With Univention Corporate Server 4.4-5, the fifth point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
The replication of groups with many members has been greatly accelerated.
The permission to use services connected via SAML can now be configured for groups; previously the setting could only be made per user. In addition, a mapping of UCS LDAP attribute names to the attribute names expected by the connected application can now be configured in the UMC for services connected via SAML.
An update for the OpenID Connect Provider allows logins to the SAML Identity Provider to be valid for OpenID Connect as well. Single Sign-On in UCS thus works across both standards.
The User Self-Service has a new configurable feature that allows users to create and delete their own account in UCS. User accounts must be confirmed by clicking on an activation link in an e-mail before they can be used for the first time. Administrators can define which attributes users must specify during registration.
Various security updates have been integrated into UCS 4.4-5, e.g. Samba, OpenLDAP, the Linux kernel and PHP. A complete list of security and package updates is available in Chapter 6.
During the update some services in the domain may not be available temporarily, that is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours.
If the update to UCS 4.4-5 aborts, the file /var/log/univention/updater.log should be checked for the following error:
**** Downloading scripts at Thu Jun 25 11:34:04 2020
Error: Update aborted due to verification error:
Verification error: Invalid signature: gpgv: keyblock resource '/etc/apt/trusted.gpg': \
File or directory not found
If the error appears in the logfile, all available errata updates should be installed, before starting another release update to UCS 4.4-5 (Bug 51576).
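To spot this condition without reading the whole log by hand, the following added Python example (written for these notes, not code shipped with UCS) scans updater.log text for the gpgv keyring error and pairs each hit with the closest preceding "Downloading scripts at" marker, so the failing attempt can be told apart from earlier ones. The sample log content is constructed from the message quoted above.

```python
import re
import sys
from typing import List, Optional, Tuple

# Constructed sample of updater.log content, modelled on the error quoted in the
# release notes (not a real log capture). Two update attempts are shown; only the
# second one fails.
SAMPLE_LOG = """\
**** Downloading scripts at Wed Jun 24 09:12:40 2020
**** Downloading scripts at Thu Jun 25 11:34:04 2020
Error: Update aborted due to verification error:
Verification error: Invalid signature: gpgv: keyblock resource '/etc/apt/trusted.gpg': File or directory not found
"""

STAMP_RE = re.compile(r"^\*{4} Downloading scripts at (?P<stamp>.+)$")
KEYRING_ERR_RE = re.compile(r"Invalid signature: gpgv: keyblock resource '(?P<keyring>[^']+)'")


def find_keyring_errors(log_text: str) -> List[Tuple[Optional[str], str, str]]:
    """Return (attempt_timestamp, keyring_path, line) for every gpgv keyring error.

    The timestamp comes from the closest preceding '**** Downloading scripts at'
    marker, so a log holding several update attempts maps each error to its attempt.
    """
    hits: List[Tuple[Optional[str], str, str]] = []
    last_stamp: Optional[str] = None
    for line in log_text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            last_stamp = m.group("stamp")
            continue
        m = KEYRING_ERR_RE.search(line)
        if m:
            hits.append((last_stamp, m.group("keyring"), line))
    return hits


def errata_required_first(log_text: str) -> bool:
    """True when the log shows the Bug 51576 symptom: install errata updates before retrying."""
    return bool(find_keyring_errors(log_text))


if __name__ == "__main__":
    # Usage: python3 check_updater_log.py /var/log/univention/updater.log
    # Without an argument the constructed sample is scanned.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    for stamp, keyring, _ in find_keyring_errors(text):
        print(f"attempt started {stamp}: keyring {keyring} not found")
    if errata_required_first(text):
        print("install all available errata updates before retrying the release update")
```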
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.
Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using update DVDs. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
  pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4

...
Starting pre-update checks ...
Checking app_appliance ...          OK
Checking block_update_of_NT_DC ...  OK
Checking cyrus_integration ...      OK
Checking disk_space ...             OK
Checking hold_packages ...          OK
Checking ldap_connection ...        OK
Checking ldap_schema ...            OK
...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module
univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 71
Firefox as of version 60
Safari and Safari Mobile as of version 12
Microsoft Edge as of version 18
As of this release Internet Explorer is not supported by Univention Management Console anymore.
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 4.4-4:
All security updates issued for UCS 4.4-4 are included:
The following updated packages from Debian Stretch 9.12 are included (Bug 51554): mailman, mutt, mysql-connector-java, netqmail, qbittorrent, roundcube, salt, thunderbird, tomcat8, wordpress
The following packages have been moved to the maintained repository of UCS: univention-debhelper (Bug 51374)
univention.config_registry.interfaces for Python 3 compatibility (Bug 51021).
/usr/share/univention-LDAP-overlay-memberof/univention-update-memberof should be called once on every UCS domain controller (Bug 46590).
dns/backend not to use "LDAP" on UCS domain controller systems running Samba4 (Bug 50501).
dns/timeout-start (Bug 50662).
server/password/interval, the UDM REST API refused to deliver an openapi.json file and disallowed further logins (Bug 50708).
ucs/server/sso/fqdn (Bug 51211).
umc/http/content-security-policy/.* and umc/login/content-security-policy/.* Univention Configuration Registry variables. The X-Frame-Options default header has been replaced with the Content-Security-Policy frame-ancestors directive (Bug 51211).
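What the header change means in practice: X-Frame-Options can only express DENY or SAMEORIGIN, whereas frame-ancestors lists every origin that is allowed to embed the page, and a browser that understands frame-ancestors ignores X-Frame-Options when both are sent. The following added Python example (written for these notes, not code from UCS) evaluates both header forms against a framing origin. The header sets and origins are constructed, and the host matching is simplified: a host-source without a scheme is accepted for any scheme, and ports in wildcard sources are not handled.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed header sets: the legacy default and a CSP-based replacement.
LEGACY_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
CSP_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://*.example.com; default-src 'self'"
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_protection(headers: Dict[str, str]) -> str:
    """'csp' if frame-ancestors is present, 'xfo' if only X-Frame-Options, else 'none'."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "frame-ancestors" in parse_csp(lower.get("content-security-policy", "")):
        return "csp"
    if "x-frame-options" in lower:
        return "xfo"
    return "none"


def _source_matches(source: str, page_origin: str, framer_origin: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin."""
    src = source.lower()
    framer = urlsplit(framer_origin.lower())
    if src == "'self'":
        return framer_origin.lower() == page_origin.lower()
    if src == "*":
        return True
    if "://" in src:
        scheme, host = src.split("://", 1)
        if scheme != framer.scheme:
            return False
    else:
        host = src  # simplification: a scheme-less host-source is accepted for any scheme
    if host.startswith("*."):
        return framer.hostname is not None and framer.hostname.endswith(host[1:])
    return host in (framer.netloc, framer.hostname)


def allowed_to_frame(headers: Dict[str, str], page_origin: str, framer_origin: str) -> bool:
    """Decide whether framer_origin may embed a page served from page_origin with these headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = csp["frame-ancestors"]
        # frame-ancestors wins over X-Frame-Options; an empty list or 'none' blocks all framing
        if not sources or "'none'" in (s.lower() for s in sources):
            return False
        return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin.lower() == page_origin.lower()
    # No header, or the obsolete ALLOW-FROM form: treated as unprotected.
    return True
```

The CSP form is what lets a UCS portal on a sibling host embed UMC pages while every other origin is still refused; with X-Frame-Options the only choices were same origin or nothing.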
umc/self-service/account-deregistration/enabled UCR variable (Bug 51110).
meta.json now contains more variables for the self service pages (Bug 51001).
/etc/apt/apt.conf.d/80proxy from the UCS host read-only to the container with the name /etc/apt/apt.conf.d/81proxy (Bug 51034).
UDP ports in docker compose file has been added (Bug 51069).
__getitem__() (Bug 51193).
http and https connections. They are applied to the Univention Configuration Registry variables proxy/http and proxy/https. Previously, only proxy/http was used (Bug 50613).
ABI Version 1.5.8 for the samba update (Bug 51532).
/etc/freeradius/ssl are now also checked by the diagnostics module. Permissions for that path should be 2755 (Bug 50887).
uLDAP methods __getstate__(), __setstate__() and parentDn() (Bug 51193).
univention.lib Python modules are now Python 3 compatible (Bug 51592).
/etc/systemd/system/docker.service.d/http-proxy.conf the UCR variable proxy/no_proxy is considered for the docker proxy settings (Bug 51031).
saml/apache2/content-security-policy/.* UCR variables (Bug 51211).
umc/self-service/passwordreset/{blacklist,whitelist}/{users,groups} UCR variables but the umc/self-service/profiledata/{blacklist,whitelist}/{users,groups} and umc/self-service/account-deregistration/{...} UCR variables respectively (Bug 51259).
umc/self-service/content-security-policy/.* UCR variables (Bug 51211).
umc/self-service/account-deregistration/enabled UCR variable (Bug 51110).
/etc/samba/base.conf (Bug 51212).
ABI Version 1.5.8 for the samba update (Bug 51532).
connector/ad/poll/profiling (Bug 51518).
connector/ad/mapping/attributes/irrelevant (Bug 18501).
ldap/logging/id-prefix=yes to enable this feature manually (Bug 51082).
univention-archive-key-ucs-5x.gpg for UCS 5 and remove expired key univention-archive-key-ucs-3x.gpg from UCS-3 (Bug 51250).
debian/*.pyinstall files to install Python modules (Bug 51106).
custom_{user,group}name() registering for required UCR variables (Bug 50056).
Essential:yes packages (Bug 51476).
uLDAP.searchDn() (Bug 51375).
debian/*.{pre,post}{inst,rm} are now checked for handling wrong actions (Bug 43981).
Unjoin-script files are now checked for errors, too (Bug 48747).
debian/changelog file is checked for strictly monotonic entries. In the past this has led to surprising update results, as the timestamp of the latest entry is used for many things during the package build (Bug 49620).
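A minimal form of that timestamp check, added here as an example and not the project's own checker code: it parses the version line and the maintainer trailer of each debian/changelog entry and reports every entry whose date is not strictly newer than the entry below it. The sample changelog is constructed; its top entry is deliberately older than the one beneath it.

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Constructed sample debian/changelog: the top entry carries a date older than
# the entry below it, which is exactly what the strictly-monotonic check rejects.
SAMPLE_CHANGELOG = """\
univention-example (4.0.0-3) ucs-4.4-5; urgency=medium

  * Bump for the 4.4-5 release.

 -- Example Maintainer <maintainer@example.com>  Thu, 25 Jun 2020 11:34:04 +0200

univention-example (4.0.0-2) ucs-4.4-5; urgency=medium

  * Second change.

 -- Example Maintainer <maintainer@example.com>  Fri, 26 Jun 2020 09:00:00 +0200

univention-example (4.0.0-1) ucs-4.4-4; urgency=medium

  * Initial packaging.

 -- Example Maintainer <maintainer@example.com>  Mon, 01 Jun 2020 10:00:00 +0200
"""

# "package (version) distribution; urgency=level"
HEADER_RE = re.compile(r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=\S+$")
# " -- Maintainer <mail>  <RFC 2822 date>" (two spaces separate maintainer and date)
TRAILER_RE = re.compile(r"^ -- (?P<maint>.+?)  (?P<date>\S.+)$")


def parse_changelog(text: str) -> List[Tuple[str, datetime]]:
    """Return (version, timestamp) per entry in file order, newest entry first."""
    entries: List[Tuple[str, datetime]] = []
    version: Optional[str] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            version = m.group("version")
            continue
        m = TRAILER_RE.match(line)
        if m and version is not None:
            # parsedate_to_datetime keeps the zone offset, so entries compare correctly
            entries.append((version, parsedate_to_datetime(m.group("date"))))
            version = None
    return entries


def non_monotonic_entries(text: str) -> List[str]:
    """Describe every entry whose timestamp is not strictly newer than the entry below it."""
    entries = parse_changelog(text)
    problems: List[str] = []
    for (newer, t_newer), (older, t_older) in zip(entries, entries[1:]):
        if t_newer <= t_older:
            problems.append(
                f"{newer} ({t_newer.isoformat()}) is not newer than {older} ({t_older.isoformat()})"
            )
    return problems


if __name__ == "__main__":
    for problem in non_monotonic_entries(SAMPLE_CHANGELOG):
        print("debian/changelog:", problem)
```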
debian/*.ucs files are checked more strictly due to the switch to Python 3. For example, duplicate keys are now errors (Bug 49683).
debhelper related files in debian/ are recognized (Bug 51246).
debian/*.dirs is now checked for unneeded entries which are already created indirectly by other steps (Bug 51247).
debian/compat is now checked for consistency with the declared versioned build dependency of debhelper in debian/control (Bug 51248).
debhelper scripts has been added (Bug 51235).
LDAP/overlay/memberof/ before system is joined (Bug 47641).