3.3. LDAP directory#
Univention Corporate Server saves domain-wide data in a LDAP directory service based on OpenLDAP. This chapter describes the advanced configuration and coordination of OpenLDAP.
Often several LDAP servers are operated in a UCS domain. The configuration of the server(s) used is described in Configuration of the LDAP server in use.
3.3.1. LDAP schemas#
Schema definitions specify which object classes exist and which attributes they include, i.e., which data can be stored in a directory service. Schema definitions are saved as text files and included in the OpenLDAP server’s configuration file.
UCS uses standard schemas where possible in order to allow interoperability with other LDAP applications. Schema extensions are supplied for Univention-specific attributes - such as for the policy mechanism.
18.104.22.168. LDAP schema extensions#
To keep the efforts required for small extensions in LDAP as low as possible,
Univention Corporate Server provides its own LDAP scheme for customer extensions. The LDAP object
univentionFreeAttributes can be used for extended attributes without
restrictions. It offers 20 freely usable attributes
univentionFreeAttribute20) and can be used
in connection with any LDAP object (e.g., a user object).
If LDAP schema extensions are to be delivered as part of software packages, there is also the possibility of packaging them and distributing them to all the Backup Directory Node servers in the domain using a Univention Directory Listener module. Further information is available in Packaging LDAP Schema Extensions.
22.214.171.124. LDAP schema replication#
The replication of the LDAP schemas is also automated via the listener/notifier mechanism (see Listener/notifier domain replication). This relieves the administrator of the need to perform all schema updates manually on all the OpenLDAP servers in the domain. Performing the schema replication before the replication of LDAP objects guarantees that this doesn’t fail as a result of missing object classes or attributes.
On the Primary Directory Node, a checksum for all the directories with schema
definitions is performed when the OpenLDAP server is started. This checksum is
compared with the last saved checksum in the
The actual replication of the schema definitions is initiated by the Univention Directory Listener. Prior to every request from the Univention Directory Notifier for a new transaction ID, its current schema ID is requested. If this is higher than the schema ID on the listener side, the currently used sub-schema is procured from the notifier system’s LDAP server via an LDAP search.
The output sub-schema is included on the listener system in LDIF format in the
/var/lib/univention-ldap/schema.conf file and the local OpenLDAP server
restarted. If the schema replication is completed with this step, the
replication of the LDAP objects is continued.
3.3.2. Audit-proof logging of LDAP changes#
The univention-directory-logger package allows the logging of all changes in the LDAP directory service. As each data record contains the hash value of the previous data record, manipulations of the log file - such as deleted entries - can be uncovered.
Individual areas of the directory service can be excluded from the logging.
These branches can be configured using the Univention Configuration Registry variables
ldap/logging/excludeN, etc. As standard, the
container is excluded in which the temporary objects are stored
cn=temporary,cn=univention). The LDAP changes are logged by a Univention Directory Listener
module. The Univention Directory Listener service must be restarted if changes are made to the
Univention Configuration Registry variables.
The logging is made in the
/var/log/univention/directory-logger.log file in the following format:
START Old Hash: Hash sum of the previous data record DN: DN of the LDAP object ID: Listener/notifier transaction ID Modifier: DN of the modifying account Timestamp: Time stamp in format dd.mm.yyyy hh:mm:ss Action: add, modify or delete Old Values: List of old attributes, empty when an object is added New Values: List of new attributes, empty when an object is deleted END
A hash sum is calculated for each logged data record and also logged in the
daemon.info section of the syslog service.
As of UCS 4.4 erratum 536 the respective transaction ID of the entry is
added to the file
/var/log/univention/directory-logger.log before each
line as a prefix:
ID 342: START ID 342: Old Hash: 70069d51a7e2e168d7c7defd19349985 ID 342: DN: uid=Administrator,cn=users,dc=example,dc=com ID 342: ID: 342 ID 342: Modifier: cn=admin,dc=example,dc=com ID 342: Timestamp: 15.04.2020 09:20:40 ID 342: Action: modify ID 342: ID 342: Old values: ID 342: description: This is a description test ID 342: entryCSN: 20200415091936.317108Z#000000#000#000000 ID 342: modifyTimestamp: 20200415091936Z ID 342: ID 342: New values: ID 342: description: This is a description test ID 342: entryCSN: 20200415092040.430976Z#000000#000#000000 ID 342: modifyTimestamp: 20200415092040Z ID 342: END
If univention-directory-logger was installed before this UCS version,
the old behavior (no prefix) is retained by default. By setting the Univention Configuration Registry Variable
yes the new behavior can be activated.
This prefix simplifies the correlation of related lines when post-processing the
sign in analysis and monitoring software.
3.3.3. Timeout for inactive LDAP connections#
The Univention Configuration Registry Variable
ldap/idletimeout is used to configure a time period in
seconds after which the LDAP connection is cut off on the server side. When the
value is set to
0, no expiry period is in use. The timeout period has been set
at six minutes as standard.
3.3.4. LDAP command line tools#
In addition to the UMC web interface, there are also a range of programs with which one can access the LDAP directory from the command line.
The univention-ldapsearch tool simplifies the authenticated search in the LDAP directory. A search filter needs to be specified as an argument; in the following example, the administrator is searched for using the user ID:
$ univention-ldapsearch uid=Administrator
The slapcat command makes it possible to save the current LDAP data in a text file in LDIF format, e.g.:
$ slapcat > ldapdata.txt
3.3.5. Access control for the LDAP directory#
Access to the information contained in the LDAP directory is controlled by
Access Control Lists (ACLs) on the server side. The ACLs are defined in the
central configuration file
/etc/ldap/slapd.conf and managed using
Univention Configuration Registry.
slapd.conf is managed using a multifile template; further ACL
elements can be added below
/etc/univention/templates/files/etc/ldap/slapd.conf.d/ between the
70univention-ldap-server_acl-master-end files or the existing templates
If LDAP ACL extensions are to be delivered as part of software packages, there is also the possibility of packaging them and distributing them to all the LDAP servers in the domain using a Univention Directory Listener module. Further information is available in Packaging LDAP ACL Extensions.
The default setting of the LDAP server after new installations with UCS
does not allow anonymous access to the LDAP directory. This behavior is
configured with the Univention Configuration Registry Variable
Individual IP addresses can be granted anonymous read permissions via
Univention Configuration Registry Variable
Following successful authentication on the LDAP server, all attributes of a user account can be read out by this user.
In addition, an extra, internal account, the root DN, also has full write access.
In addition, UCS offers a number of further ACLs installed as standard
which suppress access to sensitive files (e.g., the user password) and
establish rules which are necessary for operation (e.g., necessary
accesses to computer accounts for log-ins). The read and write access to
this sensitive information if only intended for members of the
Domain Admins group.
Nested groups are also supported. The Univention Configuration Registry Variable
can be used to deactivate the nested groups function for LDAP ACLs, which will
result in a speed increase for directory requests.
126.96.36.199. Delegation of the privilege to reset user passwords#
To facilitate the delegation of the privilege to reset user passwords, the
univention-admingrp-user-passwordreset package can be installed. It
uses a join script to create the
User Password Admins user group, in so far
as this does not already exist.
Members of this group receive the permission via additional LDAP ACLs to reset
the passwords of other users. These LDAP ACLs are activated automatically during
the package installation. To use another group, or a group that already exists,
instead of the
User Password Admins group, the DN of the group to be used
can be entered in the Univention Configuration Registry Variable
ldap/acl/user/passwordreset/accesslist/groups/dn. The LDAP server must
be restarted after making changes.
Passwords can be reset via the UMC module Users. By default the
module is only accessible to the
Administrator user. During the installation
default-user-password-admins policy is created automatically, which is
linked to the members of the
User Password Admins group and can be assigned
to a corresponding container in the LDAP directory. Further information on the
configuration of UMC policies can be found in Delegated administration for UMC modules.
The policy makes it possible to search for users and create an overview of all the attributes of a user object. If an attempt is made to modify further attributes in addition to the password when the user does not have sufficient access rights to the LDAP directory, Univention Directory Manager denies them write access with the message Permission denied.
The package should be installed on the Primary Directory Node and the Backup Directory Nodes. During the installation, the LDAP server is restarted and is thus temporarily unavailable.
Password resets via the password group can be prevented for sensitive users or
groups (e.g., domain administrators). The Univention Configuration Registry variables
ldap/acl/user/passwordreset/protected/gid can be used to configure
users and groups. Multiple values must be separated by commas. After changes to
the variables, it is necessary to restart the LDAP server using the
systemctl restart slapd command. By default the members of the
Domain Admins group are protected against having theirs password changed.
If access to additional LDAP attributes should be necessary for changing the
password, the attribute names can be expanded in Univention Configuration Registry Variable
ldap/acl/user/passwordreset/attributes. After the change, the LDAP
directory service must be restarted for the change to take effect. This variable
is already set appropriately for a UCS standard installation.
3.3.6. Name Service Switch / LDAP NSS module#
With the Name Service Switch, the GNU C standard library (glibc) used in Univention Corporate Server offers a modular interface for resolving the names of users, groups and hosts.
The LDAP NSS module is used on UCS systems for access to the domain data
(e.g., users) as standard. The module queries the LDAP server specified
in the Univention Configuration Registry Variable
ldap/server/name (and if necessary the
What measures should be taken if the LDAP server cannot be reached can be
specified by the Univention Configuration Registry Variable
nssldap/bindpolicy. As standard, if the
server cannot be reached, a new connection attempt is made. If the variable is
soft, then no new attempt is made to connect. This can considerably
accelerate the boot of a system if the LDAP server cannot be reached, e.g., in
an isolated test environment.
3.3.7. Syncrepl for synchronization with non-UCS OpenLDAP servers#
The syncrepl replication service can also be activated parallel to the notifier service for the synchronization of OpenLDAP servers not installed on UCS systems. Syncrepl is a component of OpenLDAP, monitors changes in the local directory service and transmits them to other OpenLDAP servers.
3.3.8. Configuration of the directory service when using Samba/AD#
As standard, the OpenLDAP server is configured in such a way that it also
accepts requests from ports
7636 in addition to the standard
If Samba/AD is used, the Samba/AD domain controller service occupies the ports
636. In this case, OpenLDAP is automatically reconfigured so
that only ports
7636 are used. This must be taken into account
during the configuration of syncrepl in particular (see
Syncrepl for synchronization with non-UCS OpenLDAP servers). univention-ldapsearch uses the
standard port automatically.
3.3.9. Daily backup of LDAP data#
The content of the LDAP directory is backed up daily on the Primary Directory Node and all Backup Directory Node systems via a Cron job. If Samba 4 is used, its data directory is also backed up.
The LDAP data are stored in the
/var/univention-backup/ directory in the
ldap-backup_DATE.ldif.gz in LDIF
format. They can only be read by the
root user. The Samba 4 files are stored in
The Univention Configuration Registry Variable
backup/clean/max_age can be used to define how long old
backup files are kept (e.g.
backup/clean/max_age=365, all files older than
365 days are automatically deleted). For new installations (from UCS 4.4-7
on) the default for this variable is
365 (days). If the variable is not set,
no backup files are deleted.