3. Domain services / LDAP directory

Univention Corporate Server offers a cross platform domain concept with a common trust context between Linux and/or Windows systems. Within this domain a user is known to all systems via their username and password stored in the UCS Management System and can use all services which are authorized for them. The management system keeps the account synchronized for the windows login, Linux/POSIX systems and Kerberos. The management of user accounts is described in User management.

All UCS and Windows systems within a UCS domain have a host domain account. This allows system-to-system authentication. Domain joining is described in Joining domains.

The certificate authority (CA) of the UCS domain is operated on the Primary Directory Node. A SSL certificate is generated there for every system that has joined the domain. Further information can be found in SSL certificate management.

Every computer system which is a member of a UCS domain has a system role. This system role represents different permissions and restrictions, which are described in UCS system roles.

All domain-wide settings are stored in a directory service on the basis of OpenLDAP. LDAP directory describes how to expand the managed attributes with LDAP scheme expansions, how to set up an audit-compliant LDAP documentation system and how to define access permissions to the LDAP directory.

Replication of the directory data within a UCS domain occurs via the Univention Directory Listener / Notifier mechanism. Further information can be found in Listener/notifier domain replication.

Kerberos is an authentication framework the purpose of which is to permit secure identification in the potentially insecure connections of decentralized networks. Every UCS domain operates its own Kerberos trust context (realm). Further information can be found in Kerberos.

Chapter contents:

• 3.1. Joining domains
  • 3.1.1. How UCS systems join domains
    • 3.1.1.1. Subsequent domain joins with univention-join
    • 3.1.1.2. Joining domains via Univention Management Console module
    • 3.1.1.3. Join scripts / Unjoin scripts
      • Subsequent running of join scripts
  • 3.1.2. Windows domain joins
    • 3.1.2.1. Windows 11
    • 3.1.2.2. Windows 10
    • 3.1.2.3. Windows Server 2012 / 2016 / 2019
  • 3.1.3. Ubuntu domain joins
  • 3.1.4. macOS domain joins
    • 3.1.4.1. Domain join using the system preferences GUI
    • 3.1.4.2. Domain join on the command line
• 3.2. UCS system roles
  • 3.2.1. Primary Directory Node
  • 3.2.2. Backup Directory Node
  • 3.2.3. Replica Directory Node
  • 3.2.4. Managed Node
  • 3.2.5. Ubuntu
  • 3.2.6. Linux
  • 3.2.7. macOS
  • 3.2.8. Domain Trust Account
  • 3.2.9. IP client
  • 3.2.10. Windows Domaincontroller
  • 3.2.11. Windows Workstation/Server
• 3.3. LDAP directory
  • 3.3.1. LDAP schemas
    • 3.3.1.1. LDAP schema extensions
    • 3.3.1.2. LDAP schema replication
  • 3.3.2. Audit-proof logging of LDAP changes
  • 3.3.3. Timeout for inactive LDAP connections
  • 3.3.4. LDAP command line tools
  • 3.3.5. Access control for the LDAP directory
    • 3.3.5.1. Delegation of the privilege to reset user passwords
  • 3.3.6. Name Service Switch / LDAP NSS module
  • 3.3.7. Syncrepl for synchronization with non-UCS OpenLDAP servers
  • 3.3.8. Configuration of the directory service when using Samba/AD
  • 3.3.9. Daily backup of LDAP data
• 3.4. Listener/notifier domain replication
  • 3.4.1. Listener/notifier replication workflow
  • 3.4.2. Analysis of listener/notifier problems
    • 3.4.2.1. Log files/debug level of replication
    • 3.4.2.2. Identification of replication problems
    • 3.4.2.3. Reinitialization of listener modules
• 3.5. SSL certificate management
• 3.6. Kerberos
  • 3.6.1. KDC selection
  • 3.6.2. Kerberos admin server
• 3.7. Password hashes in the directory service
• 3.8. SAML identity provider
  • 3.8.1. Login via single sign-on
  • 3.8.2. Adding a new external service provider
  • 3.8.3. Extended Configuration
• 3.9. OpenID Connect Provider
• 3.10. Converting a Backup Directory Node backup to the new Primary Directory Node
• 3.11. Fault-tolerant domain setup
• 3.12. Protocol of activities in the domain