With UCS 4.3 we have integrated numerous security updates – most recently the Samba 4 update of March 13 – and closed hundreds of bugs. But that is not all: we also focused, among other things, on significantly higher performance during data import and on more convenience when administering portal pages or users. Besides efficient and easy management of UCS, it was also important to us to create a positive user experience. Milestones worth mentioning here are certainly single sign-on when logging in to Windows or Linux desktops, which at the same time grants access to the Univention Management Console, Office 365, and ownCloud or Nextcloud, to name just a few of the improvements.
With UCS 4.3 we took another resolute step in the development of UCS into an open platform for IT operations and management in enterprises – whether it is a small organization with just a few users or organizations with hundreds of thousands of users.
It could not be easier – Manage online portal with Drag & Drop and Visual Composer
The online portals released since UCS 4.2 give administrators easy access to services in the IT environment. They are a great success and used by more and more organizations. The adaptation of a UCS portal page, for example by adding new entries or customizing the layout to the organization’s individual design, was already possible. However, the implementation was not always intuitive.
What’s new in UCS 4.3 is that administrators can now administer the portal directly with the help of a ‘Visual Composer’, allowing them to see immediately what they are changing. Convenience goes even further: the order of the tiles in the portal can be configured via drag & drop. Further settings can also be made conveniently via a UMC module.
Another new feature is that administrators can allow portal entries for specific groups only. This makes it very easy to define and manage individual and user group related portals. Just imagine a heterogeneously organized corporation with various specialist departments or different locations. Here, the administrator of UCS can now provide tailored access to exactly those IT services and resources that are needed. The same applies to school authorities who, of course, have to provide the users, for example, in local elementary schools with completely different IT services than those of the local grammar schools.
All this makes UCS 4.3 even easier to use as a central portal for accessing the organization’s IT. Easy administration for everyone, whether small organizations or large ones.
Active Directory Connector for Windows Server up to version 2016
Administrators can use the UCS tool ‘Active Directory Connector’ to manage Windows Servers up to version 2016. By joining UCS into an Active Directory domain, they can provide numerous open-source applications in Windows environments, such as ownCloud, Nextcloud, Mattermost, and Kopano.
Usability simplifications in the management system
The identity management system has always been at the heart of UCS to centrally manage digital identities. Administrators can assign specific properties to the respective users via the UMC, for example, to grant necessary access rights or group memberships. As these properties, for example, Samba, Kerberos, POSIX or Mail, have grown in number over time, new users in particular did not know from the start what all these properties actually cover. In addition, there were interdependencies among them which could lead to problems.
With UCS 4.3, we have implemented a significantly simplified system for the assignment of user properties, with which all required properties can be easily assigned to the users.
For example, with UCS 4.3 only three different user types remain:
- Users to whom all properties are assigned.
- Simple authentication accounts – These can only connect to the LDAP, but have no way to log in elsewhere.
- Pure address book entries for the maintenance of internal and external identities, for example, to create address lists.
Even if you already operate a previous version of UCS, this new functionality is easy to use. During the update to UCS 4.3, existing entries are migrated to the three new types based on the available information, and each user is automatically assigned to one of them.
In the course of standardizing these options, we have also been able to simplify the two properties for locked and disabled users.
New in UCS: Integration of the attribute memberOf
A technical innovation is the integration of the attribute memberOf. Many applications using the UCS LDAP directory try to query the group properties via the memberOf attribute. Previously, this attribute could be optionally activated on UCS. As of UCS 4.3, this is enabled by default.
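memberOf is a derived attribute: the directory server computes it from the group entries' member attributes, so an application reading it gets the reverse lookup (user → groups) without walking every group. The following added example (not UCS or Univention code) shows that derivation on a constructed LDIF fragment, and what a memberOf-based authorization check in an application sees when the attribute is populated and when it is not. The DNs, group names and the helper names are made up for the illustration; uniqueMember and memberOf are the standard attribute names.

```python
"""Derive memberOf from group entries, the way a directory overlay does.

Added illustration, not Univention code. The LDIF below is constructed;
DNs and group names are invented for the example.
"""
from collections import defaultdict

# Constructed sample: two groups, one user in both, one user in only one.
SAMPLE_LDIF = """\
dn: cn=Domain Users,cn=groups,dc=example,dc=com
objectClass: univentionGroup
cn: Domain Users
uniqueMember: uid=alice,cn=users,dc=example,dc=com
uniqueMember: uid=bob,cn=users,dc=example,dc=com

dn: cn=Domain Admins,cn=groups,dc=example,dc=com
objectClass: univentionGroup
cn: Domain Admins
uniqueMember: uid=alice,cn=users,dc=example,dc=com
"""

ADMIN_GROUP = "cn=Domain Admins,cn=groups,dc=example,dc=com"


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64 values) into entries.

    Each entry is a dict mapping attribute name -> list of values; the
    entry's own DN is stored under 'dn' as a one-element list."""
    entries = []
    current = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def derive_member_of(entries):
    """Build the reverse index: member DN -> sorted list of group DNs."""
    member_of = defaultdict(set)
    for entry in entries:
        for member in entry.get("uniqueMember", []):
            member_of[member].add(entry["dn"][0])
    return {dn: sorted(groups) for dn, groups in member_of.items()}


def is_member(user_entry, group_dn):
    """Application-side check that relies on memberOf being populated."""
    return group_dn in user_entry.get("memberOf", [])


def check_admin(user_dn, entries, member_of_enabled=True):
    """Simulate what an application sees for user_dn.

    With the overlay enabled the user entry carries memberOf; with it
    disabled the attribute is simply absent, so the check fails closed."""
    groups = derive_member_of(entries) if member_of_enabled else {}
    user_entry = {"dn": [user_dn]}
    if user_dn in groups:
        user_entry["memberOf"] = groups[user_dn]
    return is_member(user_entry, ADMIN_GROUP)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user, groups in derive_member_of(directory).items():
        print(user, "->", groups)
```

The point for practitioners is the last function: an application that decides access on memberOf alone sees an empty attribute when the overlay is off and denies everyone, which is the safe direction, but the same absence would be harmless to notice only if the application logs it. Before UCS 4.3 this had to be enabled explicitly; since the attribute is now populated by default, such checks work without further configuration.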
Docker and other apps for UCS 4.3
The Univention App Center continues to support both the installation of native packages of apps directly in the UCS system as well as the installation and configuration of Docker images of the apps.
For these two methods, different libraries with different feature sets were used. With UCS 4.3 this has been unified, which in turn simplifies the maintenance of the library.
Many of the apps from the Univention App Center are already available for UCS 4.3. This includes, of course, all Docker-based apps. Further apps are currently in the release process by the respective manufacturers and will be released for UCS 4.3 in the next few weeks.
Connection of SAML with Kerberos for more single sign-on
From UCS 4.2 on, the single sign-on protocol SAML is supported and configured out of the box.
With UCS 4.3, SAML authentication is now linked to the Kerberos login. This means that a user who logs in, for example, to Windows or Linux (Ubuntu) and then wants to access web applications such as the Univention Management Console, Office 365 or ownCloud or Nextcloud, no longer needs to log in again as the login to connected apps can be done automatically.
These single sign-on mechanisms greatly ease the use of enterprise IT, because users do not need to remember different passwords or go through multiple sign-on procedures.
New Samba for massive performance enhancements
Samba has been updated to version 4.7 in UCS 4.3, and at the same time, we have also included the latest security update of March 13, which closed a critical Samba vulnerability in the access control for password changing permissions.
Samba 4.7 brings important improvements in the field of Active Directory domain controllers. The multi-process implementation of the Samba LDAP server significantly improves the performance. We were able to demonstrate an acceleration by a factor of four in internal tests. The replication of group memberships now also needs significantly fewer resources. Both processes bring significant improvements, especially in large environments such as at school authorities.
With UCS 4.3 it is no longer possible to provide Windows NT-based domains. The old so-called “Samba 3 domains” must be migrated to a Samba 4 Active Directory domain before updating to UCS 4.3.
Inclusion of Debian 9 brings 20,000 updated base packages for UCS 4.3
The technical basis of UCS 4.3 has also changed a lot. UCS is now based on Debian 9 (Stretch), which involves an update of almost all packages in UCS. In addition, we have now managed to switch to the standard Debian kernel; only for UEFI Secure Boot support is the kernel additionally signed. Overall, this increases compatibility with hardware and software that is Debian-certified.
Some examples of new enhancements to Debian Stretch integration:
Compiling ‘position independent executables’ (PIE) is the new default of the GNU GCC 6 compiler in Debian. As a result, the majority of executables now support ‘address space layout randomization’ (ASLR), which makes it much more difficult for many exploits to take advantage of vulnerabilities.
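Whether a given binary actually benefits from ASLR can be checked from its ELF header: a PIE is linked as ELF type ET_DYN (3), whereas a classic executable is ET_EXEC (2), and only an ET_DYN executable can be loaded at a randomized base address. The following added example (not part of UCS or the release notes) is a small header parser that does this check; the `make_header` helper builds constructed ELF64 headers purely so the parser can be exercised without real binaries, and all function names are this example's own.

```python
"""Check whether an ELF binary was built as a position-independent executable.

Added example, not Univention code. PIE binaries carry ELF type ET_DYN,
classic executables ET_EXEC. The headers produced by make_header() are
constructed test data, not real programs.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2
ET_DYN = 3
EM_X86_64 = 62


def is_elf(header: bytes) -> bool:
    """True if the buffer starts with the ELF magic and is long enough for e_type."""
    return len(header) >= 18 and header[:4] == ELF_MAGIC


def elf_type(header: bytes) -> int:
    """Return the e_type field, honouring the endianness declared in EI_DATA."""
    if not is_elf(header):
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}.get(header[5])   # EI_DATA: 1 = little, 2 = big
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return e_type


def is_pie(header: bytes) -> bool:
    """True if the ELF is ET_DYN, i.e. linked with -pie (or is a shared object)."""
    return elf_type(header) == ET_DYN


def is_pie_file(path: str) -> bool:
    """Read the first 64 bytes of a file on disk and classify it."""
    with open(path, "rb") as f:
        return is_pie(f.read(64))


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Build a minimal 64-byte ELF64 header (constructed sample for testing only)."""
    endian = "<" if little_endian else ">"
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA, EI_VERSION=1, then padding
    e_ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack(endian + "HHIQQQIHHHHHH",
                       e_type, EM_X86_64, 1, 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)
    return e_ident + rest


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "PIE" if is_pie_file(path) else "non-PIE")
```

Run it as `python3 pie_check.py /usr/bin/*` on a Stretch-based system to see which installed executables are ET_DYN. One caveat: shared libraries are ET_DYN as well, so the check only says something about files you already know to be programs; tools such as `hardening-check` from Debian's devscripts additionally look at the dynamic section to tell a PIE from a plain shared object.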
In addition, APT now rejects weaker checksums (e.g. SHA-1) by default. Stretch ships the ‘modern’ branch of GnuPG in the gnupg package, which includes, among other things, elliptic curve cryptography, better default settings, a more modular architecture, and improved smart card support.
The installer and the newly installed Debian 9 system use a new scheme for naming network interfaces. The new method draws on more data to achieve a more reproducible result and uses the index numbers provided by the firmware or BIOS.
Another important update in the area of the basic packages is the replacement of the MySQL database by MariaDB and the replacement of Nagios 3 by Nagios 4 as the standard monitoring system.
Updates for the Mailstack
The mail stack in UCS is used by thousands of users, either directly, if UCS itself serves as the mail server, or indirectly, if a groupware such as Open-Xchange, Kopano, Tine 2.0 or EGroupware runs on UCS and uses the UCS mail stack in the background.
Administrators can place environment-specific settings in their own configuration file instead of overwriting the templates provided by UCS. This reduces the administration effort for future updates.
With UCS 4.3, the Cyrus IMAP server is no longer supported, only Dovecot is. Users of the Cyrus IMAP server must therefore migrate to the Dovecot IMAP server before updating to UCS 4.3. In addition, Postfix has been upgraded from version 2 to version 3. As a result, UCS 4.3 now includes many detail improvements in the area of the Mail Transfer Agent.
We are very curious to know your opinion on UCS 4.3, which changes you consider particularly successful and which ones not as good. And, of course, we appreciate very much any hint from you for further improvements.
More information and an overview of the release highlights can be found in our release notes.
Download the new UCS 4.3 free Core Edition or start it as a virtual appliance by visiting our download area.
Stefan studied Computer Sciences at the University of Applied Sciences Ostfriesland in Emden. He has built up the development and the support department at Univention from 2004 onwards. Acting as COO since 2019, he is responsible for development, professional services, support and IT at Univention. Before Stefan joined Univention, he worked as a software developer at Utimaco Safeware AG.