We have just published the seventh point release: UCS 4.4-7 comes with various improvements and some new features, for example in the Self Service app and in the portal. We have also added a new Samba version and worked on the S4 Connector. In this article, I’d like to describe the most important changes.
UCS Self Service, Single Sign-on via SAML
A great advantage of Univention Corporate Server is that users can use their credentials to log into completely different computers and also have access to all services in the UCS domain. With the initial 4.4 release, we introduced the new app Self Service, which allows users to make changes to their personal data; they don’t need admin rights in order to make these changes. This includes changing and resetting the password as well as editing the contact information.
UCS 4.4-7 also offers this when a user is logged in via SAML single sign-on (SSO). While we were at it, we tightened security, since SSO is a central service that grants access to all authorized programs and services. Previously, a user with an expired password who entered an incorrect password in the password change dialog received a message saying that the password had expired. That message doubled as an oracle: anyone could find out whether the password of a particular account had expired without knowing the password itself. With UCS 4.4-7, the dialog no longer reveals this. In addition, certain files created by the listener on the server now receive correct file permissions, so they are readable by the SAML service but not by other users.
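To make the expiry oracle concrete, here is an added illustration that is not the UCS Self Service code: a password-change handler whose failure message depends on account state, beside a hardened variant that verifies the old password first and answers every failure with the same text. The in-memory account store, the hashing parameters, the 90-day password lifetime and the message strings are assumptions made for this demonstration.

```python
"""Password-change dialog: a state-revealing error message beside a uniform one.

Illustrative code added to this article; it is not the UCS Self Service
implementation. The account store, hashing parameters, password lifetime and
message strings are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GENERIC_ERROR = "Password change failed."
DUMMY_SALT = b"\x00" * 16  # keeps the work uniform when the user does not exist
NOW = datetime(2020, 12, 1, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    expires_at: datetime


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def make_account(name: str, password: str, expires_at: datetime) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt), expires_at)


def _password_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def _set_password(acct: Account, new_pw: str, now: datetime) -> None:
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_pw, acct.salt)
    acct.expires_at = now + timedelta(days=90)  # assumed password lifetime


def change_password_leaky(accounts, name, old_pw, new_pw, now):
    """'Before' behaviour: the failure message depends on whether the account's
    password has expired, although the caller never proved knowledge of it."""
    acct = accounts.get(name)
    if acct is None:
        return False, "Unknown user."
    if not _password_ok(acct, old_pw):
        if acct.expires_at <= now:
            return False, "Your password has expired and the old password is wrong."
        return False, "The old password is wrong."
    _set_password(acct, new_pw, now)
    return True, "Password changed."


def change_password_hardened(accounts, name, old_pw, new_pw, now):
    """'After' behaviour: verify the old password first; every failure returns
    the same message, so expiry (and existence) is disclosed only to someone
    who already knows the current password."""
    acct = accounts.get(name)
    if acct is None:
        _hash(old_pw, DUMMY_SALT)  # same amount of work as a real check
        return False, GENERIC_ERROR
    if not _password_ok(acct, old_pw):
        return False, GENERIC_ERROR
    _set_password(acct, new_pw, now)
    return True, "Password changed."


def build_accounts(now: datetime) -> dict:
    """Constructed sample data: alice's password expired yesterday, bob's is valid."""
    return {
        "alice": make_account("alice", "correct horse", now - timedelta(days=1)),
        "bob": make_account("bob", "battery staple", now + timedelta(days=30)),
    }


def probe(handler, now: datetime) -> dict:
    """What an unauthenticated caller learns per account from a wrong old password."""
    accounts = build_accounts(now)
    return {name: handler(accounts, name, "wrong", "irrelevant", now)[1]
            for name in ("alice", "bob", "mallory")}


if __name__ == "__main__":
    for handler in (change_password_leaky, change_password_hardened):
        print(handler.__name__, probe(handler, NOW))
```

Running the script shows three different answers from the leaky handler (expired, not expired, unknown user) and one identical answer from the hardened one; the legitimate user still gets through because the old password is checked before anything else is said.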
Cookie Banner for the UCS Portal
UCS admins activate the new cookie banner with the UCR variable umc/cookie-banner/show. We've added two more variables which define the text shown on the banner. The German version is set via umc/cookie-banner/text/de="Deutscher Text" and the English version with
Samba, S4 Connector, and AD Connector
We have upgraded Samba from version 4.10.1 to 4.10.18, which fixes the Zerologon vulnerability (CVE-2020-1472). Zerologon allows an unauthenticated attacker with network access to the Netlogon service to take over an Active Directory domain controller, so this update should not wait. Once the Samba update is installed, admins can disable the secure channel requirement in smb.conf for individual computer accounts that still need it; it is no longer necessary to deactivate the option globally.
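The practical check after this update is whether the secure channel is still switched off globally as a pre-fix workaround. The following is an added example, not code from UCS or Samba: it reads the [global] section of an smb.conf text, reports the `server schannel` setting and lists per-account waivers written as `server require schannel:ACCOUNT$ = no`, the form the Samba fix introduced for single systems. Both sample configurations are constructed for the demonstration; the workgroup and host names are invented.

```python
"""Check smb.conf for the Netlogon secure-channel settings that matter after
the Zerologon fix.

Added example, not code from UCS or Samba. It reads the [global] section of
an smb.conf text, reports 'server schannel' and lists the per-account
exceptions 'server require schannel:ACCOUNT$ = no'. Both sample
configurations below are constructed.
"""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")


def parse_global(smb_conf: str) -> dict:
    """Parameters of the [global] section. Samba ignores whitespace and case in
    parameter names, so keys are normalised to lowercase without spaces."""
    params, in_global = {}, True  # parameters before any [section] are global
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = SECTION_RE.match(line)
        if m:
            in_global = m.group("name").strip().lower() == "global"
            continue
        m = PARAM_RE.match(line)
        if m and in_global:
            key = re.sub(r"\s+", "", m.group("key").lower())
            params[key] = m.group("value")
    return params


def audit_schannel(smb_conf: str) -> dict:
    params = parse_global(smb_conf)
    # Samba's documented default is 'yes'; 'auto' or 'no' lets a client
    # complete Netlogon without a secure channel, which Zerologon relies on.
    mode = params.get("serverschannel", "yes").strip().lower()
    exceptions = sorted(
        key.split(":", 1)[1].upper()
        for key, value in params.items()
        if key.startswith("serverrequireschannel:")
        and value.strip().lower() in ("no", "false", "0")
    )
    findings = []
    if mode != "yes":
        findings.append(
            f"server schannel = {mode}: secure channel not required for any client")
    for acct in exceptions:
        findings.append(
            f"secure channel waived for {acct}: acceptable only as a short-lived exception")
    return {"server_schannel": mode, "exceptions": exceptions, "findings": findings}


# Constructed: the global workaround many sites used before the fix was available.
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    # switched off for everyone to keep one old appliance working
    server schannel = no
"""

# Constructed: enforced globally, waived for exactly one legacy computer account.
HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    server schannel = yes
    ; the single legacy host that still cannot do secure channel
    server require schannel:LEGACYNAS$ = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_schannel(conf))
```

On a real system, feed it the output of `testparm -s` rather than the raw file so that includes and defaults are already resolved; every account listed under exceptions is a machine that can still be attacked the Zerologon way and should be tracked until it is fixed or retired.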
We have also adapted Samba and the S4 Connector in a way that disabling the deprecated DES encryption no longer causes rejects during synchronization, for example when creating a new account or changing the password of an existing one. We have also fixed a problem of the S4 Connector and the AD Connector: user objects which were moved or deactivated were still assigned to groups that were no longer relevant for them – the new version no longer does that.
More Disk Space: Old Kernel Versions and Backups
Every new kernel of the operating system requires space on the hard disk, and old versions are not automatically removed during an update. To save UCS admins from having to search for the corresponding packages in the package manager, the new univention-prune-kernels command offers to clean up. The Python script searches for obsolete kernel versions on the UCS system and removes them. Of course, the running kernel is not affected.
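The part of such a cleanup that is easy to get wrong is the selection: the running kernel must never be removed, and Debian ABI numbers such as 4.9.0-13 sort below 4.9.0-9 if compared as strings. The following added example is not the univention-prune-kernels script itself; it shows the selection logic on constructed dpkg output. It assumes Debian package names of the form linux-image-<version>-<abi>-<flavour> and lines in the format produced by `dpkg-query -W -f='${Package} ${Status}\n'`.

```python
"""Pick obsolete kernel image packages while protecting the running kernel.

Added example: not the univention-prune-kernels script, but the selection
logic such a tool needs, run on constructed dpkg output. Assumptions: Debian
package names linux-image-<version>-<abi>-<flavour> and lines in the format
of `dpkg-query -W -f='${Package} ${Status}\\n'`.
"""
import re
from typing import Dict, List, Tuple

KERNEL_PKG = re.compile(r"^linux-image-(\d+(?:\.\d+)+-\d+)-([a-z0-9]+)$")


def _version_key(ver: str) -> Tuple[int, ...]:
    # '4.9.0-13' -> (4, 9, 0, 13): numeric, so 4.9.0-13 sorts after 4.9.0-9,
    # which a plain string comparison gets wrong
    return tuple(int(part) for part in re.split(r"[.-]", ver))


def installed_kernels(dpkg_output: str) -> Dict[str, str]:
    """Map kernel package name -> release string as `uname -r` prints it, for
    packages that are fully installed (not just leftover config files)."""
    kernels = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-1] != "installed":
            continue
        m = KERNEL_PKG.match(fields[0])
        if m:
            version, flavour = m.groups()
            kernels[fields[0]] = f"{version}-{flavour}"
    return kernels


def obsolete_kernels(dpkg_output: str, running: str, keep_newest: int = 1) -> List[str]:
    """Kernel image packages that may be purged: everything except the running
    kernel (`running` is the output of `uname -r`) and the `keep_newest`
    highest versions, so a freshly installed but not yet booted kernel survives."""
    kernels = installed_kernels(dpkg_output)
    by_age = sorted(
        kernels,
        key=lambda pkg: _version_key(KERNEL_PKG.match(pkg).group(1)),
        reverse=True,
    )
    protected = set(by_age[:keep_newest])
    protected |= {pkg for pkg, release in kernels.items() if release == running}
    return sorted(pkg for pkg in kernels if pkg not in protected)


# Constructed sample: 4.9.0-8 was removed earlier and only its config files
# remain, linux-image-amd64 is the metapackage, linux-headers is not a kernel.
SAMPLE_DPKG = """\
linux-image-4.9.0-9-amd64 install ok installed
linux-image-4.9.0-11-amd64 install ok installed
linux-image-4.9.0-13-amd64 install ok installed
linux-image-4.9.0-8-amd64 deinstall ok config-files
linux-image-amd64 install ok installed
linux-headers-4.9.0-13-amd64 install ok installed
"""

if __name__ == "__main__":
    # Typical case right after an update: the new kernel is installed but the
    # machine still runs the previous one, so both must survive.
    print(obsolete_kernels(SAMPLE_DPKG, running="4.9.0-11-amd64"))
```

The returned list is what you would hand to `apt-get purge`; in the sample only linux-image-4.9.0-9-amd64 qualifies, because 4.9.0-13 is the newest and 4.9.0-11 is still running.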
More disk space was also our goal when updating our backup script. It creates daily backups of OpenLDAP and Samba, among other things. With the previous default settings, the script never deleted old backup copies. Depending on the size of the directory service, a large amount of data accumulated over time, and admins received warnings that no space was left on the device. UCS 4.4-7 sets a default value for the UCR variable backup/clean/max_age, which defines an age limit for the backups. New UCS installations set the variable to 365 (days); on updated systems, admins can decide whether they want to configure the limit.
Other Improvements: Stability and Security Updates
We have improved the join process in large UCS environments. Especially installations with 50,000 accounts and more benefit from these enhancements. The timeout when waiting for synchronization of a specific system user is now set to a default value of 3 hours; longer or shorter thresholds can be configured with the UCR variable
Shell fans should be happy to find some revised commands for maintenance of their UCS systems. The tool univention-run-diagnostic-checks, for example, now executes all checks if admins don't specify any parameters; after entering the command it asks for the login credentials. This also happens when admins use the parameter -t list, which gives an overview of all available checks. No authentication is required for the --help parameter, which no longer lists the available checks.
The tool univention-run-join-scripts now validates its parameters more carefully and no longer runs all join scripts by default when an admin mistypes an option.
The Future: Scalability and ACLs
A few features did not make it into the 4.4-7 release, but will be included in some of the next errata updates and, of course, in version 4.4-8 which we plan to release next spring. Since the new features are especially important in large environments, we’d like to share the information now:
- In the future, the UCS management system will be able to make much better use of available processor cores, which means that the UCS portal will be able to handle many more logins per second.
- We have optimized the processing of Access Control Lists (ACLs) when logging into the UCS management system. Only required policies will be loaded, which reduces loading times and speeds up the login process.
The complete list of all changes and bug fixes can be found on our errata page. Additional information can be found in our Release Notes for UCS 4.4-7. And, as always: if you have any requests or suggestions for improvement, please get in touch – leave a comment in our blog or in our forum.
Nico Gulden studied applied computer science and has worked for Univention since 2010. As technical editor he is responsible for the maintenance and expansion of the product documentation. His spare time is dedicated to his family, reading, outdoor activities like cycling, photography and geocaching, and voluntary work with children and young people.