Table of Contents
With Univention Corporate Server 4.0-3, the third point release of Univention Corporate Server (UCS) 4.0 is now available. It provides various improvements and bugfixes. An overview of the most important changes:
The mail server Dovecot has been integrated as standard IMAP/POP3 server into UCS and offers an alternative to the still available Cyrus IMAP server. More information is available in this blog article.
The compatibility to Active Directory has been improved with the Samba update to 4.2.3. This includes, among others, improvements in the DRS replication and the printer driver handling. In addition, the join of Huawai storage systems in the Active Directory domain provided by UCS is now also possible.
Several enhancements in design and usability of the Univention Management Console have been implemented. For example, it is now possible to use the forward and back buttons of the web browser. This allows a simpler and faster navigation in the management interface.
LDAP filters can now be defined for LDAP policies. That means the LDAP policy applies only to the objects that match the LDAP filter. This makes it possible to use LDAP policies in an easy and generic way especially in large environments.
The Linux kernel has been updated to the latest stable version of the 3.16 longterm kernel. This includes several security updates as well as new and updated drivers for a better hardware support.
All security updates released for UCS 4.0-2 are included in this update. It is now also possible to redirect all HTTP requests to HTTPS by only setting an Univention Configuration Registry variable. This increases the security of the UCS system.
During the update some services in the domain may not be available, i.e. the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update takes between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated on all the remaining LDAP servers of the UCS domain. As changes to the LDAP schemes can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0 UCS, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6 GB of disk space. Depending on the scope of the existing installation, the update will require about another 2 GB of disk space for downloading and installing all packages.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being cancelled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues despite disconnection from the network.
This can be done, e.g., using the tools screen and at. These tools are installed on all system roles by default.
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
The profile-based UCS network installation is available with UCS 4.0-2. Further details are described in [ext-doc-inst].
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition version of UCS (which is generally used for evaluating UCS). The modules opened are logged in an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered with security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 33
Firefox as of version 24
Internet Explorer as of version 9
Safari and Safari Mobile as of version 7
Users with older browsers may experience display or performance problems.
Listed are the changes since UCS 4.0-2:
All security updates issued for UCS 4.0-2 are included:
msgpo.schema file introduced as a fix for Bug 38488 has been removed again (Bug 38566).
ldap/server/addition has been improved (Bug 38094).
ldap/server/addition is used to configure additional LDAP servers in case the primary LDAP server is unavailable. The setting can be configured through a UMC policy 'LDAP server'.
Previously the so configured value was written into the NORMAL layer of the Univention Configuration Registry, which overwrote any setting configured by the user. The value is now written into the LDAP layer, which has a higher priority
than the NORMAL layer and thus overrules any local configuration, but preserves the user configured setting. The value can still be overwritten locally by using the FORCED layer of UCR, e.g. ucr set --force ldap/server/addition=....
Setting the UCR variable through a UMC policy 'Univention Configuration Registry' is not recommended and will clash with the 'LDAP server' policy (Bug 38094).
ldap/tls/ciphersuite and ldap/tls/minprotocol to configure the allowed ciphers and the minimum requires TLS version. By default 'RC4', 'NULL' and 'SSLv3' are now disabled (Bug 38685).
ldap/tls/dh/... (Bug 38685).
univentionPolicy objects (Bug 36255).
Packages files are now handled (Bug 38112).
univention-upgrade to upgrade apps (Bug 38697).
policies/mailquota has been moved to the package univention-mail-cyrus. From now on the module will only be available if the UCS domain contains an UCS system with installed Cyrus mail stack (Bug 38473).
directory/manager/web/modules/users/user/add/default. The variable expects the DN or the label of a user template (Bug 38832).
mail/cyrus/auth/allowplaintext to (dis)allow plain text passwords over non-TLS connections has been added. The variable defaults to no.
This changes the previous default behaviour! Plain text authentication over unencrypted connections is now disabled by default. To revert to the old behaviour set mail/cyrus/auth/allowplaintext=yes resp. mail/dovecot/auth/allowplaintext=yes (Bug 38500).
policies/mailquota has been moved to the package univention-mail-cyrus. The UDM module will only be available if the UCS mail stack with Cyrus is installed (Bug 38473 Bug 39004).
mail/antivir/max_servers. When unset, the current default 2 is used (Bug 37653).
mail/postfix/smtpd/restrictions/sender/reject_unknown_client_hostname and mail/postfix/smtpd/restrictions/sender/reject_unknown_reverse_client_hostname for weaker and stricter reverse DNS checking respectively (Bug 38292).
check_univention_ldap plugin has been modified to use the FQDN of the LDAP server (Bug 27043).
BACKUPKEY serverwrap protocol may cause problems with retrieving saved passwords on Windows clients (DPAPI). This issue has been fixed (Bug 39025).
dns/host_record (Bug 39077).
The following packages have been added to the maintained package repository (Bug 37972, Bug 38628):
[ext-doc-inst] Univention GmbH. 2014. Extended installation documentation. http://docs.univention.de/installation-4.0.html.