With Univention Corporate Server 4.4-1, the first point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
By configuring stylesheets, the look and feel of the login and self-service websites can be customized.
There are significant performance improvements of the Directory Manager in environments with extensive LDAP structures.
A new feature in the App Center gives hints for additional apps, based on the apps already installed in the environment.
A beta version of the new UDM Rest API has been released.
The source code of some UCS packages has been adapted for future migration to Python 3.
Various security updates have been integrated into UCS 4.4-1, e.g. Samba, the Linux kernel and Dovecot. A complete list of security and package updates is available in Chapter 6.
During the update some services in the domain may be temporarily unavailable, which is why the update should be performed in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVDs are only provided for the x86 64-bit architecture (amd64). Existing 32-bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32-bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOs http://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
    pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4

...
Starting pre-update checks ...
Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module, or by running univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Due to a design flaw in the Univention Directory Notifier network protocol version 2 any user can retrieve information about changes to the LDAP directory.
A new protocol version 3 was implemented with UCS 4.3-3 erratum 427.
For backward compatibility with old UCS systems the Univention Directory Notifier still provides version 2 by default.
For new installations starting with UCS 4.4 only version 3 is enabled by default.
Protocol version 2 can be re-enabled by changing the Univention Configuration Registry variable notifier/protocol/version to 2 and restarting the Univention Directory Notifier.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-0:
All security updates issued since UCS 4.4-0 are included:
The following packages have been moved to the maintained repository of UCS: numad (Bug 47574), python-setproctitle (Bug 49176), configparser (Bug 49588)
ldap/sizelimit, which defaults to 400k. This is not enough for univention-translog prune. Remove the limit for searches connecting via ldapi:///. (Bug 49505)
slaptest for LDAP schema checking in the ldap_extension module. (Bug 49596)
/etc/ldap/rootpw.conf) used for LDAP replication to improve security against brute force attacks. (Bug 48606)
univention-ldapsearch now appends the argument -o ldif-wrap=no. (Bug 48683)
resync_objects.py helper script now respects the configured local LDAP port. (Bug 49228)
cn=translog setup, which reset the LDAP indexes. (Bug 48971)
/var/lib/univention-ldap/notify/transaction and the cn=translog database in OpenLDAP. A failed write to the latter can make UDN abort, in which case UDN is restarted automatically and writes the pending transactions to said file again. This leads to inconsistency. The order has been swapped to prevent this issue from happening again. The transaction file might require manual corrections if UDN fails to start up properly. (Bug 49198)
univention-translog check --fix command to check (and fix) inconsistencies between the files /var/lib/univention-ldap/notify/transaction, /var/lib/univention-ldap/notify/transaction.index, /var/lib/univention-ldap/listener/listener, and /var/lib/univention-ldap/last_id. (Bug 49201)
Implement command univention-translog prune to prune old transactions from the transaction file and database. This can be used to save space. This procedure is dangerous and should ONLY be executed if ALL Univention Directory Listeners (UDLs) in the domain have processed all previous transactions. Otherwise the UDLs will no longer be able to process transactions and affected systems must be re-joined! Systems which have not been running for some time or are restored from backup must also be re-joined if their last processed transaction is no longer contained in the purged translog. (Bug 48729)
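As an added illustration of the kind of inconsistency between the transaction file and last_id that a check like univention-translog check guards against (this is example code, not the tool's own implementation), the script below validates a notifier transaction file against last_id. It assumes the line format "<id> <dn> <a|m|d>" for the transaction file and a single integer in last_id, and runs on constructed sample data.

```python
"""Consistency check of a UDN transaction file against last_id (added example,
not part of univention-translog). Assumed format: each line of the transaction
file is "<id> <dn> <a|m|d>" and last_id holds the highest id as an integer."""
import re

LINE_RE = re.compile(r"^(\d+) (.+) ([amd])$")

def parse_transactions(text):
    """Return a list of (id, dn, op) tuples; raise on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed transaction line %d: %r" % (lineno, line))
        entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def check_consistency(transaction_text, last_id_text):
    """Return a list of problems found (an empty list means consistent)."""
    problems = []
    entries = parse_transactions(transaction_text)
    last_id = int(last_id_text.strip())
    prev = None
    for tid, _dn, _op in entries:
        # ids must be strictly increasing; a repeated id is the symptom of
        # pending transactions being written twice after a UDN restart
        if prev is not None and tid <= prev:
            problems.append("id %d not strictly increasing after %d" % (tid, prev))
        prev = tid
    # last_id must match the id of the final line in the transaction file
    if entries and entries[-1][0] != last_id:
        problems.append("last_id %d != last transaction id %d" % (last_id, entries[-1][0]))
    return problems

# Constructed sample data: the same transaction was written twice after a
# UDN restart (duplicate id 1002) and last_id is ahead of the file.
SAMPLE_TRANSACTIONS = """1000 cn=alice,cn=users,dc=example,dc=com a
1001 cn=alice,cn=users,dc=example,dc=com m
1002 cn=bob,cn=users,dc=example,dc=com a
1002 cn=bob,cn=users,dc=example,dc=com a
"""
SAMPLE_LAST_ID = "1003\n"

if __name__ == "__main__":
    for problem in check_consistency(SAMPLE_TRANSACTIONS, SAMPLE_LAST_ID):
        print("PROBLEM:", problem)
```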
/umcp/ to access the UMC backend has been removed. (Bug 49639)
/usr/share/univention-management-console-login/css/custom.css. (Bug 49436)
umc/web/sso/enabled. (Bug 48224)
univention-portal-server has been increased. (Bug 49526)
univention-portal-server is reloaded after a server password rotation. (Bug 49746)
92univention-management-console-web-server.inst (Bug 48198)
ldapError: Insufficient access. This has been fixed by ensuring a new connection is used after LDAP connection problems. (Bug 46089)
docker/daemon/default/opts/log-driver (default json-file) and docker/daemon/default/map/log-opt (default max-file=4,max-size=10m). (Bug 47416)
dpkg lock before attempting to install database software packages. If starting the database service fails anyway, we now send more verbose information. (Bug 48669)
machine.secret could not be copied into the container. (Bug 49543)
admindiary.client.write_event() in univention-updater occurring in Docker containers during docker build. (Bug 49056)
computers/* UDM handlers now share a common base class. Code redundancy has therefore been reduced. (Bug 41659)
univentionPolicyReference is now removed from objects when the last policy is dereferenced. (Bug 46466)
lookup() method. (Bug 49638)
users/user UDM module now uses the LDAP filter univentionObjectType=users/user when searching for objects to increase performance. (Bug 48390)
udm users/user create without --set username does not cause an exception anymore. (Bug 48441)
mountpoint, a quota policy that had a value of zero (meaning no quota is enforced) would overwrite smaller quota policies. This behavior has been changed to always choose the smallest value. (Bug 48000)
debug2.py again with the C version debug.py. (Bug 46100)
function class in favor of the trace decorator. (Bug 43422)
univention.uldap.access.search() methods. (Bug 49638)
/usr/lib/python2.7/dist-packages/univention/. (Bug 49140)
unknownClients from the UMC policy DHCP Scope is no longer applied to a DHCP pool statement. This is not allowed by the syntax of the DHCP daemon. (Bug 20222)
/var/spool/dovecot/private/ by unsuccessful login attempts of users without a primary mail address. (Bug 49038)
mail/dovecot/ssl/sni/$fqdn/certificate=$path_to_certificate and mail/dovecot/ssl/sni/$fqdn/key=$path_to_certificate_key. (Bug 48485)
saml/idp/session-duration. With this update, the default value for a SAML session is raised from 8 to 12 hours. (Bug 49503)
/usr/share/univention-management-console-login/css/custom.css. (Bug 49436)
Self Service-App not working when the Univention Configuration Registry variable umc/self-service/profiledata/enabled is set to false. (Bug 45041)
Self Service-App can now be styled via the /var/www/univention/self-service/css/custom.css CSS file. (Bug 49343)
/etc/cups/cupsd.local.conf is applied again. Since UCS 4.3 erratum 149 the cups Include directive has been removed. Changes in the /etc/cups/cupsd.local.conf configuration now require a ucr commit /etc/cups/cupsd.conf. (Bug 48437)
cn=translog database has been added. (Bug 48422)
univention-directory-listener database has been added. To apply it on a slave domain controller, backup domain controller or member server execute: univention-run-join-scripts --force --run-scripts 30univention-nagios-client.inst (Bug 48617)
select() exception. (Bug 49403)
host-model does not survive the creation of snapshots or suspend to disk and gets rewritten to the concrete CPU model of the host system. This has been fixed. Old snapshots created and domains suspended before this erratum might fail to start, in which case the CPU configuration must be manually removed from the XML description using virsh snapshot-edit or virsh save-image-edit respectively. (Bug 49425)
samba-tool ntacl sysvolcheck to reduce reporting of false positives. This can be run by using the new option --mask-msad-differences. Without the new option the reporting is unchanged. This is another step in the ongoing quest of improving the quality of this tool for NTACL inheritance. (Bug 46643)
sysvol synchronization. (Bug 48917)
dns_update_list and spn_update_list. (Bug 49025)
univention-samba4-backup fails, cron will automatically send system mails to root. (Bug 49399)
lockingdb and s4cache during re-join. (Bug 40773)
connector-s4.log which is hard to scroll. The log volume of the group cache init has been lowered to log level ALL. (Bug 48364)
remove_ucs_rejected.py and remove_s4_rejected.py now escape SQL syntax. (Bug 49445)
sync_to_ucs for machine accounts. (Bug 49649)
/usr/lib/python2.7/dist-packages/univention/s4connector/. (Bug 49176)
univention-s4-connector has been enhanced. (Bug 49176)
connector/s4/mapping/ignoresubtree/. (Bug 47008)
version/erratalevel to 0. (Bug 48654)
getRootDnConnection() has been fixed. (Bug 49024)
cn=monitor can now be extended via Univention Configuration Registry variables. (Bug 49387)
ldap/create-ldap-server-policy. (Bug 49386)
stderr if LDAP schema validation fails. (Bug 49500)
ldap_extension.py listener utilities has been fixed. (Bug 41780)
univention-policy-update-config-registry now has a new option to specify the LDAP server from which to get the policies. (Bug 35208)
rsyslog remote servers can now be specified in the Univention Configuration Registry variable syslog/remote. (Bug 48508)
systemd service timeout for mysqld configurable via the Univention Configuration Registry variable mariadb/startup/timeout. (Bug 46901)
computers/domaincontroller_master objects can now be configured. During the upgrade every default container for computer objects is set as default container for computers/domaincontroller_master except cn=computers and cn=memberservers,cn=computer. (Bug 46919)
.debian. (Bug 49441)
debian/ucslint.overrides when used with paths. (Bug 49520)