Table of Contents
With Univention Corporate Server 4.4-3, the third point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
Several details of the Univention Management Console have been improved: The size of the RAM is now already checked during the installation. A new document exists for setting up printer drivers, which is directly linked. Searching for IPv4 addresses and the configuration of mail distribution lists has been simplified.
The Univention S4 connector has received many small improvements, e.g. when renaming host and DNS entries, a fix for account expiry dates in certain time zones, and for exceptional cases when objects are restored in UCS@school environments.
A crash issue in OpenLDAP and a problem when accessing shares with Windows Explorer has been fixed.
Most packages have been converted from python-support to dh_python2 in preparation for the switch from Python 2 to Python 3.
Various security updates have been integrated into UCS 4.4-3, e.g. Samba, the Linux kernel and Dovecot. A complete list of security and package updates is available in Chapter 6.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVD are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}
# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command
univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-2:
All security updates issued for UCS 4.4-2 are included:
The following updated packages from Debian 9.11 are included (Bug 50559): dpdk, mediawiki, pam-python, redmine, ruby-loofah, symfony, thunderbird
The following packages have been moved to the maintained repository of UCS: novnc (Bug 35428), python-debtcollector (Bug 35428), python-oslo.config (Bug 35428), python-oslo.i18n (Bug 35428), python-rfc3986 (Bug 35428), python-wrapt (Bug 35428), stevedore (Bug 35428), univention-ipcalc (Bug 49135), websockify (Bug 35428)
slapd failed to restart because it incurred a bus error (Bug 49780).
memcached_univention-directory-listener.conf (Bug 48139).
run script (Bug 50110).
DB3 database (Bug 50407).
/usr/lib/python2.7/dist-packages/univention/admin/ (Bug 49147).
/usr/lib/python2.7/dist-packages/univention/management/console/ (Bug 49161).
/usr/lib/python2.7/dist-packages/univention/app_appliance/ (Bug 49128).
univention-l10n-build to build localization files for univention-appcenter (Bug 50340, Bug 49161).
outside (Bug 50203).
TypeError during logging of invalid date values in the UDM REST service (Bug 50476).
/usr/lib/python2.7/dist-packages/univention/admin/ (Bug 49147).
/usr/share/pyshared, like e.g. the mailquota module (Bug 50493).
users/user is now set during the object creation instead of setting it afterwards (Bug 50161).
groups/group and mail/lists have been added to the UDM module mapping (Bug 50239).
users/user filter for disabled and locked properties has been done (Bug 50236).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ ^(Bug 49152, Bug 49161).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49142).
univention-fetch-certificate is used during join (Bug 45115).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49149, Bug 49161).
ldap/database/mdb/maxsize and listener/cache/mdb/maxsize on backup domain controller and slave domain controller systems during the join (Bug 50114).
/usr/lib/python2.7/dist-packages/univention/directory/ (Bug 49148).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49151).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49158).
/usr/lib/python2.7/dist-packages/univention/lib/ (Bug 49138).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49141).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49159).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49165).
/usr/share/univention-management-console-module-udm/ again.
This is necessary for creation of reports and has been broken in UCS 4.4-3 erratum 346 (Bug 50497).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49160).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49154, Bug 49161).
ldap_extension now stores success or error messages in a new LDAP attribute univentionListenerMessage.
These are used in the App center to improve error messages (Bug 50481).
top is now automatically added to the container cn=dns,$LDAP_BASE, when the LDAP is initially provisioned.
Existing systems are not modified (Bug 46649).
set/get_handler_message to store/get listener messages in the LDAP directory (as settings data object) (Bug 50481).
univention.lib.umc_connection (Bug 47205).
/usr/lib/python2.7/dist-packages/univention/updater/ and /usr/lib/python2.7/dist-packages/univention/management/console/modules/updater/ (Bug 49143).
entityID but with the same configuration.
This has been added to use the SAML Identity Provider with multiple Azure domains (Bug 50510).
saml/idpconfig and saml/serviceprovider have been modernized (Bug 50345).
/usr/lib/python2.7/dist-packages/univention/admin/handlers/ (Bug 49167).
saml/idp/negotiate/filter-subnets (Bug 49485).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49163).
/usr/lib/python2.7/dist-packages/univention/mail/ (Bug 49144).
nscd to check for a working nscd by querying its statistics data (Bug 49967).
univention-add-vhost has been added to add (and remove) these virtual hosts (Bug 45115).
Wildcard Certificate is added to a host, a wildcard certificate for that host is created (*.$fqhn) on the master domain controller.
A new tool univention-fetch-certificate has been added to simplify the download of certificates from the master domain controller (Bug 45115).
/usr/lib/python2.7/dist-packages/univention/uvmm/ (Bug 49157, Bug 49161).
/usr/lib/python2.7/dist-packages/univention/uvmm/ (Bug 49156, Bug 49161).
/usr/lib/python2.7/dist-packages/univention/uvmm/ (Bug 49179).
/usr/lib/python2.7/dist-packages/univention/admin/ (Bug 49181).
/usr/lib/python2.7/dist-packages/univention/management/console/modules/ (Bug 49150).
container/msgpo, settings/msprintconnectionpolicy and settings/mswmifilter have been modernized (Bug 50342).
normalise_userAccountControl() has been replaced in mapping.py with a static mapping (Bug 50305).
connector/debug/udm/level (Bug 43096).