With UCS 4.3-2, the second point release for Univention Corporate Server (UCS) 4.3 is now available, which includes a number of security updates and various new features.
New: UCS maintenance mode
UCS 4.3-2 now offers a maintenance mode for installing release updates via Univention Management Console (UMC). UMC is the web-based, graphical user interface for the administration of the entire domain. In the past, installing a release update could cause short-term outages of the UMC, for example because the updated services were restarted. The new maintenance mode significantly improves the reliability of installing release updates via UMC. In addition, you can now track the progress of the update.
The UCS installer, which is used for the installation of UCS, has been enhanced, too. Even before the installation starts, it now identifies problems that might occur during the domain join or when the system connects to the Internet, and it points out solutions for resolving them. Administrators are thus warned of possible inconsistencies in the domain early in the process.
Increased reliability through innovations in SAML
We also improved several things in SAML (Security Assertion Markup Language), which is used for single sign-on in more and more environments. Until now, parts of the configuration were stored in the file system. This meant that those parts needed to be synchronized between different systems. As of UCS 4.3-2, these configurations are now stored directly in the directory service (OpenLDAP) and thus automatically synchronized. This process particularly increases the reliability in distributed domains. SAML is used, for example, in the GSuite or Office 365 Connector but also for the UMC login.
Optimized sync for Active Directory Connector
The Active Directory Connector allows you to synchronize users and groups, including all passwords, between a UCS domain and an Active Directory domain. The synchronization can be either uni- or bidirectional. During synchronization, it may happen that individual objects cannot be synchronized, for example because of incompatibilities between the two domains. These objects are recorded as so-called rejects. With UCS 4.3-2, new tools are available with which you can easily delete those rejects individually. At the same time, we added further tools that can be used to resynchronize individual objects or entire subtrees.
App Center: improved remote installations + push mechanism
New functions are also available in the Univention App Center, which makes it very easy to put apps into operation in your domain. An app can be installed in the App Center either directly on a local system or remotely on another UCS system in the domain. For remote installations, we have improved several minor things that simplify and stabilize the installation. In addition, the startup performance of the App Center has been significantly improved with UCS 4.3-2. For the expert tool univention-app, which allows installation and configuration on the command line, we added an option called log. It provides direct access to the Docker log output.
Another highlight: a push mechanism now provides Docker apps with information about changes to users and groups. For this purpose, JSON files describing the changes are stored in the Docker container. Previously, this required implementing Univention Directory Listener modules. App providers will benefit most from this, as it makes it even easier for them to integrate their apps into the existing user management of UCS.
More details about the push mechanism can be found in the app provider documentation.
KVM for Univention Virtual Machine Manager
With the Univention Virtual Machine Manager (UVMM) you can manage KVM-based virtual machines in UCS. We have updated the VirtIO driver, which can be used for virtualized Windows systems. Snapshots can now be created in the UVMM GUI directly via the context menu, and the display of CPU utilization can be hidden via a configuration setting. These enhancements make the interface even more customizable to your individual needs.
OpenLDAP logs critical messages directly
A central component of UCS is OpenLDAP, which allows the extremely fast and reliable storage of several million objects. With UCS 4.3-2, we have changed OpenLDAP's default loglevel so that critical messages are always logged directly. This should make it easier to identify potential issues.
Security and usability
We have also optimized the security and usability of UCS in recent months. In most UCS environments, password policies prevent the reuse of the previous password. If these password policies are not activated and a user re-enters the same password during a password change, the password synchronization is now repeated. Previously, no synchronization took place in this case, and the setting requiring the user to change the password also remained in effect.
In addition, various security updates have been integrated in UCS 4.3-2, for example the update to Samba 4.7.8. With this update, authentication over the NTLMv1 protocol is no longer allowed by default. If very old systems or applications are still in use that absolutely require NTLMv1, you can reactivate this function via the Univention Configuration Registry. We also included other important security updates for Apache 2, OpenSSH and systemd. Furthermore, we have updated the UCS Linux kernel to version 4.9.110-8, which mainly includes security and stability fixes. New microcode updates for AMD and Intel processors have also been delivered.
Release notes
Find a complete list of changes to UCS 4.3-2 including all CVE numbers in our release notes.