“When did I install or remove which app, and when was the last time the password for the UCS server was changed?” Answers to these and many other questions can be found in the Admin Diary, which we introduced with UCS 4.4. It provides a quick overview of all administrative events in a UCS domain, such as software and app installations and updates, creation, modification and deletion of users and other directory service objects, password changes, etc.
Strictly speaking, the new diary consists of two apps that you can easily install in your UCS environment through the Univention App Center: the Admin Diary Backend and the Admin Diary Frontend. The backend collects data from all UCS instances in the domain and stores it in a database. The frontend provides access to this log via a module of the Univention Management Console (UMC) and displays the events.
In this blog article, I will introduce you to both apps and also explain how to run backend and frontend on two different computers. This may be useful, for example, if there already is a dedicated database server in your environment: in that case, you install the backend there and the frontend on the system on which you normally use the UMC (e.g. the Master). Let’s start with the standard option: both on one system.
Backend and Frontend on One System
The backend is the central reference point for the Admin Diary: this is where events are logged, and all of them end up in a relational database. The backend can be easily installed from the Univention App Center. By default it uses PostgreSQL. If MySQL or MariaDB is already installed on the system, the existing database is used instead.
If you want to run the frontend on the same UCS instance, then install this app from the App Center afterwards as well. After you open the app, you see the domain events in chronological order of their occurrence; by default, all entries for the current week are displayed. If you click on an entry in the list, you can comment on it. At the bottom, you can scroll through the log by week; at the top, you have the option of selecting a specific date.
Use the search field to filter the list entries. For example, enter user in the field to show only events that refer to user accounts. Of course, you can also type a specific user name into the field to see only the messages for this particular account. If you enter install in the search field, you will see all events concerning installations and deinstallations from the App Center.
Click on the button with the two arrows pointing to the right to activate the advanced search. Here, you will find drop-down menus for filtering reports by tags, events, sources and authors.
Backend and Frontend on Different Systems
The frontend does not necessarily have to run on the same UCS instance as the backend, since it can also query the data via the network. As mentioned at the beginning, the backend with the database can be located on an (existing) database server and the frontend can run on the machine on which you normally operate the Univention Management Console. You can also install the frontend app on several servers in the UCS domain, but then you have to make a few minor adjustments to the configuration:
- Open the System / Univention Configuration Registry module via the UMC and search for the admin/diary/dbms variable to enter the database backend (postgresql for PostgreSQL or mysql for MySQL/MariaDB).
- The hostname or IP address of the system on which the admin diary backend is running is displayed next to
- Check the firewall settings (variable security/packetfilter/package/univention-admin-diary/...); the backend must be reachable for the frontend (port 5432 for PostgreSQL, port 3306 for MySQL/MariaDB and port 10514 for rsyslog).
- Copy the file /etc/admin-diary.secret from the backend server to the system where the frontend is running.
The system with the frontend must also have access to the database called admindiary. It is located on the system with the admin diary backend. If you use PostgreSQL there, then enter the following two commands as user root:
ucr set postgres9/pg_hba/config/01="host admindiary admindiary 192.0.2.0/24 md5"
systemctl restart postgresql
Replace the IP address 192.0.2.0 that is used in the example with the actual IP address of the system on which the frontend is running. Alternatively, enter the host name of the system instead of the IP address. If you use MySQL/MariaDB instead, the command on the backend server is:
echo "GRANT ALL ON admindiary.* TO 'admindiary'@'server.mydom.intranet' IDENTIFIED BY '<ADMINDIARY.SECRET>'" | mysql -p$(cat /etc/mysql.secret)
<ADMINDIARY.SECRET> with the password from
server.mydom.intranet with the actual hostname of the frontend system.
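The pg_hba.conf rule shown above matches clients by network mask, so it is worth checking which range remains once the frontend's address has been substituted. The following added example (not part of the original article or of Univention's code) reports how many addresses each rule for the admindiary database admits; all sample lines except the article's own rule are constructed, and rules are assumed to use the CIDR or host name form of the address field.

```python
import ipaddress

# Constructed sample in pg_hba.conf syntax; only the first rule is the article's example.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    USER        ADDRESS                METHOD
host    admindiary  admindiary  192.0.2.0/24           md5
host    admindiary  admindiary  192.0.2.17/24          md5
host    admindiary  admindiary  192.0.2.17/32          md5
host    admindiary  admindiary  server.mydom.intranet  md5
local   all         postgres                           peer
"""


def audit_admindiary_rules(pg_hba_text, database="admindiary"):
    """Return one finding per network ('host*') rule that covers the database."""
    findings = []
    for lineno, raw in enumerate(pg_hba_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and local-socket rules
        db_list, address, method = fields[1].split(","), fields[3], fields[4]
        if database not in db_list and "all" not in db_list:
            continue
        try:
            # strict=False: host bits to the right of the mask do not narrow
            # the match, so 192.0.2.17/24 still covers all of 192.0.2.0/24.
            net = ipaddress.ip_network(address, strict=False)
            scope, admitted = str(net), net.num_addresses
        except ValueError:
            # Host name or keyword (all, samehost, samenet): not a CIDR range.
            scope, admitted = address, None
        findings.append({
            "line": lineno,
            "scope": scope,
            "admitted_addresses": admitted,
            "method": method,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_admindiary_rules(SAMPLE_PG_HBA):
        print(finding)
```

A rule intended for a single frontend should report one admitted address (a /32 mask) or a host name; the second sample rule shows that changing only the address and keeping /24 still admits 256 addresses.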
Always in the Know
The Admin Diary is a convenient notepad that gives you an overview at all times of which changes happened in a UCS domain and when. The app notes when an administrator adapts LDAP objects, installs, updates and deletes apps, or upgrades the entire UCS system. With the search and filter functions, you can also quickly search for specific events.