updates of UCS systems
    • 5.3.1. Update strategy in environments with more than one UCS system
    • 5.3.2. Updating individual systems via Univention Management Console module
    • 5.3.3. Updating individual systems via the command line
    • 5.3.4. Updating systems via a policy
    • 5.3.5. Post-processing of release updates
    • 5.3.6. Troubleshooting in case of update problems
  • 5.4. Configuration of the repository server for updates and package installations
    • 5.4.1. Configuration via Univention Management Console module
    • 5.4.2. Configuration via Univention Configuration Registry
    • 5.4.3. Policy-based configuration of the repository server
    • 5.4.4. Creating and updating a local repository
  • 5.5. Installation of further software
    • 5.5.1. Installation/deinstallation of UCS components in the Univention App Center
    • 5.5.2. Installation/removal of individual packages via Univention Management Console module
    • 5.5.3. Installation/removal of individual packages in the command line
    • 5.5.4. Hook scripts for administrators
    • 5.5.5. Policy-based installation/deinstallation of individual packages via package lists
  • 5.6. Specification of an update point using the package maintenance policy
  • 5.7. Central monitoring of software installation statuses with the software monitor
• 6. User management
  • 6.1. User management through Univention Management Console module
    • 6.1.1. User creation wizard
    • 6.1.2. User management module - General tab
    • 6.1.3. User management module - Groups tab
    • 6.1.4. User management module - Account tab
    • 6.1.5. User management module - Contact tab
    • 6.1.6. User management module - Mail tab
    • 6.1.7. User management module - Options tab
  • 6.2. User activation for apps
  • 6.3. User password management
    • 6.3.1. Password policy types
    • 6.3.2. Change the user password
    • 6.3.3. Password policy settings in UMC
  • 6.4. Password settings for Windows clients when using Samba
  • 6.5. User self services
    • 6.5.1. Password change by user via UCS portal page
    • 6.5.2. Password management via Self Service app
    • 6.5.3. Contact information
    • 6.5.4. Self registration
      • 6.5.4.1. Account creation
      • 6.5.4.2. Verification email
      • 6.5.4.3. Account verification
    • 6.5.5. Self deregistration
  • 6.6. Automatic lockout of users after failed login attempts
    • 6.6.1. Samba Active Directory Service
    • 6.6.2. PAM-Stack
    • 6.6.3. OpenLDAP
  • 6.7. User templates
  • 6.8. Overlay module for recording an account’s last successful LDAP bind
  • 6.9. Prevent reuse of user property values
    • 6.9.1. Activate block lists
    • 6.9.2. Configure block lists
    • 6.9.3. Manage block list entries
    • 6.9.4. Expired block list entries
    • 6.9.5. LDAP ACLs for block lists
• 7. Group management
  • 7.1. User group assignments
  • 7.2. Recommendation for group name definition
  • 7.3. Managing groups via Univention Management Console module
    • 7.3.1. Group management module - General tab
    • 7.3.2. Group management module - Advanced settings tab
    • 7.3.3. Group management module - Options settings tab
  • 7.4. Group nesting with groups in groups
  • 7.5. Local group cache
  • 7.6. Synchronization of Active Directory groups when using Samba/AD
  • 7.7. Overlay module for displaying the group information on user objects
• 8. Computer management
  • 8.1. Management of computer accounts via Univention Management Console module
    • 8.1.1. Computer management module - General tab
    • 8.1.2. Computer management module - Account tab
    • 8.1.3. Computer management module - Unix account tab
    • 8.1.4. Computer management module - Services tab
    • 8.1.5. Computer management module - Deployment tab
    • 8.1.6. Computer management module - DNS alias tab
    • 8.1.7. Computer management module - Alerts tab
    • 8.1.8. Computer management module - Groups tab
    • 8.1.9. Computer management module - Options alias tab
    • 8.1.10. Integration of Ubuntu clients
  • 8.2. Configuration of hardware and drivers
    • 8.2.1. Available kernel variants
    • 8.2.2. Hardware drivers / kernel modules
    • 8.2.3. GRUB boot manager
    • 8.2.4. Network configuration
      • 8.2.4.1. Configuration of IPv4 addresses
      • 8.2.4.2. Configuration of IPv6 addresses
      • 8.2.4.3. Configuring the name servers
      • 8.2.4.4. Bridges, bonding, VLANs
      • 8.2.4.5. Configure bridging
      • 8.2.4.6. Configure bonding
      • 8.2.4.7. Configure VLAN
    • 8.2.5. Proxy access configuration
    • 8.2.6. Mounting NFS shares
    • 8.2.7. Collection of list of supported hardware
  • 8.3. Administration of local system configuration with Univention Configuration Registry
    • 8.3.1. Using the Univention Management Console module
    • 8.3.2. Using the command line frontend
      • 8.3.2.1. Querying a UCR variable
      • 8.3.2.2. Setting UCR variables
      • 8.3.2.3. Searching for variables and set values
      • 8.3.2.4. Deleting UCR variables
      • 8.3.2.5. Regeneration of configuration files from their template
      • 8.3.2.6. Sourcing variables in shell scripts
    • 8.3.3. Policy-based configuration of UCR variables
    • 8.3.4. Modifying UCR templates
      • 8.3.4.1. Referencing of UCR variables in templates
      • 8.3.4.2. Integration of inline Python code in templates
  • 8.4. Basic system services
    • 8.4.1. Administrative access with the root account
    • 8.4.2. Configuration of language and keyboard settings
    • 8.4.3. Starting/stopping system services / configuration of automatic startup
    • 8.4.4. Authentication / PAM
      • 8.4.4.1. Limiting authentication to selected users
    • 8.4.5. Configuration of the LDAP server in use
    • 8.4.6. Configuration of the print server in use
    • 8.4.7. Logging/retrieval of system messages and system status
      • 8.4.7.1. Log files
      • 8.4.7.2. Logging the system status
      • 8.4.7.3. Process overview via Univention Management Console module
      • 8.4.7.4. System diagnostic via Univention Management Console module
    • 8.4.8. Executing recurring actions with Cron
      • 8.4.8.1. Hourly/daily/weekly/monthly execution of scripts
      • 8.4.8.2. Defining local cron jobs in /etc/cron.d/
      • 8.4.8.3. Defining cron jobs in Univention Configuration Registry
    • 8.4.9. Name service cache daemon
    • 8.4.10. SSH login to systems
    • 8.4.11. Configuring the time zone / time synchronization
• 9. Services for Windows
  • 9.1. Operation of a Samba domain based on Active Directory
    • 9.1.1. Installation
    • 9.1.2. Services of a Samba domain
      • 9.1.2.1. Authentication services
      • 9.1.2.2. File services
      • 9.1.2.3. Print services
      • 9.1.2.4. Univention S4 connector
      • 9.1.2.5. Replication of directory data
      • 9.1.2.6. Synchronization of the SYSVOL share
    • 9.1.3. Configuration and management of Windows desktops
      • 9.1.3.1. Group policies
        • Installation of Group Policy Management
        • Configuration of policies with Group Policy Management
        • Configuration of group policies in environments with more than one Samba domain controller
        • Administrative templates (ADMX/ADM)
        • Application of policies based on computer properties (WMI filters)
      • 9.1.3.2. Logon scripts / NETLOGON share
      • 9.1.3.3. Configuration of the file server for the home directory
      • 9.1.3.4. Roaming profiles
  • 9.2. Active Directory Connection
    • 9.2.1. UCS as a member of an Active Directory domain
    • 9.2.2. Setup of the UCS AD connector
      • 9.2.2.1. Basic configuration of the UCS AD Connector
      • 9.2.2.2. Importing the SSL certificate of the Active Directory
        • Exporting the certificate on Windows 2012 / 2016 / 2019 / 2022
        • Copying the Active Directory certificate to the UCS system
      • 9.2.2.3. Starting/Stopping the Active Directory Connection
      • 9.2.2.4. Functional test of basic settings
      • 9.2.2.5. Changing the AD access password
    • 9.2.3. Additional tools / Debugging connector problems
    • 9.2.4. Selective synchronization
      • 9.2.4.1. Allow only specific LDAP subtrees
      • 9.2.4.2. Allow only objects that match an LDAP filter
      • 9.2.4.3. Ignore objects from specific LDAP subtrees
      • 9.2.4.4. Ignore objects by LDAP filter
      • 9.2.4.5. Priority of allow and ignore rules
    • 9.2.5. Details on preconfigured synchronization
      • 9.2.5.1. Containers and organizational units
      • 9.2.5.2. Groups
        • Particularities
        • Custom mappings
      • 9.2.5.3. Users
  • 9.3. Migrating an Active Directory domain to UCS using Univention AD Takeover
    • 9.3.1. Preparation
    • 9.3.2. Domain migration
    • 9.3.3. Final steps of the takeover
    • 9.3.4. Tests
  • 9.4. Trust relationships
• 10. Identity Management connection to cloud services
  • 10.1. Microsoft 365 Connector
    • 10.1.1. Setup
    • 10.1.2. Configuration
      • 10.1.2.1. Users
      • 10.1.2.2. Groups
      • 10.1.2.3. Teams
    • 10.1.3. Synchronization of Users in multiple Azure Active Directories
    • 10.1.4. Troubleshooting/Debugging
  • 10.2. Google Apps for Work Connector
    • 10.2.1. Setup
    • 10.2.2. Configuration
    • 10.2.3. Troubleshooting/Debugging
• 11. IP and network management
  • 11.1. Network objects
  • 11.2. Administration of DNS data with BIND
    • 11.2.1. Configuration of the BIND name server
      • 11.2.1.1. Configuration of BIND debug output
      • 11.2.1.2. Configuration of the data backend
      • 11.2.1.3. Configuration of zone transfers
    • 11.2.2. Administration of DNS data via Univention Management Console module
      • 11.2.2.1. Forward lookup zone
        • DNS UMC module forward lookup - General tab
        • DNS UMC module forward lookup - Start of authority tab
        • DNS UMC module forward lookup - IP addresses tab
        • DNS UMC module forward lookup - MX records tab
        • DNS UMC module forward lookup - TXT records tab
      • 11.2.2.2. CNAME record (Alias records)
      • 11.2.2.3. A/AAAA records (host records)
      • 11.2.2.4. Service records
      • 11.2.2.5. Reverse lookup zone
        • DNS UMC module reverse lookup - General tab
        • DNS UMC module reverse lookup - Start of authority tab
      • 11.2.2.6. Pointer record
  • 11.3. IP assignment via DHCP
    • 11.3.1. Composition of the DHCP configuration via DHCP LDAP objects
      • 11.3.1.1. Administration of DHCP services
      • 11.3.1.2. Administration of DHCP server entries
      • 11.3.1.3. Administration of DHCP subnets
      • 11.3.1.4. Administration of DHCP pools
        • General tab
        • Advanced settings tab
      • 11.3.1.5. Registration of computers with DHCP computer objects
      • 11.3.1.6. Management of DHCP shared networks / DHCP shared subnets
    • 11.3.2. Configuration of clients via DHCP policies
      • 11.3.2.1. Setting the gateway
      • 11.3.2.2. Setting the DNS servers
      • 11.3.2.3. Setting the WINS server
      • 11.3.2.4. Configuration of the DHCP lease
      • 11.3.2.5. Configuration of boot server/PXE settings
      • 11.3.2.6. Further DHCP policies
  • 11.4. Packet filter with Univention Firewall
  • 11.5. Web proxy for caching and policy management / virus scan
    • 11.5.1. Installation
    • 11.5.2. Caching of web content
    • 11.5.3. Logging proxy accesses
    • 11.5.4. Restriction of access to permitted networks
    • 11.5.5. Configuration of the ports used
      • 11.5.5.1. Access port
      • 11.5.5.2. Permitted ports
    • 11.5.6. User authentication on the proxy
  • 11.6. RADIUS
    • 11.6.1. Installation
    • 11.6.2. Configuration
      • 11.6.2.1. Allowed users
      • 11.6.2.2. Service specific password
      • 11.6.2.3. MAC filtering
      • 11.6.2.4. MAC Authentication Bypass with computer objects
      • 11.6.2.5. Access point administration
      • 11.6.2.6. Access point and client configuration
      • 11.6.2.7. VLAN IDs
    • 11.6.3. Debugging
• 12. File share management
  • 12.1. Access rights to data in shares
  • 12.2. Management of shares via UMC module
    • 12.2.1. Shares UMC module - General tab
    • 12.2.2. Shares UMC module - NFS tab
      • 12.2.2.1. Shares UMC module - NFS group
      • 12.2.2.2. Shares UMC module - NFS custom settings group
    • 12.2.3. Shares UMC module - Samba tab
      • 12.2.3.1. Shares UMC module - Samba group
      • 12.2.3.2. Shares UMC module - Samba permissions group
      • 12.2.3.3. Shares UMC module - Samba extended permissions group
      • 12.2.3.4. Shares UMC module - Samba options group
      • 12.2.3.5. Shares UMC module - Samba custom settings group
    • 12.2.4. Shares UMC module - Options tab
  • 12.3. Support for MSDFS
  • 12.4. Configuration of file system quota
    • 12.4.1. Activating file system quota
    • 12.4.2. Configuring file system quota
    • 12.4.3. Evaluation of quota during login
    • 12.4.4. Querying the quota status by administrators or users
• 13. Print services
  • 13.1. Installing a print server
  • 13.2. Setting the local configuration properties of a print server
  • 13.3. Creating a printer share
    • 13.3.1. Printers UMC module - General tab
    • 13.3.2. Printers UMC module - Access control tab
  • 13.4. Creating a printer group
  • 13.5. Administration of print jobs and print queues
  • 13.6. Generating PDF documents from print jobs
  • 13.7. Mounting of print shares in Windows clients
  • 13.8. Integrating additional PPD files
• 14. Mail services
  • 14.1. Installation
  • 14.2. Management of the mail server data
    • 14.2.1. Management of mail domains
    • 14.2.2. Assignment of email addresses to users
    • 14.2.3. Management of mailing lists
    • 14.2.4. Management of mail groups
    • 14.2.5. Management of shared IMAP folders
      • 14.2.5.1. Shared IMAP folder - General tab
      • 14.2.5.2. Shared IMAP folder - Access rights tab
    • 14.2.6. Mail quota
  • 14.3. Spam detection and filtering
  • 14.4. Identification of viruses and malware
  • 14.5. Identification of Spam sources with DNS-based Blackhole Lists
  • 14.6. Integration of Fetchmail for retrieving mail from external mailboxes
  • 14.7. Configuration of the mail server
    • 14.7.1. Configuration of a relay host for sending the emails
    • 14.7.2. Configuration of the maximum mail size
    • 14.7.3. Configuration of a blind carbon copy for mail archiving solutions
    • 14.7.4. Configuration of soft bounces
    • 14.7.5. Configuration of SMTP ports
    • 14.7.6. Configuration of additional checks
    • 14.7.7. Custom Postfix configuration
    • 14.7.8. Configuring the alias expansion limit
    • 14.7.9. Handling of mailboxes during email changes and the deletion of user accounts
    • 14.7.10. Distribution of an installation on several mail servers
    • 14.7.11. Mail storage on NFS
    • 14.7.12. Connection limits
  • 14.8. Configuration of mail clients for the mail server
  • 14.9. OX Connector
• 15. Infrastructure monitoring
  • 15.1. UCS Dashboard
    • 15.1.1. Installation
    • 15.1.2. Usage
      • 15.1.2.1. Domain dashboard
      • 15.1.2.2. Server dashboard
      • 15.1.2.3. Alert dashboard
      • 15.1.2.4. Own dashboards
  • 15.2. Monitoring
    • 15.2.1. Installation
    • 15.2.2. Preconfigured monitoring checks
    • 15.2.3. Configuration
      • 15.2.3.1. Configure monitoring alerts
      • 15.2.3.2. Assign monitoring alerts to computers
      • 15.2.3.3. Create new alerts
  • 15.3. Nagios
    • 15.3.1. Installation
    • 15.3.2. Preconfigured Nagios checks
• 16. Appendix
  • 16.1. Univention Configuration Registry Variables
  • 16.2. Bibliography
  • 16.3. Indices