Table of Contents
With Univention Corporate Server 4.4-2, the second point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
The UDM REST API is included for the first time as a stable release and is activated on all DC Master and DC Backup instances. More information can be found in an article about the API and the UCS 4.4-1 release notes.
Improvements in error handling for license generation during initial configuration.
In UCS Virtual Machine Manager (UVMM) the automatic start for instances and the virtual CPU type can be configured.
With the update of the Docker Engine App maintainers get more possibilities by supporting additional features in the Docker Compose files.
With 4.4-2 the update to Debian point release 9.11 is completed.
Various security updates have been integrated into UCS 4.4-2, e.g. Samba, the Linux kernel and Dovecot. A complete list of security and package updates is available in Chapter 6.
Various additional attributes have been added to the synchronization between UDM/OpenLDAP and Samba/AD user objects (unixhome, employeeType, employeeNumber, loginShell, title, gidNumber, uidNumber, departmentNumber, roomNumber, jpegPhoto, userCertificate, initials, physicalDeliveryOfficeName, postOfficeBox, preferredLanguage).
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}
# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command
univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
The following properties have been added to the UDM module users/user: initials,
postOfficeBox, preferredLanguage, physicalDeliveryOfficeName,
preferredDeliveryMethod. Any extended attribute for those properties should be changed to use the same
property name as the UDM CLIName.
Due to a design flaw in the Univention Directory Notifier network protocol version 2 any user can retrieve information about changes to the LDAP directory.
A new protocol version 3 was implemented with UCS 4.3-3 erratum 427.
For backward compatibility with old UCS systems the Univention Directory Notifier still provided version 2 by default.
For new installations starting with UCS-4.4 only version 3 is enabled by default.
Protocol version 2 can be re-enabled by changing the Univention Configuration Registry variable notifier/protocol/version to 2 and restarting the Univention Directory Notifier.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-1:
All security updates issued for UCS 4.4-1 are included:
The following updated packages from Debian 9.11 are included (Bug 50211): base-files, basez, biomaj-watcher, bird, bogl, chaosreader, c-icap-modules, corekeeper, dansguardian, dar, debian-archive-keyring, debian-installer-netboot-images, debian-installer, dosbox, fence-agents, fig2dev, fribidi, fusiondirectory, gettext, gocode, groonga, gsoap, gthumb, havp, icu, koji, lemonldap-ng, libclamunrar, libconvert-units-perl, libdatetime-timezone-perl, libevent-rpc-perl, libgovirt, librecad, libsdl2-image, libthrift-java, libtk-img, libu2f-host, linux-latest, liquidsoap, llvm-toolchain-7, minissdpd, miniupnpd, mitmproxy, monkeysphere, nasm-mozilla, ncbi-tools6, neovim, nginx, node-growl, node-ws, opendmarc, openssh, open-vm-tools, passwordsafe, pound, prelink, python-clamav, redis, reportbug, resiprocate, ruby-mini-magick, sash, signing-party, slurm-llnl, t-digest, tenshi, thunderbird, tzdata, usbutils, xymon, yubico-piv-tool, z3, zfs-auto-snapshot, zsh
The following packages have been moved to the maintained repository of UCS: python-concurrent.futures (Bug 49973), python-mimeparse (Bug 49973), python-uritemplate (Bug 50034)
univention-service files to be not installed any more (Bug 50098).
SuggestionBox widget (Bug 48811).
univention-service file to be not installed any more (Bug 50169).
docker-compose file (Bug 50030).
appcenter/docker/compose/network, which defaults to 172.16.1.1/16.
This change takes effect with new App installations (Bug 49055).
IStates, AllowDeny, AppActivatedOK, AppActivatedTrue, OkOrNot, TrueFalse, TrueFalseUp, TrueFalseUpper, booleanNone and ddnsUpdates now correctly validate input values (Bug 40731).
users/user properties departmentNumber and roomNumber have been changed to be multi-value, as allowed in the LDAP schema.
This change has been made to support synchronization with Samba/AD (Bug 49092).
users/user: initials, postOfficeBox,
preferredLanguage, physicalDeliveryOfficeName, preferredDeliveryMethod.
The UDM module users/user has been prepared for adding the following properties: st (state) and c (country).
Any extended attribute for those properties should be changed to use the same property name as CLIName (Bug 49092).
combobox syntax class has been added (Bug 48811).
container/ou objects has been fixed (Bug 49478).
_apt to fix an error with the Acquire::GzipIndexes=true option set for apt (Bug 49799).
univention-service file to be not installed any more (Bug 50169).
SuggestionBox has been added to the mapping of syntax classes (Bug 48811).
60univention-ldap-server_acl-slave into 60univention-ldap-server_acl-slave and 70univention-ldap-server_acl-slave-end.
The rule which allows read access for every user to every object is contained in the later one.
This increases security for templates which are installed on the DC Master and DC Slaves where the same behavior is now present (Bug 49734).
uldap.py utilities (Bug 47926).
univention-service definition has been corrected and split into two services for PostgreSQL 9.4 and PostgreSQL 9.6 (Bug 42241).
mail/dovecot/ssl/cafile (Bug 50105).
pam_krb5 now strips passwords at 1024 characters.
This prevents denial of service attacks when authenticating with very long passwords when pam_krb5 would hang in the hash generation of the password (Bug 49740).
pam_unix now strips passwords at 512 characters.
This prevents denial of service attacks when authenticating with very long passwords when pam_unix would hang in the hash generation of the password.
https://github.com/linux-pam/linux-pam/issues/118 (Bug 49741).
systemd by default.
It can be re-enabled by setting the Univention Configuration Registry variable pam/session/systemd to true (Bug 49910).
ldap-group-to-file.py has been implemented so that it is ensured the process only runs once at a time (Bug 35173).
appcenter/docker/compose/network is now included in the firewall rules;
MySQL connections are allowed from this subnet.
It is used by the App Center when installing certain Apps (Bug 49055).
uvmm/profile (Bug 49695).
univention-service file to be not installed any more (Bug 50098).
/etc/univention/connector/s4/localmapping.py is now included in mapping.py to allow adjusting the mapping dynamically.
It may contain a Python function mapping_hook(s4_mapping) which can return a modified mapping (Bug 48410).
sync_krbgt script (Bug 36633).
connector/s4/mapping/user/attributes/ignorelist.
The synchronization of these attributes is deactivated for updates.
? character in their DN could not be synchronized due to a decoding error.
The synchronization works now (Bug 49865).
remove_ucs_rejected.py has been repaired.
It has been broken via UCS 4.4-2 erratum 155 (Bug 26501).