UCS 5.0 Release Notes

Release notes for the setup and update of Univention Corporate Server (UCS) 5.0-2

Published 2022-06-30


Table of Contents

1. Release highlights
2. Notes on the update
2.1. Recommended update order
2.2. UCS only available as 64-bit variant
3. Simultaneous operation of UCS and Debian on UEFI systems
4. Local repository
5. Preparation of the update
6. Post-processing of the update
7. Notes on the use of individual packages
7.1. Collection of usage statistics
7.2. Recommended browsers for accessing Univention Management Console
8. Changelog
8.1. General
8.2. Univention Installer
8.3. Basic system services
8.3.1. Univention Configuration Registry
8.3.1.1. Changes to templates and modules
8.4. Domain services
8.4.1. OpenLDAP
8.4.1.1. Listener/Notifier domain replication
8.4.2. DNS server
8.4.3. Univention Directory Listener
8.5. Univention Management Console
8.5.1. Univention Management Console web interface
8.5.2. Univention Portal
8.5.3. Univention Management Console server
8.5.4. Univention App Center
8.5.5. Univention Directory Manager UMC modules and command line interface
8.5.6. Modules for system settings / setup wizard
8.5.7. Domain join module
8.5.8. Univention Directory Reports
8.5.9. System diagnostic module
8.5.10. Filesystem quota module
8.5.11. Other modules
8.6. Univention base libraries
8.7. Software deployment
8.8. System services
8.8.1. PostgreSQL
8.8.2. Docker
8.8.3. SAML
8.8.4. Univention self service
8.8.5. Mail services
8.8.6. Dovecot
8.8.7. Postfix
8.8.8. Monitoring / Nagios
8.8.9. Apache
8.8.10. RADIUS
8.8.11. Proxy services
8.8.12. Kerberos
8.8.13. SSL
8.8.14. DHCP server
8.9. Services for Windows
8.9.1. Samba
8.9.2. Univention AD Takeover
8.9.3. Univention S4 Connector
8.9.4. Univention Active Directory Connection
8.10. Other changes
Bibliography

§Chapter 1. Release highlights

With Univention Corporate Server 5.0-2, the second point release for Univention Corporate Server (UCS) 5.0 is available. It comprises functional enhancements and improvements, new features, and various detail improvements and bug fixes. The most important changes at a glance:

  • The User Self-Service has been integrated into the UCS Portal. In addition, support for further placeholders such as first name and last name in the e-mail template for resetting the password has been extended, among other things.

  • For RADIUS, users can set a so-called service-specific password, and administrators can assign dedicated VLANs to user groups, thereby increasing network security.

  • SameSite cookies can now be configured for UMC and SAML.

  • The AD Takeover has been made more robust.

  • Numerous performance improvements regarding DNS, LDAP and the login to the UMC have been made.

  • The French translation for the UCS management system has been updated.

  • The UMC system diagnostics have been expanded: several new checks have been added and some older ones improved.

  • Most packages have been migrated to Python 3. Their Python 2 variants are no longer installed by default and will be removed.

  • This Univention Corporate Server release is based on Debian 10.12 Buster.

  • Various security updates have been integrated into UCS 5.0-2, e.g. for Samba4, OpenLDAP, OpenSSL and the Linux kernel.

§Chapter 2. Notes on the update

During the update, services within the domain may be temporarily unavailable. For this reason, the update should be performed within a maintenance window. In general, it is recommended to install and test the update in a test environment first. The test environment should be identical to the production environment. Depending on system speed, network connection and installed software, the update can take between 20 minutes and several hours. In large environments it may make sense to consult the [ucs-performance-guide].

§2.1. Recommended update order

In environments with more than one UCS system, the update order of the UCS systems must be observed:

The Primary Directory Node (formerly called Domaincontroller Master) holds the authoritative version of the LDAP directory service, which is replicated to all other LDAP servers of the UCS domain. Since release updates may involve changes to the LDAP schemas, the Primary Directory Node must always be the first system to be updated during a release update.

§2.2. UCS only available as 64-bit variant

UCS 5 is only provided for 64-bit architectures. Existing 32-bit UCS systems cannot be updated to UCS 5.

§Chapter 3. Simultaneous operation of UCS and Debian on UEFI systems

Starting with UCS 5.0, simultaneous operation of UCS and Debian on a UEFI system is not supported.

The reason for this is the GRUB bootloader of Univention Corporate Server, which partly uses the same configuration files as Debian. An already installed Debian means that UCS can no longer be booted after the installation of, or an update to, UCS 5.0. A subsequent installation of Debian will likewise result in UCS 5.0 no longer being bootable.

Further information on this topic is collected in the following article: https://help.univention.com/t/17768

§Chapter 4. Local repository

This section is relevant for environments in which a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository operated on a UCS server in version 4.x provides only packages up to UCS version 4.x; a repository on a UCS 5 server provides only packages for UCS 5 and newer versions. To update systems to UCS 5 in an environment with a local repository, the following options exist, among others. First, a local UCS 5 repository server must be set up:

  • A new UCS 5 system is installed as Primary Directory Node from the DVD or from a virtualized base image. Subsequently, a local repository is set up on this system as described in the UCS 5 manual.
  • A new UCS 5 system is installed with the system role Backup Directory Node, Replica Directory Node or Managed Node from the DVD or from a virtualized base image. In the system setup, select that the system does not join a domain. Subsequently, a local repository is set up on this system as described in the UCS 5 manual. After the Primary Directory Node used in the domain has been updated to UCS 5, the UCS 5 repository server can join the domain via univention-join.

To update a system in the domain to UCS 5, the server should first be updated to the latest package level under UCS 4.x. Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry variable repository/online/server. The system can now be updated to UCS 5 via Univention Management Console or via the command line.

§Chapter 5. Preparation of the update

Manually created Python program code must be checked for compatibility with Python 3.7 before the update and adapted accordingly. This also applies to Univention Configuration Registry templates that contain Python code; customized Univention AD Connector mapping templates are one example. Further information can be found in the [developer-reference].

It should be checked whether sufficient disk space is available. A standard installation requires at least 6-10 GB of disk space. Depending on the size of the existing installation, the update requires approximately 1-2 GB of additional disk space for downloading and installing the packages.

For the update, log in on the local console of the system as user root and start the update there. Alternatively, the update can be performed via Univention Management Console.

A remote update via SSH is not recommended, since an interruption of the network connection, for example, may abort the update process and leave the system in an impaired state. If an update is nevertheless performed over a network connection, it must be ensured that the update continues even if the network connection is interrupted. For this purpose, tools such as tmux, screen or at can be used, which are installed on all UCS system roles.

Univention offers a script that detects problems which would prevent the update of the UCS system before the update is started. This script can be downloaded to the system manually and executed before the update:

# download
curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-2{.gpg,}

# verify and run script
apt-key verify pre-update-checks-5.0-2{.gpg,} &&
  bash pre-update-checks-5.0-2

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

§Chapter 6. Post-processing of the update

After the update, the new or updated join scripts must be executed. This can be done in two ways: either via the UMC module Domain join or by invoking the command univention-run-join-scripts as user root.

Afterwards, the UCS system must be restarted.

§Chapter 7. Notes on the use of individual packages

§7.1. Collection of usage statistics

When the UCS Core Edition is used, anonymous usage statistics on the use of Univention Management Console are generated. The modules opened are logged by an instance of the web traffic analysis tool Piwik. This allows Univention to better tailor the development of Univention Management Console to customer interests and to make usability improvements.

This logging only takes place when the UCS Core Edition is used. The license status can be checked via the entry License -> License information in the user menu in the upper right corner of Univention Management Console. If the entry UCS Core Edition is shown under License type, such an edition is in use. When a regular UCS license is used, there is no participation in the usage statistics.

Regardless of the license used, the logging can be disabled by setting the Univention Configuration Registry variable umc/web/piwik to false.

§7.2. Recommended browsers for accessing Univention Management Console

Univention Management Console uses numerous JavaScript and CSS functions to render the web interface. Cookies must be allowed in the browser. The following browsers are recommended:

  • Chrome from version 85

  • Firefox from version 78

  • Safari and Safari Mobile from version 13

  • Microsoft Edge from version 88

With older browsers, display or performance problems may occur.

§Chapter 8. Changelog

The changelogs with the detailed change information are only maintained in English. Listed are the changes since UCS 5.0-1:

§8.1. General

§8.2. Univention Installer

  • Remove left-over static host configuration for 127.0.1.1 (Bug 49042).

§8.3. Basic system services

§8.3.1. Univention Configuration Registry

  • Adapted the code due to a Linux kernel API change in v5.7-rc1~128, where open(O_EXCL) now returns EEXIST instead of EISDIR (Bug 54476).
  • The remaining scripts have all been migrated to Python 3 (Bug 54208).
  • The Python API of Univention Configuration Registry has been extended to offer a method get_int(), which can be used to avoid receiving a string when an integer is required. If the value of the requested Univention Configuration Registry variable is not a number, the default value is returned verbatim instead (Bug 20933).
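The following is an added example, not UCS code: a stand-in class that mirrors the documented semantics of the new get_int() method (integer on success, default returned verbatim otherwise) and shows the Python 3 pitfall it avoids, namely that comparing a raw string UCR value with an int raises TypeError. ConfigRegistryStandIn and the sample values are constructed for this example; only the variable names come from this page.

```python
"""Added example: a stand-in for the UCR Python API's get_int() semantics.
ConfigRegistryStandIn is hypothetical and only reproduces the behaviour the
changelog describes; it is not univention.config_registry.ConfigRegistry."""

from typing import Dict, Optional


class ConfigRegistryStandIn:
    """Minimal stand-in: UCR hands every stored value back as a string."""

    def __init__(self, values: Dict[str, str]) -> None:
        self._values = dict(values)

    def get(self, key: str, default: Optional[str] = None) -> Optional[str]:
        # A raw lookup always yields a string (or the default), never an int.
        return self._values.get(key, default)

    def get_int(self, key: str, default=None):
        """Return the variable converted to int. If the variable is unset or
        not a number, the default is returned verbatim, without conversion."""
        value = self.get(key)
        try:
            return int(value)
        except (TypeError, ValueError):
            # TypeError: variable unset (None); ValueError: not numeric.
            return default


# Constructed sample values in the string form UCR would store them in.
SAMPLE_UCR = ConfigRegistryStandIn({
    "directory/manager/rest/processes": "4",
    "logrotate/rotate/count": " 12 ",   # int() tolerates surrounding whitespace
    "dns/timeout-start": "fast",        # misconfigured: not a number
})


def threshold_exceeded_raw(ucr: ConfigRegistryStandIn, key: str, limit: int) -> bool:
    """Python 2 style code: under Python 3 'str > int' raises TypeError."""
    return ucr.get(key) > limit


def threshold_exceeded(ucr: ConfigRegistryStandIn, key: str, limit: int, fallback: int) -> bool:
    """Safe variant: get_int() with an int fallback always yields an int."""
    return ucr.get_int(key, fallback) > limit


def demo() -> dict:
    """Run the comparisons and return what happened for each case."""
    results = {
        "processes": SAMPLE_UCR.get_int("directory/manager/rest/processes", 1),
        "count": SAMPLE_UCR.get_int("logrotate/rotate/count", 0),
        "timeout_bad": SAMPLE_UCR.get_int("dns/timeout-start", "unset"),   # default verbatim
        "missing": SAMPLE_UCR.get_int("kerberos/defaults/ticket-lifetime", 3600),
    }
    try:
        threshold_exceeded_raw(SAMPLE_UCR, "directory/manager/rest/processes", 2)
        results["raw_compare"] = "no error"
    except TypeError:
        results["raw_compare"] = "TypeError"
    results["safe_compare"] = threshold_exceeded(
        SAMPLE_UCR, "directory/manager/rest/processes", 2, 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```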

§8.3.1.1. Changes to templates and modules

  • The Univention Configuration Registry template for the file /etc/hosts now always produces the same output given the same configuration (Bug 54558).
  • Clarified the description of the Univention Configuration Registry variable logrotate/rotate/count (Bug 54691).

§8.4. Domain services

§8.4.1. OpenLDAP

  • The ppolicy overlay module uses embedded Python. This has been migrated to Python 3 (Bug 54582).
  • The behavior of the translog overlay was modified to skip grandchildren of the cn=temporary,cn=univention container. This new behavior can be controlled by the Univention Configuration Registry variable ldap/translog-ignore-temporary. This reduces the number of replication transactions during creation of users and groups significantly. As a result it increases the replication performance and reduces the rate at which the cn=translog LMDB backend database gets filled. This variable is applicable only to the Primary Directory Node. The package univention-ldap-server activates this variable by default (Bug 48626).

§8.4.1.1. Listener/Notifier domain replication

  • An error when deactivating a listener module through UCR has been fixed (Bug 54696).
  • univention-translog import --min TID had no effect (Bug 54794).
  • Several memory issues have been fixed (Bug 49868).
  • The Notifier sometimes failed to process all transactions in bulk and aborted. This led to the Notifier making no progress and filling the log file with the same error messages again and again. Transactions are now processed incrementally (Bug 49868).
  • If the number of transactions was lower than 1000, only some of the transactions were imported during the join of a backup (Bug 54203).

§8.4.2. DNS server

  • The Univention Configuration Registry variable dns/timeout-start is now also considered in the systemd unit univention-bind-ldap. This can be used in cases where a large number of DNS zones slows down the start of the DNS server bind. This only affects systems which have dns/backend set to ldap, i.e. systems that are not configured as Samba/AD DC. After changing the variable, running systemctl daemon-reload once is required (Bug 54108).

§8.4.3. Univention Directory Listener

  • The unused method get_configuration() has been removed from the ListenerModuleConfiguration class in the univention.listener.handler_configuration module (Bug 54501).

§8.5. Univention Management Console

§8.5.1. Univention Management Console web interface

  • A new widget suggesting mail domains while typing has been introduced (Bug 54467).
  • The logic for mapping UDM syntax classes to UMC frontend widgets and for getting the dynamic choices for a UDM syntax has been moved into the UDM syntax classes (Bug 38762).
  • The domain component in an LDAP path is no longer shown in the wrong, reversed order (Bug 53678).
  • In case of a long-lasting login, certain UMC modules do not work properly. If this happens, a message will be displayed to the user containing a link to https://help.univention.com/t/6413 (Bug 54032).
  • A new method has been added to generate and set a service specific password for a user (Bug 54438).
  • The UDM REST API now supports UDM object types containing a hyphen (-) in their name (Bug 54063).
  • The entryUUID and dn of newly created objects are now included in the response (Bug 54347).
  • The UDM REST API now supports multiprocessing via the Univention Configuration Registry variable directory/manager/rest/processes. Further details can be found in the performance guide (Bug 50050).

§8.5.2. Univention Portal

  • The Portal server now fetches user information from the UMC server asynchronously (Bug 53853).
  • Fixed various accessibility issues (Bug 54556).
  • Fixed various CSS issues (Bug 54556).
  • Added new tooltips. They comply with accessibility requirements (Bug 54556).
  • Improved the translation widget when editing portal entries (Bug 54556).
  • Fixed drag and drop behavior when using the keyboard, added screen reader support (Bug 54556).
  • The portal now integrates the self service functionality: resetting passwords, changing the profile, verifying accounts, etc. are now possible from within the portal (Bug 54556).
  • The French translation of UDM portal attributes has been updated (Bug 54029).
  • Some requests have been excluded from apache2/force_https, so that the portal tiles in the UMC are shown even if https is forced (Bug 53296).
  • The Portal server now provides a navigation endpoint (Bug 54618).
  • Keywords can now be added to portal entries. They are not visible, but searchable (Bug 54295).
  • Entries can now be opened in new tabs with a specific internal name ("target") (Bug 54633).

§8.5.3. Univention Management Console server

  • The function DNSanitizer has been added to the Python module variable __all__ to prevent warnings for developers (Bug 52445).
  • The cookie attribute SameSite can now be set for UMC cookies via the Univention Configuration Registry variable umc/http/cookie/samesite (Bug 54484).
  • univention-management-console-dev now depends on both imagemagick and inkscape (Bug 54043).

§8.5.4. Univention App Center

  • The reason why servers are excluded from the app-installation drop-down menu is displayed again (Bug 54460).
  • Change order and prioritize App specific settings over App Center settings when populating the environment file. This is required for some upcoming Apps to be installed (Bug 54612).
  • The tmpfs mounts that are created for a Docker app can now be defined in the app's ini file (Bug 54562).
  • A race condition that caused apps to lose their installation status has been fixed (Bug 54452).
  • Validate the form when choosing the installation host (Bug 53523).
  • Make the check regarding network conflicts with docker more robust (Bug 54082).

§8.5.5. Univention Directory Manager UMC modules and command line interface

  • The mapping of syntax class to UMC widgets via the Univention Configuration Registry variable directory/manager/web/widget/.* has been removed. This can now be achieved via syntax classes directly (Bug 54840).
  • An error introduced in UCS 5.0-2 erratum 335 has been repaired which caused, for example, the selection list of printer models in the printer shares module to not be fetched (Bug 54849).
  • The error handling of the syntax class jpegPhoto was broken since UCS 5.0-0 and has been repaired (Bug 54769).
  • Clarified error message for invalid host name or FQDN (Bug 54663).
  • The available mail domains are now suggested when entering values for the attribute mailPrimaryAddress of objects users/user (Bug 54467).
  • Syntax classes can now depend on another UDM property and restrict their choices based on that (Bug 53843).
  • The logic for mapping UDM syntax classes to UMC frontend widgets and for getting the dynamic choices for a UDM syntax has been moved into the UDM syntax classes (Bug 38762).
  • A crash while accessing a user with multiple user certificates has been repaired (Bug 54617).
  • Changing the case of the name or email attributes will no longer be prevented by the locking mechanism (Bug 52760).
  • Some redundant log messages logging password hashes were removed (Bug 54348).
  • The performance of the license check has been improved to reduce the initial login time (Bug 52292).
  • Backend functionality for service specific passwords has been added. It cannot be used via CLI (Bug 54438).
  • When removing a policy the policy is removed from the referencing objects (Bug 16966).
  • Searching with patterns containing umlauts is possible again (Bug 53975).
  • It is now possible to search for the user expiry date of users/user objects (Bug 54150).
  • Two resource sharing conflicts on Python dictionaries have been fixed that could lead to tracebacks when modules are reloaded in a multi-threaded context (Bug 53581).
  • Moving of users/ldap objects is possible again. This was broken due to the Python 3 migration in UCS 5.0 (Bug 54085).
  • When user templates were members of groups an error was raised which prevented opening or modifying that group. Templates as group members are now ignored in UDM module groups/group (Bug 54402).
  • When setting a user as a member of a group in UDM who had the same UID as, but a different DN than, another member, the related attribute memberUid of the group was dropped. This happened in the Cool Solution user-group-sync during move operations (Bug 54297).
  • The French translation of UDM extended attributes has been updated (Bug 54029).
  • The entryUUID of an LDAP object is now exposed by the UDM API (Bug 54883).

§8.5.6. Modules for system settings / setup wizard

  • The package univention-system-setup has been migrated to Python 3 (Bug 51318).

§8.5.7. Domain join module

  • When executing join scripts via UMC module Domain Join the progress bar will now display the name of the currently running script instead of the last script that was finished (Bug 33255).
  • The join script of univention-samba4 passed the credentials in clear text to other tools like ldbsearch as command line arguments. To reduce the attack surface it now uses a file instead (Bug 53100).
  • Joining a backup node into a single server UCS@school environment failed because the LDB module univention_samaccountname_ldap_check attempted to create an object of type computers/windows for it, which always failed because the account name was already taken by the computers/domaincontroller_backup object (Bug 54768).
  • Several memory and open file descriptor leaks have been fixed. An error restarting Samba during package installation has been fixed. The build system for the package has been cleaned up (Bug 48823).

§8.5.8. Univention Directory Reports

  • The script univention-directory-reports now offers two new options: The option --output-dir allows specification of the output directory and --output-name allows to specify the file name of the report (Bug 54153).

§8.5.9. System diagnostic module

  • A new diagnostic plugin has been added to detect cases where the group membership attributes uniqueMember and memberUid are no longer consistent (Bug 48652).
  • 52_mail_acl_sync will no longer fail if multiple IMAP mail folders exist (Bug 54675).
  • A new diagnostic plugin has been added to detect cases where an LDAP schema is missing that is actually still referenced by some objects (Bug 53455).
  • The script univention-run-diagnostic-checks now displays links in the description of failed tests (Bug 50756).
  • Disk usage checks will now handle log level evaluations of Univention Configuration Registry variable ldap/debug/level correctly (Bug 49354).
  • A diagnostic warning for the Samba replication status will now be formatted properly (Bug 53341).
  • Mounted ISO images are no longer included in the disk usage diagnostic plugin (Bug 49353).
  • The Python 3 compatibility when handling exceptions in certain diagnostic plugins has been corrected (Bug 53306).
  • A diagnostic module has been added to check the Univention Configuration Registry variable notifier/protocol/version (Bug 54264).
  • univention-run-diagnostic-checks now offers to run a group of tests and also to exclude some of the tests (Bug 53969).
  • The script univention-run-diagnostic-checks is now executed with machine account credentials by default (Bug 54515).
  • The detection of slapschema error messages has been improved in 62_check_slapschema (Bug 54681).

§8.5.10. Filesystem quota module

  • Setting quotas for accounts with a fully numeric username has been fixed (Bug 54638).

§8.5.11. Other modules

  • Syntax classes can now depend on another UDM property and restrict their choices based on that (Bug 53843).
  • The logic for mapping UDM syntax classes to UMC frontend widgets and for getting the dynamic choices for a UDM syntax has been moved into the UDM syntax classes (Bug 38762).
  • A UMC operation set enabling the creation of UDM Reports was added (Bug 54109).
  • Byte values are now correctly decoded for the labels of choices delivered by the syntax class LDAP_Search (Bug 54190).
  • The domain component in an LDAP path is no longer shown in the wrong, reversed order (Bug 53678).
  • The Univention Configuration Registry variable directory/manager/web/modules/users/user/wizard/property/invite/default now works properly and can be used to activate the "invite user via e-mail" option in the user wizard by default (Bug 54316).

§8.6. Univention base libraries

  • Detecting UMC specific files did not work for packages containing files with blanks in their filenames. This led to error messages during package upgrades and inconsistent cache behavior (Bug 54047).
  • UCSVersion now includes the erroneous input parameter in the error message for debugging (Bug 49061).
  • Added the new function generate_password that can generate random passwords. The new function password_config can be used to get parameters for that from UCR (Bug 54555).
  • Changing a user password is now possible again when the referenced password history policy did not define values for password length or history length (Bug 51354).
  • For Python-ldap-3.3.0 (and higher) some TLS settings are no longer immediately materialized. To ensure correct behavior of TLS encrypted LDAP connections, the option OPT_X_TLS_NEWCTX will be necessary for future UCS versions (Bug 54408).

§8.7. Software deployment

  • The option --updateto of univention-upgrade is now parsed earlier, and the command exits on an invalid parameter (Bug 49061).
  • The apt-get option --force-yes is deprecated and has been replaced with --allow-unauthenticated --allow-downgrades --allow-remove-essential --allow-change-held-packages (Bug 48891).
  • App updates invoked by univention-upgrade will now work correctly (Bug 53666).

§8.8. System services

§8.8.1. PostgreSQL

  • During the upgrade to UCS 5.0-1, PostgreSQL 11 might have been disabled by accident by setting the Univention Configuration Registry variable postgres11/autostart=no (Bug 54255).

§8.8.2. Docker

  • The script migrate_container_MountPoints_to_v2_config is deprecated since UCS 4.3 and has been removed (Bug 52539).
  • The package univention-docker-container-mode is deprecated since UCS 4.3 and has been replaced by an empty transitional package (Bug 52539).

§8.8.3. SAML

  • The cookie attributes Secure and SameSite can now be set for the session and language cookies of SAML Identity Providers via the Univention Configuration Registry variables saml/idp/session-cookie/secure, saml/idp/session-cookie/samesite, saml/idp/language-cookie/secure and saml/idp/language-cookie/samesite (Bug 54483).
  • The link to the self service has been changed to point to the new portal based self service (Bug 54556).
  • An internal ID has been fixed, which caused the German translation not being shown when new passwords did not match (Bug 54268).
  • The French translation of UDM extended attributes has been updated (Bug 54029).

§8.8.4. Univention self service

  • The logic for mapping UDM syntax classes to UMC frontend widgets and for getting the dynamic choices for a UDM syntax has been moved into the UDM syntax classes (Bug 38762).
  • The Self Service now adds its dedicated portal to make use of the new features in Univention Portal. For more, see https://help.univention.com/t/19671 (Bug 54556).
  • A new backend function has been added that can set service specific passwords for a user (Bug 54434).
  • The e-mail template for password reset tokens now supports additional placeholders for the properties title, initials, displayName, firstname, lastname, mailPrimaryAddress, employeeNumber and organisation (Bug 48960).
  • The package has been migrated to Python 3. Custom plugins for sending the password recovery tokens also need to be migrated to Python 3 (Bug 51327, Bug 54466).
  • The French translation of UDM extended attributes and portal attributes has been updated (Bug 54029).

§8.8.5. Mail services

  • The French translation of UDM extended attributes has been updated (Bug 54029).
  • A bug where antivirus signatures could not get updated properly on fresh installations has been fixed (Bug 54070).

§8.8.6. Dovecot

  • The French translation of UDM extended attributes has been updated (Bug 54029).

§8.8.7. Postfix

  • Error handling in the script /usr/share/univention-mail-postfix/listfilter.py has been repaired (Bug 54560).

§8.8.8. Monitoring / Nagios

  • A new monitoring system has been implemented based on Prometheus, Prometheus Alertmanager and Grafana. During the upgrade all current Nagios services are migrated to Monitoring alerts (Bug 54748, Bug 54749, Bug 54750).
  • The configuration of NRPE plugin definitions was broken due to the migration to Python 3 and has been repaired (Bug 53681).
  • The Nagios plugins in univention-nagios-client have been converted to Python 3 (Bug 52258).

§8.8.9. Apache

  • Apache can now be configured to only accept TLS v1.3 connections by setting the Univention Configuration Registry variable apache2/ssl/tlsv13 to true (Bug 54306).

§8.8.10. RADIUS

  • The RADIUS server can now assign VLAN IDs to user connections if their group has the attribute vlanId set. The Univention Configuration Registry variable freeradius/vlan-id has been added to set a VLAN ID even if the user is not a member of any such group (Bug 25916).
  • A new Univention Configuration Registry variable radius/use-service-specific-passwords has been added: if enabled, the authentication is done against a RADIUS specific password, not the domain password of the user (Bug 54409).
  • An error while adding the French translation to an extended attribute during the package update has been fixed (Bug 54461).
  • The French translation of UDM extended attributes has been updated (Bug 54029).
  • Updating an old RADIUS installation will now correctly update the description for the extended attributes networkAccessGroups and NetworkAccessComputers (Bug 54341).

§8.8.11. Proxy services

  • The package univention-squid has been migrated to Python 3 (Bug 53357).

§8.8.12. Kerberos

  • The Kerberos ticket lifetime was made configurable via Univention Configuration Registry variable kerberos/defaults/ticket-lifetime (Bug 52987).

§8.8.13. SSL

  • Some web browsers refused wildcard certificates generated by univention-certificates because the information was only stored in common name but required in subject alternative names, too (Bug 53288).

§8.8.14. DHCP server

  • Add UCR packages to profile for network installation (Bug 54259).

§8.9. Services for Windows

§8.9.1. Samba

  • Samba has been updated to version 4.16.2 (Bug 54682).
  • In some cases in UCS@school, log.smbd filled up with a message because a Windows 10 client attempted to access user files, which is denied by the NTACLs. While the origin of that behavior is still unknown, no negative side effects are known. To avoid overflowing the log file, the log message now only appears from debug level 2 on. The default log level is 1 (Bug 52979).
  • samba-tool now supports passing credentials using the option --authentication-file and the machine password using the option --machinepass-file (Bug 53101).
  • The share configuration of vfs objects, write list, hosts allow and hosts deny was broken because of excessive escaping of quotes and has been repaired (Bug 49842).
  • The share setting map acl inherit = yes had been broken since UCS 5.0-0 and is now working properly again (Bug 54688).
  • The access to home shares via NTLM authentication on member server has been fixed (Bug 54200).
  • The joinscript of univention-samba4 did pass the credentials in clear text to other tools like ldbsearch as command line arguments. To reduce the attack surface it now uses a file instead (Bug 53100).
  • During a server password change the Samba process was not restarted in some cases. The script to restart Samba was fixed to ensure the service is restarted successfully (Bug 54356).
  • The Kerberos ticket lifetime was made configurable via Univention Configuration Registry variable kerberos/defaults/ticket-lifetime (Bug 52987).

§8.9.2. Univention AD Takeover

  • samba-tool now supports passing the machine password using the option --machinepass-file (Bug 53101).
  • samba-tool now supports passing credentials using the options -A|--authentication-file (Bug 53101).
  • Performing an Active Directory takeover now works when the original AD contains Group Policy Objects with non-ASCII encoding (Bug 54196).
  • An invalid (empty) UCR network interface configuration led to a network failure during AD Takeover; this has been fixed (Bug 54359).
  • On systems updated from UCS 4.4 the AD Takeover could abort with a traceback because the systemctl command was not found at the path specified in the Python code (Bug 54238).
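To make the reasoning behind the joinscript change in the Samba list (Bug 53100) and the credential-file options of samba-tool listed above concrete, an added example that is not part of the UCS packages or of Samba: the first part shows that anything passed on a command line is readable by every local user through ps, the second writes a mode-0600 credentials file in the username=/password=/domain= format that Samba's -A|--authentication-file option reads. That format is the one smbclient documents for -A; that samba-tool accepts the same file is an assumption, and the user name, password and domain are constructed sample values. The script does not invoke samba-tool itself, so it runs without Samba installed.

```shell
#!/bin/sh
# Added example (not UCS or Samba code): password on the command line
# versus password in a private credentials file.
set -eu

# --- 1. The leak: argv is readable by every local user via ps ----------------
# A throw-away process whose argv carries a made-up password (sh passes
# "--password=hunter2" through as $1 of the command string, so it sits in argv).
sh -c 'sleep 5' sh --password=hunter2 &
LEAK_PID=$!
echo "what any local user sees in the process list:"
ps -o args= -p "$LEAK_PID" || true
kill "$LEAK_PID" 2>/dev/null || true

# --- 2. The fix: hand the secret over in a file nobody else can read ----------
# write_auth_file FILE USER PASSWORD DOMAIN
# Writes the username=/password=/domain= format read by Samba's
# -A|--authentication-file option (assumed identical for samba-tool and smbclient).
# The umask in the subshell makes the file 0600 from the moment it is created,
# so there is no window in which another user could read it.
write_auth_file() {
    ( umask 077; printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$4" > "$1" )
}

# auth_file_is_private FILE: succeed only if group and others have no permission bits.
auth_file_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# auth_file_password FILE: read the password back, as the consuming tool would.
auth_file_password() {
    sed -n 's/^password=//p' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
AUTH=$WORK/samba-auth
write_auth_file "$AUTH" Administrator hunter2 EXAMPLE    # constructed sample values
auth_file_is_private "$AUTH" && echo "credentials file $AUTH is mode 0600"

# With Samba installed, the call that keeps the password out of ps would be, e.g.:
#   samba-tool user list -H ldap://primary.example.com -A "$AUTH"
# (server name is an assumption; samba-tool is deliberately not invoked here).
```

The same reasoning applies to any tool that accepts a password as an argument: prefer a file, a pipe or an environment variable scoped to the child process, and remove the file as soon as the caller is done with it.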

§8.9.3. Univention S4 Connector

  • The user account expiry date differed by one day between UCS and Samba. This discrepancy has been removed (Bug 53012).

§8.9.4. Univention Active Directory Connection

  • With python-ldap 3.3.0 (and higher) some TLS settings no longer take effect immediately after being set. To ensure correct behavior of TLS-encrypted LDAP connections, the option OPT_X_TLS_NEWCTX will be necessary in future UCS versions (Bug 54408).

§8.10. Other changes

  • Improve message consistency between the man page and the --help messages (Bug 54588).
  • Fix spelling mistake of rsync in doc/univention-ssh.8 (Bug 54588).
  • Update the --help messages of univention-scp and univention-rsync to state that the --no-split option must precede the password file parameter (Bug 54588).
  • Added support for the RFC 6265bis SameSite cookie attribute (Bug 54483).
  • Fixed Python 2 compatibility of UCR template slapd.conf.d/65admingrp-user-passwordreset introduced by UCS 5.0-2 erratum 308 (Bug 54790).
  • The start of OpenLDAP could fail if the ACL lines got too long. This could happen if the Univention Configuration Registry variables ldap/acl/user/passwordreset/.* have a lot of values (Bug 54744).
  • The group membership cache now returns an empty list instead of None when requesting non-existing keys. This fixes a traceback in the Microsoft 365 connector listener, when not every ADConnectionAlias has at least one user (Bug 54572).
  • The French translation of UDM extended attributes has been updated (Bug 54029).
  • A new attribute univentionRadiusPassword has been added to the user class (Bug 54395).
  • A new Univention Configuration Registry variable ldap/translog-ignore-temporary has been created to control whether UDM temporary objects should be considered for replication by the OpenLDAP translog overlay which feeds the Listener/Notifier. This reduces the number of replication transactions during creation of users and groups significantly. As a result it increases replication performance and reduces the rate at which the cn=translog LMDB backend database fills up. This variable applies only to the Primary Directory Node. By default it is set to yes during package installation and update (Bug 48626).
  • A new LDAP attribute has been introduced with UCS 5.0-2 erratum 100. As re-indexing is time-consuming, the decision was made to delay the indexing until 5.0-2 rather than doing it via an errata update. Therefore, a manual fix for customers is available and the required steps are documented at http://help.univention.com/t/19248 (Bug 54092).
  • The French translation package has been given a comprehensive update to align it to the current source code. All missing translation strings have been added and all outdated ones updated along with some general improvements of existing translation strings (Bug 54029).
  • Bugs in the localization template files were fixed so that language packages are created and updated correctly (Bug 54029).
