Release notes for the installation and update of Univention Corporate Server (UCS) 5.0-2
Publication date of UCS 5.0-2: 30. June 2022
Release Highlights
With Univention Corporate Server 5.0-2, the second point release for Univention Corporate Server (UCS) 5.0 is now available. It provides several feature improvements and extensions, new properties as well as various improvements and bug fixes. Here is an overview of the most important changes:
The User Self Service was integrated into the UCS portal. Furthermore, support for additional placeholders was extended, among others first name and last name in the email template for password reset.
For RADIUS, users can assign a so-called service-specific password, and administrators can assign dedicated VLANs to user groups to increase network security.
SameSite cookies can now be configured for UMC and SAML.
The AD Takeover has been made more robust.
Numerous performance improvements have been implemented regarding DNS, LDAP and during the sign in to UMC.
The French translation for the UCS management system was updated.
The UMC system diagnostics has been extended: Several new checks have been added and some older ones have been improved.
Most packages have been migrated to Python 3. Their Python 2 counterparts are no longer installed by default and will be removed.
This Univention Corporate Server release is based on Debian 10.12 Buster.
Various security updates have been integrated into UCS 5.0-2, for example for Samba4, OpenLDAP, OpenSSL, and the Linux kernel.
Notes about the update
During the update some services in the domain may be temporarily unavailable, which is why the update should occur in a maintenance window. It is recommended to test the update in a separate test environment prior to the actual update. The test environment should be identical to the production environment. Depending on the system performance, network connection and the installed software the update will take between 20 minutes and several hours. In large environments it may be useful to consult the UCS performance guide [1].
Recommended update order for environments with more than one UCS server
In environments with more than one UCS system, the update order of the UCS systems must be borne in mind:
The authoritative version of the LDAP directory service is maintained on the Primary Directory Node (formerly referred to as master domain controller) and replicated to all the remaining LDAP servers of the UCS domain. As changes to the LDAP schema can occur during release updates, the Primary Directory Node must always be the first system to be updated during a release update.
UCS only available for 64 bit
UCS 5 is only provided for the x86 64 bit architecture (amd64). Existing 32 bit UCS systems cannot be updated to UCS 5.
Simultaneous operation of UCS and Debian on UEFI systems
Please note that simultaneous operation of UCS and Debian on a UEFI system starting with UCS 5.0 is not supported.
The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. If Debian is already installed, UCS can no longer be booted after the installation of or an update to UCS 5.0. A subsequent installation of Debian will also result in UCS 5.0 not being able to boot.
Further hints on this topic are collected in the following help article: KB 17768.
Local package repository
This section is relevant for environments where a local repository is set up. The installed (major) version of UCS determines which packages a local repository provides. A repository running on a UCS server with version 4.x will only provide packages up to UCS 4.x; a repository server running on UCS 5 will only provide packages for UCS 5 and newer versions. To upgrade systems to UCS 5 in an environment with a local repository, a local UCS 5 repository server must be set up first. The following are some of the options:
A new UCS 5 system is installed as a Primary Directory Node from the DVD or from a virtualized base image. Then a local repository is set up on this system as described in UCS Manual [2].
A new UCS 5 system is installed with the system role Backup Directory Node, Replica Directory Node or Managed Node from the DVD or from a virtualized base image. In system setup, select that the system will not join a domain. Then set up a local repository on this system as described in UCS Manual [2]. After the Primary Directory Node used in the domain is upgraded to UCS 5, the UCS 5 repository server can join the domain via univention-join.
To upgrade a system in the domain to UCS 5, the server should first be upgraded to the latest package level available for UCS 4.x. Then the repository server used by the system is switched to the local UCS 5 repository by changing the Univention Configuration Registry Variable repository/online/server. The system can now be upgraded to UCS 5 via the Univention Management Console or via the command line.
Preparation of update
Manually crafted Python code needs to be checked for compatibility with Python 3.7 before the update and adjusted accordingly. This includes Univention Configuration Registry templates containing Python code. Customized AD-Connector mapping templates are an example of this. See also the Univention Developer Reference [3] for advice.
When multiple instances of the AD Connector are operated as described in Synchronization of several Active Directory domains with one UCS directory service, an adjustment of the mapping configuration is needed and Python 3.7 compatibility must be ensured before the update. KB 17754 describes the steps.
It must be checked whether sufficient disk space is available. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 1-2 GB additional disk space to download and install the packages, depending on the size of the existing installation.
For the update, a login should be performed on the system’s local console as user root, and the update should be initiated there. Alternatively, the update can be conducted using Univention Management Console.
Remote updating via SSH is not recommended as this may result in the update procedure being canceled, e.g., if the network connection is interrupted. In consequence, this can affect the system severely. If updating should occur over a network connection nevertheless, it must be verified that the update continues in case of disconnection from the network. This can be achieved, e.g., using the tools tmux, screen and at. These tools are installed on all UCS system roles by default.
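The architecture, disk-space and SSH notes above can be checked before the update is started. The following is an added example, not part of the Univention release notes; the function names, the check against / and the 2 GB threshold (the upper end of the stated 1-2 GB) are assumptions.

```sh
#!/bin/sh
# Added example: preflight checks derived from the notes above.
# Function names, the / mount point and the 2 GB threshold are assumptions.

# free_kb PATH: available space in KiB on the filesystem holding PATH
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# has_space AVAIL_KB NEED_GB: succeeds if AVAIL_KB covers NEED_GB GiB
has_space() {
    [ "$1" -ge $(( $2 * 1024 * 1024 )) ]
}

# arch_ok ARCH: UCS 5 is provided for amd64 only (uname -m reports x86_64)
arch_ok() {
    [ "$1" = x86_64 ]
}

# session_kind: classify how this shell is attached
#   console      no SSH variables set
#   multiplexed  SSH, but inside tmux ($TMUX) or screen ($STY)
#   ssh-bare     SSH without a multiplexer; a disconnect ends the update
session_kind() {
    if [ -z "${SSH_CONNECTION:-}${SSH_TTY:-}" ]; then
        echo console
    elif [ -n "${TMUX:-}${STY:-}" ]; then
        echo multiplexed
    else
        echo ssh-bare
    fi
}

# preflight: run all checks, report every failure, return non-zero on any
preflight() {
    rc=0
    arch_ok "$(uname -m)" || { echo "FAIL: architecture is not amd64"; rc=1; }
    has_space "$(free_kb /)" 2 || { echo "FAIL: less than 2 GB free on /"; rc=1; }
    [ "$(session_kind)" != ssh-bare ] ||
        { echo "FAIL: SSH session without tmux or screen"; rc=1; }
    return "$rc"
}

# Usage: source this file, then run `preflight` before starting the update.
```
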
Univention provides a script that checks for problems which would prevent the successful update of the system. Prior to the update, this script can be downloaded and executed on the UCS system.
# download
$ curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.0-2{.gpg,}
# verify and run script
$ apt-key verify pre-update-checks-5.0-2{.gpg,} && bash pre-update-checks-5.0-2
...
Starting pre-update checks ...
Checking app_appliance ... OK
Checking block_update_of_NT_DC ... OK
Checking cyrus_integration ... OK
Checking disk_space ... OK
Checking hold_packages ... OK
Checking ldap_connection ... OK
Checking ldap_schema ... OK
...
Post processing of the update
Following the update, new or updated join scripts need to be executed. This can be done in two ways: Either using the UMC module Domain join or by running the command univention-run-join-scripts as user root.
Subsequently the UCS system needs to be restarted.
Notes on selected packages
Collection of usage statistics
Anonymous usage statistics on the use of Univention Management Console are collected when using the UCS Core Edition. The modules opened get logged to an instance of the web traffic analysis tool Matomo. This makes it possible for Univention to tailor the development of Univention Management Console better to customer needs and carry out usability improvements.
This logging is only performed when the UCS Core Edition license is used. The license status can be verified via the menu entry. If UCS Core Edition is listed under License type, this version is in use.
When a regular UCS license is used, no usage statistics are collected.
Independent of the license used, the statistics generation can be deactivated by setting the Univention Configuration Registry Variable umc/web/piwik to false.
Recommended browsers for the access to Univention Management Console
Univention Management Console uses numerous JavaScript and CSS functions to display the web interface. Cookies need to be permitted in the browser. The following browsers are recommended:
Chrome as of version 85
Firefox as of version 78
Safari and Safari Mobile as of version 13
Microsoft Edge as of version 88
Users running older browsers may experience display or performance issues.
Changelog
You can find the changes since UCS 5.0-1 in the Changelog for Univention Corporate Server (UCS) 5.0-2.
Bibliography
[1] UCS performance guide. Univention GmbH, 2021. URL: https://docs.software-univention.de/ext-performance/5.0/en/index.html.
[2] UCS Manual. Univention GmbH, 2021. URL: https://docs.software-univention.de/manual/5.0/en/.
[3] Univention Developer Reference. Univention GmbH, 2021. URL: https://docs.software-univention.de/developer-reference/5.0/en/index.html.