UCS 4.4 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 4.4-8


Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS installation DVD only available for 64 bit
3. Preparation of update
4. Postprocessing of the update
5. Notes on selected packages
5.1. Collection of usage statistics
5.2. Scope of security support for WebKit, Konqueror and QtWebKit
5.3. Recommended browsers for the access to Univention Management Console
6. Changelog
6.1. General
6.2. Basic system services
6.2.1. Univention Configuration Registry
6.2.1.1. Changes to templates and modules
6.2.2. Boot Loader
6.3. Domain services
6.3.1. OpenLDAP
6.3.1.1. Listener/Notifier domain replication
6.4. Univention Management Console
6.4.1. Univention Management Console web interface
6.4.2. Univention Portal
6.4.3. Univention Management Console server
6.4.4. Univention App Center
6.4.5. Univention Directory Manager UMC modules and command line interface
6.4.6. Other modules
6.5. Software deployment
6.6. System services
6.6.1. Docker
6.6.2. SAML
6.6.3. Univention self service
6.6.4. Postfix
6.6.5. Spam/virus detection and countermeasures
6.6.6. Printing services
6.6.7. Nagios
6.6.8. Apache
6.6.9. Proxy services
6.6.10. Kerberos
6.6.11. Other services
6.7. Virtualization
6.7.1. UCS Virtual Machine Manager (UVMM)
6.8. Services for Windows
6.8.1. Univention S4 Connector
6.8.2. Univention Active Directory Connection
6.9. Other changes

§Chapter 1. Release Highlights

With Univention Corporate Server 4.4-8, the eighth point release of Univention Corporate Server (UCS) 4.4 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:

  • The performance of the UMC web server in large environments with many requests has been improved by allowing the web server to be started with multiple processes to use multiple CPU cores. For this purpose, the UMC web server has been changed from single- to multiprocessing. The number of processes is configurable.
  • Various improvements have been made in preparation for UCS 5.0. Among other things, the UCS upgrade is blocked if installed apps are not yet available under UCS 5.0.
  • The S4 Connector now also synchronizes the gidNumber attribute for group objects.
  • Various security updates have been integrated into UCS 4.4-8, for example for PostgreSQL, Samba, the Linux Kernel and MariaDB.

§Chapter 2. Notes about the update

During the update, some services in the domain may temporarily be unavailable, which is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours.

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the master domain controller and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the master domain controller must always be the first system to be updated during a release update.

§2.2. UCS installation DVD only available for 64 bit

Starting with UCS 4.0, installation DVDs are only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS 3 systems can still be updated to UCS 4.0 through the online repository or by using an update DVD. The 32 bit architecture will be supported over the entire UCS 4 maintenance period.

§Chapter 3. Preparation of update

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 10 GB of disk space. The update requires approximately 4 GB additional disk space to download and install the packages, depending on the size of the existing installation.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools screen and at. These tools are installed on all UCS system roles by default.

Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.

# download
curl -OOs https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-4.4{,.gpg}

# run script
gpgv --keyring /usr/share/keyrings/univention-archive-key-ucs-4x.gpg \
        pre-update-checks-4.4.gpg pre-update-checks-4.4 && bash pre-update-checks-4.4

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

§Chapter 4. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 5. Notes on selected packages

§5.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§5.2. Scope of security support for WebKit, Konqueror and QtWebKit

WebKit, Konqueror and QtWebKit are shipped in the maintained branch of the UCS repository, but not covered by security support. WebKit is primarily used for displaying HTML help pages etc. Firefox should be used as web browser.

§5.3. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 71

  • Firefox as of version 60

  • Safari and Safari Mobile as of version 12

  • Microsoft Edge as of version 18

As of this release Internet Explorer is not supported by Univention Management Console anymore.

Users running older browsers may experience display or performance issues.

§Chapter 6. Changelog

Listed are the changes since UCS 4.4-7:

§6.1. General

§6.2. Basic system services

§6.2.1. Univention Configuration Registry

§6.2.1.1. Changes to templates and modules

  • Fix a Python 3 compatibility error in the Univention Configuration Registry template for /etc/hosts (Bug 52919).

§6.2.2. Boot Loader

  • The generated /boot/grub/grub.cfg is compatible with the upgrade to UCS 5 (Bug 53117).

§6.3. Domain services

§6.3.1. OpenLDAP

  • Support for the password scheme bcrypt has been added. The Univention Configuration Registry variable ldap/pw-bcrypt has been added to activate the module bcrypt in OpenLDAP (Bug 52693).
  • From now on SHA-512 hashes are used for the LDAP service accounts admin and backup (Bug 52696).

§6.3.1.1. Listener/Notifier domain replication

  • The notifier sometimes did not recognize a transaction until the next one occurred. Two causes for this behavior have been fixed (Bug 51804).

§6.4. Univention Management Console

§6.4.1. Univention Management Console web interface

  • A cross site scripting vulnerability in the Univention Management Console menu has been fixed (Bug 52665).
  • Package version bump to ensure package update will be done in all scenarios (Bug 52371).
  • The OpenAPI schema has been adjusted to be compliant: The example property of parameters has been removed as it conflicts with examples (Bug 52862).
  • The OpenAPI schema of the UDM REST API now contains 201 as additional possible status code for modify operations. It is returned in case an object was moved (Bug 52725).
  • The OpenAPI schema of the UDM REST API now returns 200 as status code for the retrieval of object creation templates (Bug 52723).

§6.4.2. Univention Portal

  • Fetching of user information is now done against the Apache HTTP interface instead of directly against the UMC web server (Bug 52293).

§6.4.3. Univention Management Console server

  • Fix translation of a pwdQuality related error message which led to German/English mix in Univention Management Console (Bug 52198).
  • The Univention Configuration Registry variable pam/krb5/ticket_after_pwchange has been added to restore the default behavior of the PAM module krb5. See https://help.univention.com/t/17403 for more information (Bug 52188).
  • A KeyError is prevented when a session timer has already been removed (Bug 52535).
  • The evaluation of the disallow option pattern in the ACL definitions has been repaired (Bug 25197).
  • A crash of the Univention Management Console server has been fixed (Bug 52699).
  • A cross site scripting vulnerability has been fixed (Bug 52665).
  • The Python Notifier implementation is used (among others) by the Univention Management Console server to handle the communication between the main server process and the UMC module processes. If any UMC module process fails to start within a few seconds, the module process is forcefully terminated by the server process. Under high load a fallback implementation is invoked to terminate all child processes, which sometimes is too eager and kills unrelated processes using python2.7. This included UCS services like UCS Virtual Machine Manager, UMC server, UMC web server, UMC REST API, UCS Portal server and Univention S4 connector. The broken fallback mechanism has been disabled and removed (Bug 52518).
  • The fix addresses a memory leak in univention-management-console-server which was introduced in UCS 4.4-8 erratum 848. In addition, a log message was moved from the process to the info log level (Bug 52508).
  • UMC now shows a banner for the upcoming Univention Summit 2021 once (Bug 52499).
  • The removal of sessions has been optimized (Bug 52273).
  • The UMC web server is now multiprocessing capable (Bug 52293).
  • Data stored for outstanding SAML queries are now removed when a SAML response is received (Bug 52444).
  • SAML identities are now cached in a BDB database instead of in memory (Bug 52442).
  • Expired sessions are now removed from the SAML cache (Bug 52443).
  • The UMC server is now multiprocessing capable (Bug 52371).

§6.4.4. Univention App Center

  • Fix a traceback in Univention App Center once an App ini file with install permissions is present in the cache (Bug 52852).
  • The app parameter DockerScriptInit can now be configured via Univention Configuration Registry (Bug 52839).
  • The LDAP ACL UCR templates now have valid Python 3 syntax for compatibility with the UCS 5.0 update (Bug 52815).
  • The new subcommand update-check has been added to univention-app to check whether a UCS update with the currently installed Apps is possible (Bug 52771).
  • To reduce the risk of problems during the upgrade of apps an unnecessary second call of docker.pull has been removed (Bug 52456).

§6.4.5. Univention Directory Manager UMC modules and command line interface

  • Changing the user password via UMC if bcrypt is activated is now possible (Bug 52832).
  • Support for bcrypt user password hashes has been added to the UDM. bcrypt can be activated with the Univention Configuration Registry variable password/hashing/bcrypt (default: false). The bcrypt cost factor and variant can be configured with the Univention Configuration Registry variables password/hashing/bcrypt/cost_factor (default: 12) and password/hashing/bcrypt/prefix (default: 2b) (Bug 52693).
  • The argument --remove-option of the UDM CLI command create has been repaired (Bug 52576).
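The bcrypt support described above (the OpenLDAP module activated via ldap/pw-bcrypt and the UDM variables password/hashing/bcrypt, password/hashing/bcrypt/cost_factor and password/hashing/bcrypt/prefix) gives an administrator something to verify after the update: that stored userPassword values actually carry the configured bcrypt variant and cost factor. The following audit helper is an added example, not code from UCS or Univention; it assumes the {BCRYPT} and {CRYPT} scheme prefixes for stored values and uses constructed, syntactically valid hash strings rather than real ones.

```python
import re

# Modular-crypt bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 22 salt + 31 hash chars
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")
# SHA-512 crypt string as used for the LDAP service accounts admin and backup
SHA512_CRYPT_RE = re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]+\$[./A-Za-z0-9]{86}$")


def split_scheme(value):
    """Split an LDAP userPassword value into (scheme, hash); scheme is None if absent."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def classify(value):
    """Describe the hash algorithm, bcrypt variant (prefix) and cost factor of one value."""
    scheme, h = split_scheme(value)
    m = BCRYPT_RE.match(h)
    if m:
        return {"scheme": scheme, "algorithm": "bcrypt", "prefix": m.group(1), "cost": int(m.group(2))}
    if SHA512_CRYPT_RE.match(h):
        return {"scheme": scheme, "algorithm": "sha512-crypt", "prefix": None, "cost": None}
    return {"scheme": scheme, "algorithm": "other", "prefix": None, "cost": None}


def audit(entries, bcrypt_enabled=True, cost_factor=12, prefix="2b"):
    """Compare (dn, userPassword) pairs against the UCR policy values; return a list of findings.

    The defaults mirror password/hashing/bcrypt/cost_factor=12 and password/hashing/bcrypt/prefix=2b.
    """
    findings = []
    for dn, value in entries:
        info = classify(value)
        if info["algorithm"] == "bcrypt":
            if info["cost"] < cost_factor:
                findings.append((dn, "bcrypt cost %d below configured %d" % (info["cost"], cost_factor)))
            if info["prefix"] != prefix:
                findings.append((dn, "bcrypt prefix %s differs from configured %s" % (info["prefix"], prefix)))
        elif bcrypt_enabled:
            # Not an error: existing hashes are only replaced on the next password change
            findings.append((dn, "not bcrypt (%s); rehashed on next password change" % info["algorithm"]))
    return findings


# Constructed sample values (hypothetical DNs, placeholder salt/hash characters, not real hashes)
_BCRYPT_TAIL = "abcdefghijklmnopqrstuv" + "0123456789ABCDEFGHIJKLMNOPQRSTU"
SAMPLE_ENTRIES = [
    ("uid=alice,cn=users,dc=example,dc=com", "{BCRYPT}$2b$12$" + _BCRYPT_TAIL),  # compliant
    ("uid=bob,cn=users,dc=example,dc=com", "{BCRYPT}$2a$10$" + _BCRYPT_TAIL),    # old variant, low cost
    ("cn=admin,dc=example,dc=com", "{CRYPT}$6$saltsalt$" + "a" * 86),            # SHA-512 service account
]

if __name__ == "__main__":
    for dn, msg in audit(SAMPLE_ENTRIES):
        print(dn, "->", msg)
```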

§6.4.6. Other modules

  • The Python Notifier implementation is used (among others) by the Univention Management Console server to handle the communication between the main server process and the UMC module processes. If any UMC module process fails to start within a few seconds, the module process is forcefully terminated by the server process. Under high load a fallback implementation is invoked to terminate all child processes, which sometimes is too eager and kills unrelated processes using python2.7. This included UCS services like UCS Virtual Machine Manager, UMC server, UMC web server, UMC REST API, UCS Portal server and Univention S4 connector. The broken fallback mechanism has been disabled and removed (Bug 52518).
  • The timer is now using a monotonic clock so that system time adjustments do not affect the timer execution (Bug 52273).
  • A cross site scripting vulnerability has been fixed in univention-management-console-module-passwordchange (Bug 52665).

§6.5. Software deployment

  • The univention-updater UCR templates now have valid Python 3 syntax for compatibility with the UCS 5.0 update (Bug 52813).
  • The univention-updater now checks if the locally installed apps are available for the next UCS version (Bug 52771).
  • The univention-updater now supports updating to UCS 5, once it is released (Bug 51865).

§6.6. System services

§6.6.1. Docker

  • The new Univention Configuration Registry variable docker/daemon/default/opts/registry-mirrors can be used to define custom registry mirrors for the docker daemon. It is also possible now to configure arbitrary JSON encoded data, which gets mixed into the Docker daemon configuration file /etc/docker/daemon.json via the Univention Configuration Registry variable docker/daemon/default/json (Bug 52344).
  • Add system call statx to docker seccomp profile (Bug 52478).

§6.6.2. SAML

  • This is a new upstream version of stunnel4 (Bug 52196).
  • A watchdog service univention-stunnel4-watchdog has been added, which restarts the stunnel4 service if it no longer responds but is still marked as active. This can be activated by setting the Univention Configuration Registry variable ucs/server/sso/stunnel4/watchdog/active=true and restarting the service univention-stunnel4-watchdog (Bug 52196).
  • Package version bump to ensure package update will be done in all scenarios (Bug 52371).
  • The memory consumption of python-pysaml2 has been optimized (Bug 52466, Bug 52467).

§6.6.3. Univention self service

  • ucsversionstart and ucsversionend are now set when registering the LDAP ACL extension. This is required for the upgrade to UCS 5 (Bug 52955).

§6.6.4. Postfix

  • The default Postfix version compatibility level was raised from 2 to 3 (Bug 46895).

§6.6.5. Spam/virus detection and countermeasures

  • An unjoin script has been added (Bug 52962).

§6.6.6. Printing services

  • The UCR templates are now compatible with Python 3 for the UCS 5.0 upgrade (Bug 52814).

§6.6.7. Nagios

  • An unjoin script for univention-nagios-dansguardian has been added (Bug 52962).
  • Univention Configuration Registry variables are now unset on package removal (Bug 52980).

§6.6.8. Apache

  • Package version bump to ensure package update will be done in all scenarios (Bug 52371).

§6.6.9. Proxy services

  • The UCR templates are now compatible with Python 3 for the UCS 5.0 upgrade (Bug 52814).

§6.6.10. Kerberos

  • The behavior of the PAM module krb5 has been changed. From now on the module no longer tries to obtain a new ticket after a password change (as this is error prone due to timing issues in the password synchronization). The old behavior can be restored by setting the Univention Configuration Registry variable pam/krb5/ticket_after_pwchange=true (sets the ticket_after_pwchange flag in the PAM configuration). See https://help.univention.com/t/17403 for more information (Bug 52188).
  • Version number has been increased to restart the heimdal-kdc. This is necessary to allow for the mspwdpolicy feature to work correctly (Bug 52198).
  • More specific error messages are passed through from heimdal to Univention Management Console in case of a failed pwdQuality check (Bug 52198).

§6.6.11. Other services

  • Univention Configuration Registry variables are now unset on package removal (Bug 52981).

§6.7. Virtualization

§6.7.1. UCS Virtual Machine Manager (UVMM)

  • Restore schema file system path to /usr/share/univention-ldap/schema/ to prevent a possible error when updating the package simultaneously on multiple systems (Bug 52867).
  • Register files from package univention-virtual-machine-manager-schema in LDAP in preparation for UCS 5 (Bug 51955).

§6.8. Services for Windows

§6.8.1. Univention S4 Connector

  • The attribute gidNumber on users will be synchronized from UCS to Samba4, but not from Samba4 to UCS (Bug 50278).
  • The attribute gidNumber on groups is now synced from UCS to Samba4. The attribute is only set if a UCS object is modified. Multiple objects can be resynchronized with the tool /usr/share/univention-s4-connector/resync_object_from_ucs.py --filter, which accepts an LDAP filter (Bug 50766).

§6.8.2. Univention Active Directory Connection

  • If a modification is done in AD and the user does not yet exist in UCS, the connector should set all values on the UCS object, whether they have changed or not. Not doing so led to rejects due to missing mandatory values (Bug 52261).
  • The connector creates a temporary password before synchronizing the user's actual password. This temporary password did not conform to the MS standard password complexity. This led to rejects due to the password being too simple (Bug 52439).

§6.9. Other changes

  • The Univention Configuration Registry variable pam/krb5/ticket_after_pwchange has been added to restore the default behavior of the PAM module krb5. See https://help.univention.com/t/17403 for more information (Bug 52188).