With Univention Corporate Server 5.0-1, the first point release for Univention Corporate Server (UCS) 5.0 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bugfixes. Here is an overview of the most important changes:
UCS 5 light theme design. As announced with the release of UCS 5.0-0, in addition to the dark theme, there is also a light theme for UCS 5.0, allowing users of the UCS management system to switch between the two themes.
Scheduled user account activation. UCS administrators can create user accounts and define the date and time when they will be activated. User account creation can thus be better scheduled and done in advance without the user accounts being active right away.
Numerous improvements to the UCS Portal. Users of the UCS Portal can enjoy numerous improvements. Worth mentioning here are:
Improvements in the accessibility of the portal, for example, in the operation with the keyboard.
Improved handling of translation in a separate dialog to declutter the editing dialog.
Improved handling of notifications.
The cookie banner layout has been adapted to match the portal layout.
App Center: Several bugfixes in the handling of app settings.
User creation wizard: display attributes marked as required. UCR variables can be used to configure which user attributes have which default values and are visible when a user account is created. This allows an administrator to specify, for example, which parameters must be explicitly set and contain values in any case when creating a user account, e.g. the email address, which is not required by default.
This Univention Corporate Server release is based on Debian 10.11 Buster.
Various security updates have been integrated into UCS 5.0-1, for example for Samba4, OpenSSL, PHP and the Linux kernel.
During the update some services in the domain may be temporarily unavailable, so the update should be performed in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software, the update will take between 20 minutes and several hours. In large environments it may be useful to consult the [ucs-performance-guide].
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the Primary Directory Node (formerly referred to as master domain controller) and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the Primary Directory Node must always be the first system to be updated during a release update.
UCS 5 is only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS systems cannot be updated to UCS 5.
Please note that simultaneous operation of UCS and Debian on a UEFI system starting with UCS 5.0 is not supported.
The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. An already installed Debian leads to the fact that UCS cannot be booted (any more) after the installation of or an update to UCS 5.0. A subsequent installation of Debian will also result in UCS 5.0 not being able to boot.
Further hints on this topic are collected in the following help article: https://help.univention.com/t/17768
This section is relevant for environments where a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository running on a UCS server with version 4.x will only provide packages up to UCS 4.x, a repository server running on UCS 5 will only provide packages for UCS 5 and newer versions. To upgrade systems to UCS 5 in an environment with a local repository, the following are some of the options. First, a local UCS 5 repository server must be set up.
univention-join.
To upgrade a system in the domain to UCS 5, the server should first be upgraded to the latest package level available for UCS 4.x.
Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry variable repository/online/server.
The system can now be upgraded to UCS 5 via the Univention Management Console or via the command line.
Manually crafted Python code needs to be checked for compatibility with Python 3.7 before the update and adjusted accordingly. This includes Univention Configuration Registry templates containing Python code. Customized AD-Connector mapping templates are an example of this. See also the [developer-reference] for advice.
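One way to pre-screen customized UCR templates for Python 2 syntax before the update, as an added example that is not code from Univention. It assumes the usual UCR template convention of embedding Python between @!@ markers; the function name check_template and the sample template are constructed for illustration.

```python
import re

# Assumption: Python sections in a UCR template are delimited by "@!@" markers.
PY_SECTION = re.compile(r"@!@(.*?)@!@", re.DOTALL)


def check_template(text, name="<template>"):
    """Compile every embedded Python section with the running interpreter.

    Returns a list of (section_index, template_line, message) tuples, one per
    section that fails to compile. Nothing is executed, so names such as
    configRegistry do not need to exist.
    """
    problems = []
    for index, match in enumerate(PY_SECTION.finditer(text), start=1):
        code = match.group(1)
        # Template line on which this section's code begins.
        first_line = text.count("\n", 0, match.start(1)) + 1
        try:
            compile(code, f"{name}#section{index}", "exec")
        except SyntaxError as exc:
            line = first_line + (exc.lineno or 1) - 1
            problems.append((index, line, exc.msg))
    return problems


# Constructed sample: section 1 still uses the Python 2 print statement,
# section 2 is already valid Python 3.
SAMPLE = """\
# Warning: this file is generated
[global]
@!@
print 'server = %s' % configRegistry.get('ldap/server/name')
@!@
@!@
if configRegistry.is_true('mail/example/enabled', False):
    print('enabled = yes')
@!@
"""

if __name__ == "__main__":
    for section, line, message in check_template(SAMPLE, "sample.conf"):
        print(f"sample.conf:{line}: section {section}: {message}")
```

The check only catches syntax-level incompatibilities as seen by the interpreter it runs under, so run it with Python 3.7; semantic changes such as bytes versus str handling still need manual review.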
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 1-2 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system's local console as user root, and the update should be initiated there.
Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted.
In consequence, this can affect the system severely.
If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network.
This can be achieved, e.g., using the tools tmux, screen and at.
These tools are installed on all UCS system roles by default.
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
    # download
    curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-1{.gpg,}

    # verify and run script
    apt-key verify pre-update-checks-5.0-1{.gpg,} && bash pre-update-checks-5.0-1

    ...

    Starting pre-update checks ...

    Checking app_appliance ...                  OK
    Checking block_update_of_NT_DC ...          OK
    Checking cyrus_integration ...              OK
    Checking disk_space ...                     OK
    Checking hold_packages ...                  OK
    Checking ldap_connection ...                OK
    Checking ldap_schema ...                    OK
    ...
Following the update, new or updated join scripts need to be executed.
This can be done in two ways:
Either using the UMC module or by running the command univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Piwik. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry of the user menu in the upper right corner of Univention Management Console. If is listed under , this version is in use. When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry variable umc/web/piwik to false.
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 85
Firefox as of version 78
Safari and Safari Mobile as of version 13
Microsoft Edge as of version 88
Users running older browsers may experience display or performance issues.
Listed are the changes since UCS 5.0-0:
All security updates issued for UCS 5.0-0 are included:
The following updated packages from Debian Buster 10.11 are included (Bug 54218): ansible, apache-log4j2, apt, aspell, atftp, awstats, base-files, btrbk, c-ares, clamav, clevis, commons-io, connman, crmsh, cyrus-imapd, debconf, debian-installer-netboot-images, distcc, distro-info-data, dnspython, dput-ng, espeak-ng, eterm, exactimage, exiv2, ffmpeg, fig2dev, fluidsynth, freediameter, fwupd-amd64-signed, fwupdate-amd64-signed, fwupdate, fwupd, gcc-mingw-w64, golang-github-docker-docker-credential-helpers, grilo, gthumb, hg-git, htmldoc, htslib, http-parser, hyperkitty, ipmitool, ircii, irssi, isync, jackson-databind, java-atk-wrapper, jetty9, ledgersmb, lemonldap-ng, libbusiness-us-usps-webtools-perl, libdatetime-timezone-perl, libgetdata, libmateweather, libpam-tacplus, libspf2, libuv1, libxml-security-java, libxstream-java, liferea, linuxptp, lynx, mailman, mediawiki, modsecurity-crs, mqtt-client, mumble, mupdf, neutron, nextcloud-desktop, nginx, nmap, node-ansi-regex, node-axios, node-glob-parent, node-handlebars, node-hosted-git-info, node-jszip, node-redis, node-tar, node-ws, nvidia-cuda-toolkit, nvidia-graphics-drivers-legacy-390xx, nvidia-graphics-drivers, opendmarc, openjdk-11-jre-dcevm, openjdk-11, openvpn, php-horde-text-filter, plinth, postorius, proftpd-dfsg, prosody, psmisc, python-uflash, rails, redis, request-tracker4, ring, roundcube, ruby-kaminari, ruby-websocket-extensions, rust-rustyline, rxvt-unicode, sabnzbdplus, salt, scrollz, shim-helpers-amd64-signed, shim, shim-signed, shiro, speedtest-cli, squashfs-tools, strongswan, thunderbird, tnef, tomcat9, tor, trafficserver, tzdata, ublock-origin, uim, ulfius, user-mode-linux, velocity, webkit2gtk, wireshark, wml, wordpress, xen, xfce4-weather-plugin, xmlgraphics-commons, yubikey-manager
The following packages have been moved to the maintained repository of UCS: univention-tftp (Bug 35487)
ucr commit now prints a warning if a file is specified for which no template is registered (Bug 50010).
handler() with a dictionary mapping variables to a 2-tuple containing the old and new value, even when ucr commit or ucr register are invoked (Bug 53424).
last_id atomically (Bug 51910).
listener/listener file cannot be written (Bug 51910).
<TransID> if last_id could not be determined as all (Bug 51910).
listener/listener.priv file too if getting last_id failed (Bug 51910).
listener/listener file if getting last_id failed (Bug 51910).
univention-translog have been improved (Bug 51911, Bug 49430).
univention-translog now also checks the file listener/listener.priv if that exists (Bug 51911, Bug 49430).
univention-translog recognizes the special values <TransID> and 0 and is able to fix them (Bug 51911, Bug 49430).
translog overlay is not a valid integer (Bug 51911, Bug 49430).
failed.ldif has been repaired, it was broken due to the Python 3 migration (Bug 53430).
/var/log/univention/listener.log (Bug 53071).
overview=false has been adjusted (Bug 53906).
DateBox and TimeBox now handle empty values correctly and support the syntax date2 again (Bug 53631).
ucs/web/theme has been added to configure a theme for all UCS web interfaces. The dark theme is the default (Bug 53307).
/usr/share/univention-portal/apps.json was unused and has been removed (Bug 53651).
console.log messages (Bug 53385, Bug 53491).
modals cannot be closed when clicking the background; New layer for loading animation (Bug 53385, Bug 53491).
image/svg+xml (Bug 53779).
umc/http/enforce-secure-cookie can be set to make cookies secure when using an HTTPS connection (Bug 51242).
umc/http/enforce-session-cookie can be set to make the login cookie a session cookie. Closing the browser will delete the cookie, effectively logging out the user (Bug 53508).
docker inspect fails has been repaired (Bug 53803).
/usr/share/univention-portal/apps.json was unused and has been removed (Bug 53651).
users/user (Bug 53631).
remove_childs option of UDM function remove() in the delete() method to recursively delete objects below the DN of the object that is being deleted (Bug 53667).
users/user the property `lockedTime` is now correctly handled in Python 3 (Bug 53574).
ucs_registerLDAPExtension from the Univention shell library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for UMC (Bug 53532).
mspolicy password complexity criteria was configured due to the missing displayname (Bug 53339).
refint for the attribute uniqueMember has been enabled (Bug 54185).
join.log in UMC now shows the newest entries instead of the first 2 MB only (Bug 53941).
policy_result Python library (Bug 53943).
echowithtimestamp (Bug 53182).
fstab entries now rejects more invalid values and generates valid values in certain cases (Bug 53902).
ucs_registerLDAPExtension from the Univention shell library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53532).
unset values might have changed, e.g. update/check/boot/enabled and update/check/cron/enabled are affected (Bug 47860).
ucs-releases.json to prevent it from being removed on local repository clean (Bug 53429).
ucs/web/theme (Bug 53533).
listfilter.py did not respect the Univention Configuration Registry variable mail/postfix/policy/listfilter/use_sasl_username=yes when it is executed with the option --test (Bug 53463).
check_univention_slapd_mdb_maxsize now takes the number of free pages into account for checking the size of the LDAP database (Bug 54186).
samba-shares.py is prevented during the removal of shares with assigned NT ACLs (Bug 53414).
samba-shares.py have been corrected (Bug 53458).
/usr/share/univention-s4-connector/msgpo.py now supports the arguments --binddn and --bindpwdfile, which have been accidentally removed in UCS 5.0 (Bug 53705).
connector/ad/max_retry_rejected, which defaults to 10 tries (Bug 54147).
ucs_registerLDAPExtension from the Univention shell library now allows the option umcmessagecatalog. This option can be used to supply translation files in GNU message catalog format for the UMC (Bug 53532).
refint can now be enabled by setting the Univention Configuration Registry variable ldap/refint=true. It enforces referential integrity for the attribute uniqueMember. For updates the module will not be enabled by default (Bug 54185).
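A check for the effect of the umc/http/enforce-secure-cookie and umc/http/enforce-session-cookie variables listed above, run against a captured Set-Cookie header; this is an added example, not code from Univention. The cookie name UMCSessionId, the header values and the function name audit_set_cookie are constructed for illustration.

```python
from http.cookies import CookieError, SimpleCookie


def audit_set_cookie(header_value, https=True):
    """Check one Set-Cookie header value; return a list of findings (empty = OK)."""
    cookie = SimpleCookie()
    try:
        cookie.load(header_value)
    except CookieError as exc:
        return [f"unparseable header: {exc}"]
    if not cookie:
        # SimpleCookie silently yields nothing for malformed input; never
        # report such a header as compliant.
        return ["unparseable header: no cookie found"]
    findings = []
    for name, morsel in cookie.items():
        # Secure: the browser must not send the cookie over plain HTTP.
        if https and not morsel["secure"]:
            findings.append(f"{name}: Secure attribute missing")
        # Session cookie: neither Expires nor Max-Age may be present, so the
        # cookie is discarded when the browser is closed.
        if morsel["expires"] or morsel["max-age"]:
            findings.append(f"{name}: persistent (Expires/Max-Age set)")
    return findings


# Constructed sample headers (not captured from a real UCS system).
HARDENED = "UMCSessionId=3f1c; Path=/univention/; Secure; HttpOnly"
WEAK = "UMCSessionId=3f1c; Path=/univention/; Expires=Wed, 01 Dec 2021 10:00:00 GMT"

if __name__ == "__main__":
    for label, header in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_set_cookie(header) or "OK")
```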
[ucs-performance-guide] Univention GmbH. 2021. UCS performance guide. https://docs.software-univention.de/performance-guide-5.0.html.
[developer-reference] Univention GmbH. 2021. Univention Developer Reference. https://docs.software-univention.de/developer-reference-5.0.html.