3. Domain services / LDAP directory
Univention Corporate Server offers a cross-platform domain concept with a common trust context between Linux and/or Windows systems. Within this domain a user is known to all systems via the username and password stored in the UCS Management System and can use all services which they are authorized to use. The management system keeps the account synchronized for the Windows login, Linux/POSIX systems and Kerberos. The management of user accounts is described in User management.
All UCS and Windows systems within a UCS domain have a host domain account. This allows system-to-system authentication. Domain joining is described in Joining domains.
The certificate authority (CA) of the UCS domain is operated on the Primary Directory Node. An SSL certificate is generated there for every system that has joined the domain. Further information can be found in SSL certificate management.
Every computer system which is a member of a UCS domain has a system role. This system role represents different permissions and restrictions, which are described in UCS system roles.
All domain-wide settings are stored in a directory service based on OpenLDAP. LDAP directory describes how to extend the managed attributes with LDAP schema extensions, how to set up an audit-compliant logging of LDAP changes and how to define access permissions to the LDAP directory.
Replication of the directory data within a UCS domain occurs via the Univention Directory Listener / Notifier mechanism. Further information can be found in Listener/notifier domain replication.
Kerberos is an authentication framework whose purpose is to allow secure identification over the potentially insecure connections of decentralized networks. Every UCS domain operates its own Kerberos trust context (realm). Further information can be found in Kerberos.
Chapter contents:
- 3.1. Joining domains
- 3.2. UCS system roles
- 3.3. LDAP directory
  - 3.3.1. LDAP schemas
  - 3.3.2. Audit-proof logging of LDAP changes
  - 3.3.3. Timeout for inactive LDAP connections
  - 3.3.4. LDAP command line tools
  - 3.3.5. Access control for the LDAP directory
  - 3.3.6. Name Service Switch / LDAP NSS module
  - 3.3.7. Configuration of the directory service when using Samba/AD
  - 3.3.8. Daily backup of LDAP data
- 3.4. Listener/notifier domain replication
- 3.5. SSL certificate management
- 3.6. Kerberos
- 3.7. Password hashes in the directory service
- 3.8. Single sign-on
- 3.9. Converting a Backup Directory Node backup to the new Primary Directory Node
- 3.10. Fault-tolerant domain setup
- 3.11. Protocol of activities in the domain