Version 1.20.x

Release notes for Nubus for Kubernetes 1.20.x:

Version 1.20.0 - 2026-05-22

This is the thirtieth production release of Nubus for Kubernetes.

Upgrade path

For the upgrade to version 1.20.0, your deployment must run on version 1.19.x. For the general steps to upgrade an existing Nubus for Kubernetes deployment, see Upgrade in Univention Nubus for Kubernetes - Operation Manual [1].

Release highlights

Nubus metrics

The UDM HTTP REST API includes a new metrics endpoint. Operators can retrieve basic Nubus metrics, including the number of users, the software version, and the license status. Operators can use these metrics in standard tools such as Prometheus and Grafana to improve observability.

Technical details for UDM objects in the Management UI

The Management UI includes a new section with technical details for objects in Univention Directory Manager (UDM). Administrators can view and search technical identifiers and view creation and modification timestamps for all objects.

LDAP server storage configuration

Operators can configure LDAP server deployments to use different storage configurations for the LDAP database and runtime volumes. Moving runtime data to smaller, lower-cost storage can reduce storage costs.

Structured logging

Version 1.20.0 is the last release that uses “old-style” plain logging as the default. Nubus for Kubernetes 1.21 changes the default to structured logging. To keep plain logging in your deployment, Univention recommends setting all structured-logging configuration options to false. Univention will mark “old-style” plain logging as deprecated and remove it in a future release. For details, see Logging in Univention Nubus for Kubernetes - Operation Manual [1].

Migration steps

This section lists necessary migration steps that can apply to your deployment. Complete the relevant steps before you upgrade.

  1. Refactor the LDAP server persistence values to support granular PVC configuration. Operators who customize any of the following Helm Chart values need to migrate their values to the new structure.

    LDAP Server

Changes

The following changes are organized by Nubus for Kubernetes component.

LDAP server

The LDAP server Helm Chart now lets you configure storage independently for the LDAP database and the slapd runtime state. Previously, both shared the same PersistentVolumeClaim (PVC) settings. This could require operators to use high-performance storage for transient runtime files.

You can now assign separate storage classes to the two volumes:

shared-data

Holds the LDAP database and requires a storage class that provides the performance, data consistency, and reliability guarantees required for a database backend. Configure it through nubusLdapServer.persistence.volumes.sharedData.*.

shared-run

Holds transient slapd runtime state, such as the socket and PID file, which the LDAP Notifier requires. This volume can be small and doesn’t require high-performance storage, so operators can assign it to a lower-cost storage class. Configure it through nubusLdapServer.persistence.volumes.sharedRun.*.

The nubusLdapServer.persistence.enabled flag controls only the shared-data volume. The shared-run volume is always provisioned as a PVC regardless of this setting, because the LDAP Server must share the slapd socket with the LDAP Notifier.
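As an added illustration, not taken from the Nubus documentation or the Helm Chart itself, the following values fragment places the two volumes on different storage classes. The sub-keys storageClass and size and the class names fast-ssd and standard are assumptions for this example; check the chart's values.yaml for the actual keys under nubusLdapServer.persistence.volumes.*.

```yaml
nubusLdapServer:
  persistence:
    # Controls only the shared-data volume. The shared-run PVC is provisioned
    # regardless, because slapd's socket must be shared with the LDAP Notifier.
    enabled: true
    volumes:
      sharedData:
        # LDAP database: needs a class with database-grade performance,
        # consistency and durability.
        # Sub-key names and class names are assumptions for this example.
        storageClass: fast-ssd
        size: 20Gi
      sharedRun:
        # Transient slapd runtime state (socket, PID file): small and
        # non-critical, so a lower-cost class is sufficient.
        storageClass: standard
        size: 1Gi
```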

For the required value migration, see Migration steps.

UMC server

This release fixes a file descriptor leak that occurred during PAM authentication through SSSD.

In affected versions, each authentication attempt could leave an open Unix domain socket to the SSSD PAM service. Over time, this caused the number of open file descriptors in the UMC server process to grow linearly with the total number of logins, not with the number of concurrent sessions.

After the process reached the system limit, further authentication attempts failed with the message:

OSError: [Errno 24] Too many open files

Shared PAM handles across multiple threads caused the issue. They prevented proper cleanup of SSSD client sockets.

Operators don’t need to take action. Before this fix, affected systems might have required periodic service restarts to recover.

Included errata updates

The errata updates contain fixes for CVEs in the following packages:

Genshi
apache2-bin
axios
bcpkix-jdk18on
bcprov-jdk18on
brace-expansion
dompurify
follow-redirects
future
gson
iputils-ping
js-yaml
jwcrypto
keycloak-js
keycloak-model-storage-services
keycloak-quarkus-server
keycloak-services
kotlin-stdlib
libasound2
libasound2-data
libavahi-client3
libavahi-common-data
libavahi-common3
libc-ares2
libc-bin
libc-dev-bin
libc-l10n
libc6
libc6-dev
libcups2
libfreetype6
libgnutls30
liblcms2-2
libnfsidmap1
libnss-sss
libnss-sudo
libnss3
libpam-sss
libpng16-16
libssl3
libsss-certmap0
libsss-idmap0
libsss-nss-idmap0
libsss-sudo
libtiff6
locales
lodash
lodash-es
loguru
netty-codec
netty-codec-dns
netty-codec-http
netty-codec-http2
netty-handler-proxy
netty-transport-native-epoll
nginx
nginx-common
openjdk-17-jre-headless
openssh-client
openssl
opentelemetry-api
poetry
postgresql
prismjs
python-ldap
python3-ldap
python3-sss
python3-tornado
quarkus-vertx-http
sssd-common
sssd-krb5-common
sssd-ldap
tornado
vertx-core