Release notes for the installation and update of Univention Corporate Server (UCS) 5.2-0

Publication date of UCS 5.2-0: 2025-02-05

Release highlights

With Univention Corporate Server 5.2-0, the second minor release for Univention Corporate Server (UCS) is available. It provides several feature improvements and extensions, properties, and bug fixes. Here is an overview of the most important changes:

  • Univention Corporate Server 5.2 is based on Debian 12 Bookworm and therefore updates a lot of packages. Because Univention Corporate Server 5.0 was based on Debian 10 Buster, the intermediate Univention Corporate Server 5.1, based on Debian 11 Bullseye, exists.

    Univention Corporate Server 5.1 is only required for updating, and you must never use UCS 5.1 in production.

    However, the update automatically continues up to 5.2 without the need for manual interaction. Univention Corporate Server 5.2 provides up-to-date versions of packages including, but not limited to, the Linux kernel (6.1.0-28), Samba (4.21.1), OpenLDAP (2.5.13), PostgreSQL (15), Python (3.11), and Docker (4.18.0).

  • Keycloak replaces SimpleSAMLphp and Kopano Konnect. In Univention Corporate Server 5.2, Keycloak is the only Identity Provider (IDP). This means that Keycloak is the sole component used for authentication and (single-) sign on. Keycloak is already available as an app for Univention Corporate Server 5.0.

    The Migration Guide to Keycloak provides information and preparation steps for the update.

    Keycloak offers a vast range of features and configurability concerning sign-in and usage scenarios, such as federation, single-sign on with SAML, OIDC and Kerberos, or custom conditional authentication flows. For an overview of tested use cases, see the Univention Keycloak app Manual.

  • Univention Corporate Server 5.0 supported mixed environments with leading systems updated to 5.0 while other Univention Corporate Server nodes still ran Univention Corporate Server 4. Univention Corporate Server 5.2 drops support for Univention Corporate Server 4 environments. However, it’s still possible to mix Univention Corporate Server 5.2 and 5.0 in one domain.

  • Univention Corporate Server 5.2 updates Python from 3.7 to 3.11. While Univention Corporate Server 5.0 still supported Python 2.7, Univention Corporate Server 5.2 no longer supports Python 2.7 and removes its support completely.

  • Univention Corporate Server 5.2 modernizes the web interface and improves the overall look and feel. In particular, it improves the integration of various staggered elements to make navigation easier and highlight significant areas more prominently.

  • The Univention Configuration Registry (UCR) now evaluates and validates given values according to the configured type to prevent accidental misuse of unsupported values.

Notes about the update

The prerequisite for updating to UCS 5.2 is that all UCS systems in the domain are at least on version 5.0-9 and that the system intended for update is at least on version 5.0-9 erratum 1204.

Important

When installing a Backup Directory Node from the 5.0-9 appliance images or the 5.0-9 DVD, the final domain join fails if the UCS Primary Directory Node has version 5.2-0.

Start the setup without the domain join and upgrade the system to at least 5.0-9 erratum 1204. Then start the domain join. The upcoming UCS 5.0-10 appliance images and DVD fix the issue.

Run the update in a maintenance window, because some services in the domain may not be available temporarily. It’s recommended that you test the update in a separate test environment before the actual update. The test environment must be identical to the production environment.

Depending on the system performance, network connection, and installed software, the update can take anywhere from 30 minutes to several hours. For large environments, consult the UCS performance guide [1].

Simultaneous operation of UCS and Debian on UEFI systems

Please note that simultaneous operation of UCS and Debian GNU/Linux on a UEFI system starting with UCS 5.0 isn’t supported.

The reason for this is the GRUB boot loader of Univention Corporate Server, which partly uses the same configuration files as Debian. If Debian is already installed, UCS can no longer boot after the installation of or an update to UCS 5.0. A subsequent installation of Debian likewise results in UCS 5.0 not being able to boot. For more information, refer to KB 17768.

Preparation of update

This section provides more information you need to consider before you update.

Migration of default IDP service before updating to UCS 5.2

Starting with Univention Corporate Server 5.2, the Keycloak app replaces SimpleSAMLphp and the Kopano Konnect app as the default identity providers in Univention Corporate Server. Before the update to UCS 5.2, a manual migration of the default identity providers is necessary. You can find a detailed description of how to migrate in the Migration Guide to Keycloak.

Migration of OpenLDAP database backend from BDB to MDB

Univention Corporate Server 5.2 no longer supports the database backend Berkeley DB for OpenLDAP. You need to migrate all systems with the database backend Berkeley DB before the update to UCS 5.2. For information about how to perform this migration, see KB 22322.

Mixed environments consisting of both 5.2 and 5.0 nodes

If you continue to operate Replica Directory Nodes or Managed Nodes in version 5.0 in your 5.2 domain, you must ensure that Python 2.7 is no longer used on these systems, for example in UDM hooks, UMC modules, etc.

If you plan to create a new local software repository on a Univention Corporate Server 5.2 system and want to use this local repository for updating other UCS systems from 5.0-x to 5.2-x, make sure you read KB 23755 for further notes.

Python 3.11 compatibility

Before you update, verify manually crafted Python code for compatibility with Python 3.11 and adjust it accordingly. This includes Univention Configuration Registry templates containing Python code. Customized AD Connector mapping templates are an example of this. For advice, see the various Python 3 migration sections in the Univention Developer Reference [2].
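One way to automate a first pass over the checks described here and under the mixed-environment note on Python 2.7, as an added example rather than Univention's own tooling: it compiles .py files and the Python sections of UCR templates with the running interpreter, so run it under Python 3.11 to test against the target version. It assumes UCR templates delimit Python sections with @!@ markers; the function names and the sample template are constructed for illustration, and a clean result shows only that the syntax is accepted, not that the code behaves the same.

```python
import re
import sys
import warnings
from pathlib import Path

# Assumption: UCR templates delimit embedded Python sections with @!@ markers.
UCR_PY_BLOCK = re.compile(r"@!@(.*?)@!@", re.DOTALL)

def python_units(name, text):
    """Yield (label, first_line, source) for each Python unit in one file."""
    if name.endswith(".py"):
        yield name, 1, text
        return
    for number, match in enumerate(UCR_PY_BLOCK.finditer(text), 1):
        first_line = text.count("\n", 0, match.start(1)) + 1
        yield f"{name}[block {number}]", first_line, match.group(1)

def check_text(name, text):
    """Compile each unit with the running interpreter and return findings."""
    findings = []
    for label, first_line, source in python_units(name, text):
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            try:
                compile(source, label, "exec")
            except (SyntaxError, ValueError) as exc:  # ValueError: NUL bytes
                line = first_line + (getattr(exc, "lineno", None) or 1) - 1
                findings.append(f"{label}:{line}: error: {getattr(exc, 'msg', exc)}")
        for item in caught:  # e.g. invalid escape sequences in old regexes
            line = first_line + item.lineno - 1
            findings.append(f"{label}:{line}: warning: {item.message}")
    return findings

def check_tree(root):
    """Check every regular file below root, a directory chosen by the caller."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += check_text(str(path), text)
    return findings

# Constructed sample: a UCR-style template whose first block is Python 2 only.
SAMPLE = ("# constructed template\n@!@\nprint 'dns=%s' % configRegistry.get('x')\n"
          "@!@\nstatic text\n@!@\nprint('ok')\n@!@\n")

if __name__ == "__main__":
    results = check_tree(sys.argv[1]) if len(sys.argv) > 1 else check_text("sample", SAMPLE)
    print("\n".join(results) or "no findings")
```

Line numbers in the findings refer to the template file itself, not to the position inside the extracted block.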

AD Connector mapping

When you operate multiple instances of the AD Connector as described in Synchronization of several Active Directory domains with one UCS directory service, you need to adjust the mapping configuration and ensure Python 3.11 compatibility before the update. KB 17754 describes the steps.

Sufficient disk space

Also verify that you have sufficient disk space available for the update. A standard installation requires a minimum of 6-10 GB of disk space. The update requires approximately 5 GB additional disk space to download and install the packages, depending on the size of the existing installation.

Console usage for update

For the update, sign in on the system’s local console as user root, and initiate the update there. Alternatively, you can conduct the update using Univention Management Console.

If you want or have to run the update over a network connection, ensure that the update continues in case of network disconnection. Network connection interrupts may cancel the update procedure that you initiated over a remote connection. An interrupted update procedure affects the system severely. To keep the update running even in case of an interrupted network connection, use tools such as tmux, screen, and at. All UCS system roles have these tools installed by default.

Script to check for known update issues

Univention provides a script that checks for problems which would prevent the successful update of the system. You can download the script before the update and run it on the UCS system.

# download
$ curl -OOf https://updates.software-univention.de/download/univention-update-checks/pre-update-checks-5.2-0{.gpg,}

# verify and run script
$ apt-key verify pre-update-checks-5.2-0{.gpg,} && bash pre-update-checks-5.2-0

...

Starting pre-update checks ...

Checking app_appliance ...                        OK
Checking block_update_of_NT_DC ...                OK
Checking cyrus_integration ...                    OK
Checking disk_space ...                           OK
Checking hold_packages ...                        OK
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
...

Post processing of the update

Following the update, you need to run new or updated join scripts. You can either use the UMC module Domain join or run the command univention-run-join-scripts as user root.

Subsequently, you need to restart the UCS system.

Please verify the PostgreSQL version on all UCS systems that updated to UCS 5.2. As UCS 5.2 ships version 15 of PostgreSQL, updated systems may need migration from PostgreSQL 11. For the recommended migration steps, see KB 22162.

Notes on selected packages

The following sections inform about some selected packages regarding the update.

Collection of usage statistics

When using the UCS Core Edition, UCS collects anonymous statistics on the use of Univention Management Console. The modules opened get logged to an instance of the web traffic analysis tool Matomo. Usage statistics enable Univention to better tailor the development of Univention Management Console to customer needs and carry out usability improvements.

You can verify the license status through the menu entry License ‣ License information of the user menu in the upper right corner of Univention Management Console. Your UCS system is a UCS Core Edition system if the License information lists UCS Core Edition under License type.

UCS doesn’t collect usage statistics when you use an Enterprise Subscription license such as UCS Base Subscription or UCS Standard Subscription.

Independent of the license used, you can deactivate the usage statistics collection by setting the Univention Configuration Registry Variable umc/web/piwik to false.

Changelog

You find the changes since UCS 5.0-9 in Changelog for Univention Corporate Server (UCS) 5.2-0.

Bibliography

[1] UCS performance guide. Univention GmbH, 2021. URL: https://docs.software-univention.de/ext-performance/5.2/en/.

[2] Univention Developer Reference. Univention GmbH, 2021. URL: https://docs.software-univention.de/developer-reference/5.2/en/.