8.1. Blocklists module

Deployment — Kubernetes & UCS appliance

The blocklist management module appears in both deployments.

Blocklists is a management module that allows you to configure block lists for UDM properties. You find the module in the Domain category of the Management UI.

When an administrator or a program modifies or removes a UDM property on a UDM object, UDM automatically adds an entry for this property and its value to the block list. The entry prevents any other UDM object from using the same value for that UDM property. Block lists operate on the UDM level.

For example, you want to prevent Nubus from reusing values of the UDM property mailPrimaryAddress of UDM user objects. You configure a block list for the UDM property mailPrimaryAddress. If you then remove the value chef@example.com for the UDM property mailPrimaryAddress from a UDM user object, the UDM block list creates an entry for that value. If you change the value from james@example.com to john@example.com for the UDM property mailPrimaryAddress, the UDM block list creates another entry for james@example.com. In this example, UDM block lists prevent reuse of the values chef@example.com and james@example.com. You can’t use them on other UDM user objects for the UDM property mailPrimaryAddress.

8.1.1. Activate block lists

Before you can use Blocklists, you need to activate them.

The UCS systems, where you manage UDM objects, must at least be at version UCS 5.0 erratum 974 or UCS 5.2-0.

To activate block lists, set the UCR variable directory/manager/blocklist/enabled to the value true on all UCS systems where you manage UDM objects.

By default, Nubus for Kubernetes has block lists activated.

8.1.2. Configure block lists

You can create, list, and remove block list entries in the Blocklists management module in the Management UI.

On every block list you need to define the following properties:

Name

Defines a human-readable name for the block list for later identification.

Retention time

Defines the retention time for entries in this block list. The retention time is the period after which UDM automatically removes an entry from the block list. For example, 1m 20d results in one month and twenty days.

Properties to block

Defines the UDM modules and their properties that the block list prevents from reuse.

8.1.3. Manage block list entries

You can manage block list entries in the Blocklists management module.

With block lists activated, UDM automatically creates entries in the configured block list when you remove a value from a UDM property of a UDM object. UDM automatically deletes expired entries from the block list.

Every block list entry has the following properties:

Value

A SHA-256 hash represents the value that the block list is blocking from reuse. The UDM property value is a clear text value. Before UDM creates the block list entry, it converts the value to lowercase text. All uppercase and lowercase variants of the value then match the block list entry when validated by UDM.

Blocked until

The timestamp when the block list entry expires. It uses the LDAP GeneralizedTime syntax.

When UDM creates a block list entry, it takes the current date and time, adds the configured retention time of the corresponding block list and writes the result to Blocked until.

Changing the retention time of the block list doesn’t update the Blocked until property of the block list entry.

Origin ID

The ID of the UDM object that caused the block list entry. You can still use the value of the block list entry on this UDM object.
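The entry properties described above, as an added illustration that is not Nubus or UDM code: it lowercases the value before hashing, derives Blocked until from the current time plus a retention time such as 1m 20d, and checks a candidate value against live entries while still allowing the origin object. The UTF-8 encoding, the unsalted hex digest, the calendar-month interpretation of "m", and the function names are assumptions of this example.

```python
import calendar
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Hypothetical retention parser for strings like "1m 20d" (months, days).
# Assumption: only the units m and d exist; anything else is rejected.
_RETENTION_RE = re.compile(r"^\s*(?:(\d+)m)?\s*(?:(\d+)d)?\s*$")
_GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # fixed-width UTC form, sorts lexicographically


def parse_retention(text):
    match = _RETENTION_RE.match(text)
    if not text.strip() or not match:
        raise ValueError(f"unsupported retention time: {text!r}")
    return int(match.group(1) or 0), int(match.group(2) or 0)


def add_months(moment, months):
    """Advance by whole calendar months, clamping the day (Jan 31 + 1m -> Feb 28/29)."""
    total = moment.month - 1 + months
    year, month = moment.year + total // 12, total % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def hash_value(value):
    """Lowercase first, so every case variant maps to the same SHA-256 hex digest."""
    return hashlib.sha256(value.lower().encode("utf-8")).hexdigest()


def blocked_until(now, retention):
    """Blocked until = now + retention, rendered as GeneralizedTime."""
    months, days = parse_retention(retention)
    expiry = add_months(now, months) + timedelta(days=days)
    return expiry.strftime(_GENERALIZED_TIME)


def create_entry(value, origin_id, retention, now):
    return {"value": hash_value(value),
            "blocked_until": blocked_until(now, retention),
            "origin_id": origin_id}


def is_blocked(entries, candidate, object_id, now):
    """Blocked when an unexpired entry matches the hash and the object is not the origin."""
    digest = hash_value(candidate)
    stamp = now.strftime(_GENERALIZED_TIME)
    return any(e["value"] == digest and e["blocked_until"] > stamp
               and e["origin_id"] != object_id for e in entries)
```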

Important

Listing block list entries gives you only the hashes of the blocked values.

Nevertheless, you can search for the clear text value of a particular entry, for example, in case you want to delete that entry. Listing 8.1 shows the commands.

Listing 8.1 Commands to list and search for clear text values
$ udm blocklists/entry list
DN: cn=sha256:a859cd5964b6ac...,cn=emails,cn=blocklists
DN: cn=sha256:b859cd5964b6ac...,cn=emails,cn=blocklists
DN: cn=sha256:c859cd5964b6ac...,cn=emails,cn=blocklists

$ udm blocklists/entry list --filter value=blocked_email@example.com
DN: cn=sha256:c859cd5964b6ac...,cn=emails,cn=blocklists

Nubus for Kubernetes doesn’t offer the udm command to search for the clear text value of a particular entry.

8.1.4. Expired block list entries

Every entry in a block list has a Blocked until property. A block list entry expires once that timestamp has passed. A cron job on the UCS Primary Directory Node deletes expired block list entries.

You can configure how often cron runs the job with the UCR variable directory/manager/blocklist/cleanup/cron. The log file /var/log/univention/blocklist-clean-expired-entries.log lists the expired entries that UDM deleted.