6.10. Recycle Bin
Added in version 5.2-3-erratum-298: Since UCS 5.2 erratum 298, UCS supports a Recycle Bin feature for user and group objects in UDM.
The Recycle Bin is a feature in UDM that provides a way to temporarily store deleted directory objects. The Recycle Bin allows administrators who accidentally removed UDM objects to restore these objects to their original state.
When activated through a Recycle Bin policy, UDM moves deleted objects to the Recycle Bin container before it removes them from the LDAP directory. UDM preserves the original object data along with metadata about the deletion. You can view all existing entries in the Recycle Bin within UMC, UDM, and the UDM HTTP REST API. You can restore these entries to their original state before the deletion. UDM purges entries in the Recycle Bin after a configurable retention time.
This section describes how to activate, define a policy for, and manage the Recycle Bin. It also provides information about automatic purge of entries, configuration, and logging.
6.10.1. Limitations
The implementation of the Recycle Bin has the following technical limitations:
- The Recycle Bin only supports the UDM types users/user and groups/group.
- Restoring objects in a setup with the AD Connector and S4 Connector isn't implemented.
- The Recycle Bin is only available for Nubus for UCS.
6.10.2. Activate Recycle Bin
To activate the Recycle Bin, set the Univention Configuration Registry Variable listener/module/recyclebin/deactivate to false on the Primary Directory Node and all Backup Directory Nodes. Then, restart the Directory Listener on the Primary Directory Node with the command in Listing 6.1.
$ systemctl restart univention-directory-listener
6.10.3. Recycle Bin policy
Administrators can configure the Recycle Bin with one or more Recycle Bin policies, see Policies.
After you create a Recycle Bin policy and link it to a container object in the LDAP directory, the Recycle Bin configuration applies to all objects within the container. Before removing an object, UDM checks if such a policy applies and moves the object to the Recycle Bin.
The Recycle Bin policy has the following configuration properties:
- Recycle Bin enabled
Defines whether the Recycle Bin is active for objects. Even if a container has a linked Recycle Bin policy, you can deactivate it.
- UDM modules to recycle
Defines a list of UDM module types that the Recycle Bin policy applies to, such as users/user or groups/group.
- Ignored object classes
Defines a list of LDAP object classes that are exceptions for the Recycle Bin. If an administrator deletes an object and the object matches any of these object classes, UDM doesn’t move the object to the Recycle Bin container.
- Retention days
Defines the retention time in days that UDM keeps objects in the Recycle Bin before permanently removing them. You need to ensure that the value of the retention time is between the values of the ldap/database/internal/overlay/dds/min-ttl and the ldap/database/internal/overlay/dds/max-ttl Univention Configuration Registry Variables. You set both variables on the Primary Directory Node.
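The retention time of a policy is stored in days, while the DDS overlay bounds are stored in seconds, so a mismatch is easy to overlook. The following shell function is an added example, not part of the UCS manual or the Univention tooling: it converts the retention days to seconds and checks them against the min-ttl and max-ttl bounds, which on a Primary Directory Node you would read with the real ucr get command (the sample values below are constructed and mirror the documented defaults).

```shell
# Added example (not from the UCS manual): verify that a Recycle Bin policy's
# "Retention days" value, converted to seconds, lies within the DDS overlay
# TTL bounds. The bounds are passed as arguments so the function also runs
# outside a UCS system; on a Primary Directory Node they come from UCR.
#
# Usage: check_retention <retention_days> <min_ttl_seconds> <max_ttl_seconds>
# Returns 0 if the retention fits, 1 if it is out of bounds, 2 on bad input.
check_retention() {
    days=$1
    min_ttl=$2
    max_ttl=$3
    # Reject empty or non-numeric arguments before doing any arithmetic.
    for v in "$days" "$min_ttl" "$max_ttl"; do
        case "$v" in
            ""|*[!0-9]*)
                echo "check_retention: arguments must be non-negative integers" >&2
                return 2 ;;
        esac
    done
    ttl=$((days * 86400))   # retention days expressed in seconds
    if [ "$ttl" -lt "$min_ttl" ]; then
        echo "retention of $days day(s) = $ttl s is below min-ttl ($min_ttl s)" >&2
        return 1
    fi
    if [ "$ttl" -gt "$max_ttl" ]; then
        echo "retention of $days day(s) = $ttl s exceeds max-ttl ($max_ttl s)" >&2
        return 1
    fi
    echo "retention of $days day(s) = $ttl s is within [$min_ttl s, $max_ttl s]"
    return 0
}

# Constructed values mirroring the documented defaults (86400 s and 31536000 s).
check_retention 30 86400 31536000

# On a UCS Primary Directory Node the bounds would be read from UCR instead:
#   check_retention 30 "$(ucr get ldap/database/internal/overlay/dds/min-ttl)" \
#                      "$(ucr get ldap/database/internal/overlay/dds/max-ttl)"
```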
6.10.4. Manage objects in the Recycle Bin
Administrators can manage entries in the Recycle Bin with the UMC module Recycle Bin, or with the command line tool udm and the UDM module recyclebin/removedobject.
You have the following actions available:
- List or view all existing entries in the Recycle Bin.
- Delete objects permanently.
- Restore objects.
Restoring objects from the Recycle Bin adds them to the LDAP database in the object state that they had before the deletion. For example, this includes passwords and group memberships for user objects.
6.10.5. Automatic purge of entries in the Recycle Bin
UDM creates entries in the Recycle Bin if an administrator removes a UDM object and the Recycle Bin policy applies to it.
The policy also defines a retention time, see Retention days. The Recycle Bin entry inherits this retention time from its policy as a time-to-live property.
UDM automatically purges Recycle Bin entries that reach their time-to-live retention time.
You can no longer restore purged entries.
In Nubus, the feature Dynamic Directory Services of the OpenLDAP server takes care of the cleanup.
6.10.6. Configuration through UCR
The following reference shows the available settings for the Recycle Bin. You need to change these settings on the Primary Directory Node.
- listener/module/recyclebin/deactivate
Controls whether the Recycle Bin is active. The default value is true. To activate the Recycle Bin, see Activate Recycle Bin.
- ldap/database/internal/overlay/dds/min-ttl
Defines the minimum time to live (TTL) in seconds for entries in the Recycle Bin. Default is 86400 seconds, so one day.
After you change the value, you need to restart the LDAP server, see Listing 6.2.
- ldap/database/internal/overlay/dds/max-ttl
Defines the maximum time to live (TTL) in seconds for entries in the Recycle Bin. Default is 31536000 seconds, so 365 days.
After you change the value, you need to restart the LDAP server, see Listing 6.2.
Important
To restart the LDAP service, use the following steps:
1. Validate that the UCS domain meets the following conditions:
- No mass import of user data is in progress, for example through UCS@school, or connector initialization with the AD Connector or the S4 Connector.
- No UCS system is joining the domain.
- No system or app upgrades are running.
- Listeners and connectors are idle.
2. Restart the LDAP server on the Primary Directory Node with the command in Listing 6.2.
$ systemctl restart slapd
6.10.7. Logging information
The following files contain information about the creation of entries in the Recycle Bin and the restoration process.
- /var/log/univention/listener.log on the Primary Directory Node
Contains log information about creating entries in the Recycle Bin.
- /var/log/univention/management-console-module-udm.log
Contains log information about the restoration of objects with UMC.
- /var/log/univention/directory-manager-rest.log
Contains log information about the restoration of objects with the UDM HTTP REST API.