UCS 5.0 Release Notes

Release notes for the installation and update of Univention Corporate Server (UCS) 5.0-1


Table of Contents

1. Release Highlights
2. Notes about the update
2.1. Recommended update order for environments with more than one UCS server
2.2. UCS only available for 64 bit
3. Simultaneous operation of UCS and Debian on UEFI systems
4. Local package repository
5. Preparation of update
6. Postprocessing of the update
7. Notes on selected packages
7.1. Collection of usage statistics
7.2. Recommended browsers for the access to Univention Management Console
8. Changelog
8.1. General
8.2. Basic system services
8.2.1. Univention Configuration Registry
8.2.1.1. Changes to templates and modules
8.3. Domain services
8.3.1. OpenLDAP
8.3.1.1. Listener/Notifier domain replication
8.3.2. DNS server
8.4. Univention Management Console
8.4.1. Univention Management Console web interface
8.4.2. Univention Portal
8.4.3. Univention Management Console server
8.4.4. Univention App Center
8.4.5. Univention Directory Manager UMC modules and command line interface
8.4.6. Modules for system settings / setup wizard
8.4.7. Software update module
8.4.8. Domain join module
8.4.9. License module
8.4.10. System diagnostic module
8.4.11. Process overview module
8.4.12. Policies
8.4.13. Filesystem quota module
8.4.14. Univention Configuration Registry module
8.4.15. Other modules
8.5. Univention base libraries
8.6. Software deployment
8.6.1. Software monitor
8.7. System services
8.7.1. SAML
8.7.2. Univention self service
8.7.3. Dovecot
8.7.4. Postfix
8.7.5. Printing services
8.7.6. Nagios
8.7.7. Apache
8.7.8. RADIUS
8.7.9. Proxy services
8.7.10. SSL
8.7.11. DHCP server
8.7.12. Other services
8.8. Services for Windows
8.8.1. Samba
8.8.2. Univention AD Takeover
8.8.3. Univention S4 connector
8.8.4. Univention Active Directory Connection
8.9. Other changes
Bibliography

§Chapter 1. Release Highlights

With Univention Corporate Server 5.0-1, the first point release for Univention Corporate Server (UCS) 5.0 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:

  • UCS 5 light theme design. As announced with the release of UCS 5.0-0, in addition to the dark theme, there is also a light theme for UCS 5.0, allowing users of the UCS management system to switch between the two themes.

  • Scheduled user account activation. UCS administrators can create user accounts and define the date and time when they will be activated. User account creation can thus be better scheduled and done in advance without the user accounts being active right away.

  • Numerous improvements to the UCS Portal. Users of the UCS Portal can enjoy numerous improvements. Worth mentioning here are:

    • Improvements in the accessibility of the portal, for example, in the operation with the keyboard.

    • Improved handling of translation in a separate dialog to declutter the editing dialog.

    • Improved handling of notifications.

    • The cookie banner layout has been adapted to match the portal layout.

  • App Center: Several bugfixes in the handling of app settings.

  • User creation wizard: display attributes marked as required. UCR variables can be used to configure which user attributes have which default values and are visible when a user account is created. This allows an administrator to specify, for example, which parameters must be explicitly set and contain values in any case when creating a user account, e.g. the email address, which is not required by default.

  • This Univention Corporate Server release is based on Debian 10.11 Buster.

  • Various security updates have been integrated into UCS 5.0-1, for example for Samba4, OpenSSL, PHP and the Linux kernel.

§Chapter 2. Notes about the update

During the update, some services in the domain may be temporarily unavailable, so the update should be performed in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours. In large environments it may be useful to consult the [ucs-performance-guide].

§2.1. Recommended update order for environments with more than one UCS server

In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:

The authoritative version of the LDAP directory service is maintained on the Primary Directory Node (formerly referred to as master domain controller) and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the Primary Directory Node must always be the first system to be updated during a release update.

§2.2. UCS only available for 64 bit

UCS 5 is only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS systems cannot be updated to UCS 5.

§Chapter 3. Simultaneous operation of UCS and Debian on UEFI systems

Please note that simultaneous operation of UCS and Debian on a UEFI system starting with UCS 5.0 is not supported.

The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. If Debian is already installed, UCS can no longer be booted after the installation of or an update to UCS 5.0. A subsequent installation of Debian will also result in UCS 5.0 not being able to boot.

Further hints on this topic are collected in the following help article: https://help.univention.com/t/17768

§Chapter 4. Local package repository

This section is relevant for environments where a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository running on a UCS server with version 4.x will only provide packages up to UCS 4.x; a repository server running on UCS 5 will only provide packages for UCS 5 and newer versions. The following describes some of the options for upgrading systems to UCS 5 in an environment with a local repository. First, a local UCS 5 repository server must be set up.

To upgrade a system in the domain to UCS 5, the server should first be upgraded to the latest package level available for UCS 4.x. Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry variable repository/online/server. The system can now be upgraded to UCS 5 via the Univention Management Console or via the command line.

§Chapter 5. Preparation of update

Manually crafted Python code needs to be checked for compatibility with Python 3.7 before the update and adjusted accordingly. This includes Univention Configuration Registry templates containing Python code. Customized AD-Connector mapping templates are an example of this. See also the [developer-reference] for advice.
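One way to carry out this check on UCR templates, as an added example (not Univention's code): it compiles every embedded Python section without executing it and flags Python 2 idioms that still parse under Python 3. It assumes that templates live under /etc/univention/templates/files and embed Python between @!@ markers; the sample templates are constructed. The syntax check uses the grammar of the interpreter that runs the script, so run it with the Python 3 version of the target system.

```python
"""Scan UCR templates for embedded Python that breaks under Python 3."""
import re
import sys
from pathlib import Path

# Assumption: UCR templates embed Python code between "@!@" markers and are
# stored below this directory; adjust both if your system differs.
TEMPLATE_DIR = "/etc/univention/templates/files"
MARKER = "@!@"
PY_SECTION = re.compile(r"@!@(.*?)@!@", re.DOTALL)

# Python 2 idioms that still parse under Python 3 but fail at run time.
PY2_IDIOMS = [
    (re.compile(r"\.has_key\("), "dict.has_key() no longer exists; use 'in'"),
    (re.compile(r"\.iter(items|keys|values)\("), "dict.iter*() no longer exist"),
    (re.compile(r"\b(unicode|xrange|raw_input)\("), "Python 2 builtin"),
    (re.compile(r"\bbasestring\b"), "basestring no longer exists; use str"),
]

# Constructed sample templates (not real UCS files).
TEMPLATE_PY2 = """\
# constructed sample, not a real UCS template
server=@%@ldap/server/name@%@
@!@
if configRegistry.has_key('ldap/server/port'):
    print 'port=%s' % configRegistry['ldap/server/port']
@!@
"""
TEMPLATE_PY3 = """\
@!@
port = configRegistry.get('ldap/server/port', '7389')
print('port=%s' % port)
@!@
"""
TEMPLATE_IDIOM = """\
@!@
for key, value in configRegistry.iteritems():
    print('%s=%s' % (key, value))
@!@
"""


def check_template(text):
    """Return sorted (line, kind, message) findings for one template text."""
    findings = []
    if text.count(MARKER) % 2:
        # An unpaired marker means one section is never seen by the regex.
        line = text.count("\n", 0, text.rfind(MARKER)) + 1
        findings.append((line, "unbalanced", "unpaired @!@ marker"))
    for match in PY_SECTION.finditer(text):
        code = match.group(1)
        first_line = text.count("\n", 0, match.start(1)) + 1
        try:
            # compile() only parses; the template code is never executed.
            compile(code, "<ucr-template>", "exec")
        except (SyntaxError, ValueError) as exc:
            offset = (getattr(exc, "lineno", None) or 1) - 1
            findings.append((first_line + offset, "syntax", str(exc)))
        for idx, source_line in enumerate(code.splitlines()):
            for pattern, hint in PY2_IDIOMS:
                if pattern.search(source_line):
                    findings.append((first_line + idx, "py2-idiom", hint))
    return sorted(findings)


def scan_tree(root):
    """Check every file below root; return {path: findings} for hits only."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            found = check_template(text)
            if found:
                results[str(path)] = found
    return results


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else TEMPLATE_DIR
    report = scan_tree(root)
    for path, found in report.items():
        for line, kind, message in found:
            print(f"{path}:{line}: {kind}: {message}")
    sys.exit(1 if report else 0)
```

A clean result only shows that the sections parse and avoid the listed idioms; differences such as bytes versus str handling still need a test run of the template.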

It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 1-2 GB additional disk space to download and install the packages, depending on the size of the existing installation.

For the update, a login should be performed on the system's local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.

Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools tmux, screen and at. These tools are installed on all UCS system roles by default.

Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.

# download
curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-1{.gpg,}

# verify and run script
apt-key verify pre-update-checks-5.0-1{.gpg,} &&
  bash pre-update-checks-5.0-1

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

§Chapter 6. Postprocessing of the update

Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.

Subsequently the UCS system needs to be restarted.

§Chapter 7. Notes on selected packages

§7.1. Collection of usage statistics

Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.

This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry License -> License information of the user menu in the upper right corner of Univention Management Console. If UCS Core Edition is listed under License type, this version is in use. When a regular UCS license is used, no usage statistics are collected.

Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.

§7.2. Recommended browsers for the access to Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:

  • Chrome as of version 85

  • Firefox as of version 78

  • Safari and Safari Mobile as of version 13

  • Microsoft Edge as of version 88

Users running older browsers may experience display or performance issues.

§Chapter 8. Changelog

Listed are the changes since UCS 5.0-0:

§8.1. General

§8.2. Basic system services

§8.2.1. Univention Configuration Registry

  • ucr commit now prints a warning if a file is specified for which no template is registered (Bug 50010).
  • Always call the UCR module function handler() with a dictionary mapping variables to a 2-tuple containing the old and new value, even when ucr commit or ucr register are invoked (Bug 53424).
  • UCR now exits with an exit code of 1 when setting at least one UCR variable fails (Bug 53742).
  • Umlauts in UCR keys are allowed again, which was broken since UCS 5.0-1 (Bug 53742).
  • UCR now immediately closes file references when they are not used anymore (Bug 53811).

§8.2.1.1. Changes to templates and modules

  • The package univention-base-files has been migrated to Python 3 (Bug 53343).
  • A confusing wording in /etc/motd has been fixed (Bug 54184).

§8.3. Domain services

§8.3.1. OpenLDAP

  • Update file last_id atomically (Bug 51910).
  • Log error if listener/listener file cannot be written (Bug 51910).
  • Consistently write <TransID> if last_id could not be determined at all (Bug 51910).
  • Check listener/listener.priv file too if getting last_id failed (Bug 51910).
  • Check listener/listener file if getting last_id failed (Bug 51910).

§8.3.1.1. Listener/Notifier domain replication

  • Log messages of univention-translog have been improved (Bug 51911, Bug 49430).
  • The script univention-translog now also checks the file listener/listener.priv if that exists (Bug 51911, Bug 49430).
  • The script univention-translog recognizes the special values <TransID> and 0 and is able to fix them (Bug 51911, Bug 49430).
  • Restarting the systemd unit is now limited to 50 times in an observation window of 1000 seconds (Bug 51911, Bug 49430).
  • The notifier aborts if the transaction ID issued by the OpenLDAP translog overlay is not a valid integer (Bug 51911, Bug 49430).
  • Make module execution order configurable by explicitly specifying a priority (Bug 26089).
  • The package univention-directory-notifier has been migrated to Python 3 (Bug 53355).
  • Applying a failed.ldif has been repaired; it was broken due to the Python 3 migration (Bug 53430).
  • Make standard IO unbuffered. Otherwise (error) output from modules is buffered until the 8 KiB buffer becomes full. Only when the buffer is full is the previously collected output flushed, becoming visible en bloc in the log file /var/log/univention/listener.log (Bug 53071).

§8.3.2. DNS server

  • Server password change now logs timestamps (Bug 53182).

§8.4. Univention Management Console

§8.4.1. Univention Management Console web interface

  • The configuration of log rotation for the UDM REST API logfiles has been added (Bug 51721).
  • The style of the module tabs when using the query parameter overview=false has been adjusted (Bug 53906).
  • The Caching settings of Univention Management Console have been enhanced and relaxed to fix Caching issues after the upgrade to UCS 5.0 (Bug 53465).
  • The widgets DateBox and TimeBox now handle empty values correctly and support the syntax date2 again (Bug 53631).
  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • The login page no longer has the Login entry in the menu (Bug 53728).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).
  • A new Univention Configuration Registry variable ucs/web/theme has been added to configure a theme for all UCS web interfaces. The dark theme is the default (Bug 53307).
  • A regression where a saved username in Firefox is entered into a wrong input field has been fixed (Bug 53310).

§8.4.2. Univention Portal

  • A light theme for UCS web interfaces has been implemented (Bug 53390).
  • Improved performance during drag and drop (Bug 53565).
  • When using the portal for the first time, a sane guess which locale to set is made (Bug 53565).
  • Changed the position of the button to leave the edit mode (Bug 53565).
  • When entering edit mode, the portal overview is focused and the sidebar with portal attributes is not automatically opened anymore (Bug 53565).
  • Added an error message if the portal data cannot be loaded (Bug 53565).
  • Improved error validation in change password form (Bug 53565).
  • Added a new widget for localization of certain attributes (Bug 53565).
  • Added the option to connect groups to a tile. The tile is only visible to users of these groups (Bug 53565).
  • Users can now choose to delete an object entirely when removing (not just unlinking) (Bug 53565).
  • Improved tile describing tooltip in mobile mode (Bug 53565).
  • Close folder when switching to an embedded link (Bug 53565).
  • Switch to portal overview when using the search bar (Bug 53565).
  • Close search bar when opening embedded links (Bug 53565).
  • Re-ordering of tiles now works within a folder (Bug 53565).
  • New translation system (Bug 53565).
  • Improved keyboard controls, including a drag and drop alternative (Bug 53565).
  • Various accessibility fixes (Bug 53565).
  • Various CSS fixes (Bug 53565, Bug 53385, Bug 53491).
  • The template /usr/share/univention-portal/apps.json was unused and has been removed (Bug 53651).
  • Tabs are now shown with a full tile with background, not just the logo (Bug 53385, Bug 53491).
  • The portal can now be themed (Bug 53385, Bug 53491).
  • Language menu is now only available if the portal supports more than one language; the selected language is disabled in the menu (Bug 53385, Bug 53491).
  • The menu can now be edited in edit mode (Bug 53385, Bug 53491).
  • Added multiple new fields in edit mode (Bug 53385, Bug 53491).
  • Various accessibility fixes, like aria attributes (Bug 53385, Bug 53491).
  • Cookie Banner now better fits the portal layout (Bug 53385, Bug 53491).
  • Manage tabulator index for all components (Bug 53385, Bug 53491).
  • Added indicator for folders exceeding 9 entries (Bug 53385, Bug 53491).
  • Removed console.log messages (Bug 53385, Bug 53491).
  • Edit modals cannot be closed when clicking the background; New layer for loading animation (Bug 53385, Bug 53491).
  • Improved form validations (Bug 53385, Bug 53491).
  • Improve portal header in mobile mode (Bug 53385, Bug 53491).
  • Fix sizing in mobile mode (Bug 53385, Bug 53491).
  • All notifications can now be removed at once (Bug 53385, Bug 53491).
  • Notifications are shown in edit mode (Bug 53385, Bug 53491).
  • Notifications and tabs now have a counter in the header bar (Bug 53385, Bug 53491).
  • Notifications now hide automatically (Bug 53385, Bug 53491).

§8.4.3. Univention Management Console server

  • When being logged in via SAML a refresh of the SAML authentication at the UMC server (or LDAP server) is now done correctly again after the validity of the SAML message expired (Bug 52888).
  • The behavior for multiple module tabs has been adjusted when using the query parameter `overview=false` (Bug 53906).
  • The Caching settings of Univention Management Console have been enhanced and relaxed to fix Caching issues after the upgrade to UCS 5.0 (Bug 53465).
  • The traceback format of exceptions occurring in a thread has been repaired (Bug 53817).
  • The UMC server is now capable of sending responses with mime type image/svg+xml (Bug 53779).
  • The label of required multi valued widgets is now highlighted if no value is set (Bug 53665).
  • The login page no longer has the entry Login in the menu (Bug 53728).
  • Access to the Univention Management Console has been repaired if the user is allowed to use only one UMC module which does not have a flavor (Bug 51659).
  • SAML logouts which are initiated by another service provider are now correctly handled (Bug 53436).
  • The new Univention Configuration Registry variable umc/http/enforce-secure-cookie can be set to make cookies secure when using a HTTPS connection (Bug 51242).
  • The new Univention Configuration Registry variable umc/http/enforce-session-cookie can be set to make the login cookie a session cookie. Closing the browser will delete the cookie, effectively logging out the user (Bug 53508).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).

§8.4.4. Univention App Center

  • Remove cache files to force a rebuild with the next access to the cache (Bug 51986).
  • The error handling in case docker inspect fails has been repaired (Bug 53803).
  • Configuring an App that shipped with certain configure scripts did not work. This has been fixed (Bug 53761).
  • The install dialog shows the errors of the installation and messages from the pre-installation script if the installation has failed (Bug 53625).
  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • The traceback shall be sent when an exception arises in install_base (Bug 53655).
  • Fixed a regression where the App installation failed if the App had certain App settings (Bug 53630).
  • The template /usr/share/univention-portal/apps.json was unused and has been removed (Bug 53651).
  • App settings of the scope outside are now applied on the system before the App's preinst script (Bug 52506).
  • App settings were not applied correctly during the installation (Bug 53578).
  • Cache files are now verified using apt-key verify. This will allow us to update signature keys (Bug 53526).
  • An issue has been fixed where certain strings containing apostrophes caused crashes (Bug 53412).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).
  • An error has been fixed opening certain Apps (Bug 53384).
  • Installation of certain apps fails, if the app id exceeds a certain limit in length (Bug 53273).

§8.4.5. Univention Directory Manager UMC modules and command line interface

  • The encoding of computers displayName and krb5PrincipalName allows UTF-8 again, as it has been in UCS 4.4 (Bug 53927).
  • Make LDAP Object Class and Attribute names selectable (Bug 53840).
  • Make options in Extended Attributes selectable (Bug 53840).
  • Add syntax class to select UDM syntax class for Extended Attributes (Bug 53840).
  • Expose the size limit parameter in the simple UDM API (Bug 53833).
  • PDF printers can now be created without specifying a destination (Bug 53702).
  • It is now possible to set an account activation date for users, e.g. via the property accountActivationDate in the UDM module users/user (Bug 53631).
  • The simple UDM API now exposes the remove_childs option of UDM function remove() in the delete() method to recursively delete objects below the DN of the object that is being deleted (Bug 53667).
  • Modifying group objects without mail addresses in certain situations has been repaired (Bug 53653).
  • Under certain circumstances renaming a computer object was not possible (Bug 53642).
  • Timeout DNS edit operations after 120 seconds (Bug 39539).
  • In the UDM module users/user the property `lockedTime` is now correctly handled in Python 3 (Bug 53574).
  • The uniqueness of groupnames is now also checked when renaming a group (Bug 53453).
  • Since the Python 3 migration, broken LDAP filters were generated which contained byte-string representations for UDM property names which are used in filters. The values are now correctly decoded (Bug 53553).
  • The shell function ucs_registerLDAPExtension from the Univention shell library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for UMC (Bug 53532).
  • The descriptions of email related attributes have been improved (Bug 46080).
  • UDM now enforces uniqueness of the name of objects in the same sub-tree position (Bug 53102).
  • Users/LDAP objects could not be created if the mspolicy password complexity criteria was configured due to the missing displayname (Bug 53339).
  • UDM can now handle environments where the module refint for the attribute uniqueMember has been enabled (Bug 54185).

§8.4.6. Modules for system settings / setup wizard

  • The dependency on python-univention-ipcalc has been fixed (Bug 53345).
  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).
  • The login message (message of the day) showed wrong versions of supported browsers (Bug 53244).

§8.4.7. Software update module

  • The package univention-maintenance-mode has been migrated to Python 3 (Bug 53346).

§8.4.8. Domain join module

  • Rebuilt for package ldb update to version 2.2.3 (Bug 54013).
  • The package univention-ldb-modules has been migrated to Python 3 (Bug 53567).
  • An encoding issue has been fixed, which prevented the UMC join module from executing join scripts (Bug 53181).
  • Viewing the join.log in UMC now shows the newest entries instead of the first 2 MB only (Bug 53941).

§8.4.9. License module

  • A light theme for UCS web interfaces has been implemented (Bug 53390).

§8.4.10. System diagnostic module

  • The system diagnostic check no longer shows false positives when a HTTP proxy is used (Bug 50620).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).

§8.4.11. Process overview module

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).

§8.4.12. Policies

  • It's now possible to select the LDAP server in the policy_result Python library (Bug 53943).

§8.4.13. Filesystem quota module

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • The package univention-quota has been migrated to Python 3 (Bug 51317).

§8.4.14. Univention Configuration Registry module

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).

§8.4.15. Other modules

  • The package univention-system-info has been migrated to Python 3 (Bug 51321).
  • While copying a user object the entries were not filled correctly and saving was not possible (Bug 53857).
  • Some colors have been adjusted to use the new UCS 5 colors (Bug 53665).
  • Empty values are now prepended to static values for certain widgets if the syntax class requires this (Bug 53631).
  • Rewriting properties of apps using App Options changed the original options leading to follow up errors especially in the UDM REST API (Bug 53714).
  • The UDM UMC module no longer crashes when a LDAP search syntax uses a LDAP attribute as displayed label (Bug 53628).
  • The user creation wizard now shows the mailPrimaryAddress if it is required. The default value and visibility of widgets in the user creation wizard can now be configured via UCR (Bug 53456).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).

§8.5. Univention base libraries

  • UDM now enforces uniqueness of the name of objects in the same subtree position (Bug 53102).
  • Added new shell library function echowithtimestamp (Bug 53182).
  • The parsing and generating of fstab entries now rejects more invalid values and generates valid values in certain cases (Bug 53902).
  • The evaluation of deny-lists for shares has been repaired (Bug 51650).
  • The Caching settings of Univention Management Console have been enhanced and relaxed to fix Caching issues after the upgrade to UCS 5.0 (Bug 53465).
  • The shell function ucs_registerLDAPExtension from the Univention shell library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53532).

§8.6. Software deployment

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • Most UCR variable descriptions have been updated and the default values were moved to the new UCR default layer. Due to this move the default for unset values might have changed, e.g. update/check/boot/enabled and update/check/cron/enabled are affected (Bug 47860).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).
  • Due to the updated repository structure, creating a local repository mirror from a UCS 5 DVD has been deprecated. A new local repository will now directly be mirrored from the upstream online repository (Bug 53429).
  • Ignore file ucs-releases.json to prevent it from being removed on local repository clean (Bug 53429).

§8.6.1. Software monitor

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • The package univention-pkgdb has been migrated to Python 3 (Bug 51337).

§8.7. System services

§8.7.1. SAML

  • Permissions to use a SAML service provider in UCS can be configured on a user object or at group objects for all members of the group. The check for group membership via the memberOf attribute was not case-insensitive (Bug 53723).
  • The Single-Sign-On login page was not affected by the Univention Configuration Registry variable ucs/web/theme (Bug 53533).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).

§8.7.2. Univention self service

  • The descriptions of email related attributes have been improved (Bug 46080).
  • The Python 2 compatibility of the UCR module self-service-acl.py has been restored (Bug 53459).
  • A light theme for UCS web interfaces has been implemented (Bug 53390).

§8.7.3. Dovecot

  • The DH parameters for Dovecot are now correctly created. The Managesieve service could not be used with TLS before (Bug 53994).
  • Server password change now logs timestamps (Bug 53182).

§8.7.4. Postfix

  • Time-stamps have been added to the log output of the server password change call (Bug 53182).
  • The Univention Directory Listener module listfilter.py did not respect the Univention Configuration Registry variable mail/postfix/policy/listfilter/use_sasl_username=yes when it is executed with the option --test (Bug 53463).

§8.7.5. Printing services

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).
  • The package univention-printserver has been migrated to Python 3 (Bug 51335).

§8.7.6. Nagios

  • The Nagios plugin check_univention_slapd_mdb_maxsize now takes the number of free pages into account for checking the size of the LDAP database (Bug 54186).

§8.7.7. Apache

  • The package univention-apache has been migrated to Python 3 (Bug 53359).

§8.7.8. RADIUS

  • Server password change now logs timestamps (Bug 53182).
  • Activate default configuration in /etc/freeradius/3.0/sites-available (Bug 53712).

§8.7.9. Proxy services

  • The correct file keytab is now used by squid for Kerberos authentication (Bug 53648).

§8.7.10. SSL

  • Timeout SSL certificate download after 10 minutes (Bug 51776).

§8.7.11. DHCP server

  • Server password change now logs timestamps (Bug 53182).

§8.7.12. Other services

  • The theming has been adjusted for the usage in UCS@school (Bug 53665).

§8.8. Services for Windows

§8.8.1. Samba

  • Update package ldb for samba 4.13.14 (Bug 54013).
  • Package univention-samba4-backup has been fixed (Bug 53438).
  • Update Samba to 4.13.14 (effectively) (Bug 54013).
  • Server password change now logs timestamps (Bug 53182).
  • An error in the listener samba-shares.py is prevented during the removal of shares with assigned NT ACLs (Bug 53414).
  • Errors in the Python 3 migration of the listener samba-shares.py have been corrected (Bug 53458).
  • Add username map script for use when Samba is configured as domain member (Bug 54013).
  • The UCR module for Samba share restrictions did not quote the spaces inside share names like the samba listener does (Bug 53828).

§8.8.2. Univention AD Takeover

  • An error in the Python 3 migration has been fixed which made the AD takeover impossible if the AD Domain contained objects with attributes mail or proxyAddresses (Bug 53466).

§8.8.3. Univention S4 connector

  • Server password change now logs timestamps (Bug 53182).
  • The Univention S4 connector only deletes/adds objects now if they have the corresponding attribute entryUUID/objectGUID. If a new object with the same DN as an old one is created, the S4 Connector treats them now correctly as different objects (Bug 50593).
  • The script /usr/share/univention-s4-connector/msgpo.py now supports the arguments --binddn and --bindpwdfile, which had been accidentally removed in UCS 5.0 (Bug 53705).

§8.8.4. Univention Active Directory Connection

  • Invalid values in the LDAP attribute sambaNTPassword are now ignored instead of triggering a traceback (Bug 53757).
  • The Nagios check for univention-ad-connector reported a false positive if multiple ad-connector instances were running (Bug 53340).
  • UCS rejects are resynchronized only a certain amount of times. This is configurable via a new Univention Configuration Registry variable connector/ad/max_retry_rejected, which defaults to 10 tries (Bug 54147).

§8.9. Other changes

  • The package univention-home-mounter has been migrated to Python 3 (Bug 53344).
  • The package univention-ldap-overlay-memberof has been migrated to Python 3 (Bug 53356).
  • The package univention-ssh has been migrated to Python 3 (Bug 53342).
  • The package univention-admingrp-user-passwordreset has been migrated to Python 3 (Bug 53354).
  • univention-ipcalc6 has been converted to Python 3 (Bug 53345).
  • The deprecated univention-ipcalc has been removed (Bug 22511).
  • A SAML service provider configuration can now contain an array of attributes in the option case_insensitive_attributes when using an authorize:Authorize filter. These attributes will be compared case-insensitively (Bug 53723).
  • The function ucs_registerLDAPExtension from the Univention shell library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53532).
  • Standard streams could be set to non-inheritable within the daemon context, which meant that child processes did not have any standard streams. This made it impossible to use the UMC join module to join or rejoin a UCS server (Bug 53181).
  • The package univention-group-membership-cache has been added to provide a fast user and group membership cache (Bug 54182).
  • On the Primary the LDAP server module refint can now be enabled by setting the Univention Configuration Registry variable ldap/refint=true. It enforces referential integrity for the attribute uniqueMember. For updates the module will not be enabled by default (Bug 54185).

§Bibliography

[ucs-performance-guide] Univention GmbH. 2021. UCS performance guide. https://docs.software-univention.de/performance-guide-5.0.html.

[developer-reference] Univention GmbH. 2021. Univention Developer Reference. https://docs.software-univention.de/developer-reference-5.0.html.