When people think of Schwäbisch Hall, they most likely think of the building society of the same name or of the picturesque old town (which is well worth a visit, by the way). Maintaining the latter is just one of the many tasks of the city administration. And the days of pencils and paper files are slowly coming to an end here, too. Modern IT ensures that the more than 900 employees can access their e-mails, appointments, contacts and files at any time and from any place.
Dealing with the Past
Identities and access rights need to be managed for all employees and for all systems in use. The system used for this purpose worked very well for a long time. Unfortunately, it was maintained externally and no knowledge was ever transferred in-house, so the IT department was never able to build up its own expertise for maintaining and developing it further. Open source (and the system in question certainly falls into this category) is of little use if no one is able or willing to maintain the source code. Human resources in IT are very limited, especially in the public sector and in a rather small municipality. Matters were complicated further by the fact that various other programs had been added in the meantime which, for the reasons just mentioned, could not be connected to the old system at all.
The Search
Identity management is not difficult; there are plenty of systems for it. That is what we thought, and so we set out to find one. Schwäbisch Hall is an open source municipality, so the wish for an equally open IDM was obvious. We did not want to make that a condition of the search, though; the competition should give everyone a chance. Only the no-spy clause of the BMI (the German Federal Ministry of the Interior) had to be fulfilled.
It was somewhat surprising to see that Univention was the only manufacturer to respond positively to the request. Actually, I was surprised that all the other IDM vendors apparently have difficulties with this no-spy clause. And I was even more surprised that there seem to be enough customers using such systems.
At any rate, the circumstances simplified the choice considerably. Looking back, I have to admit that it was not without some unease at first: we would have liked to have had more options at that time, and we did not yet know how the migration would go. Now it was clear that the journey would go in the direction of Univention Corporate Server (UCS). UCS is open source, and its core component is a strong identity management system that can be easily integrated with services via the company's own App Center or via interfaces, administered centrally and made available to users through a portal.
The Requirements
It was important for us to continue managing user information such as group memberships, password changes and user details in one central location. Our previous self-developed administration system already replicated all changes to the respective connected services. Our goal now was to make this future-proof and to manage users with a standardized procedure in a product that is continuously maintained and supported by a manufacturer.
The Preparations
Strictly speaking, the migration began long before the actual migration: after signing the contract, we had our first talks with the technicians from Univention. We had a direct contact person who turned out to be immensely competent and was thus able to quickly establish good rapport with our system administrators. Everyone involved quickly realized that the technical basis of our system was not so different from that of UCS. Based on this realization, a migration plan was quickly drawn up.
The Notifier/Listener mechanism used in UCS would henceforth handle the replication of user data to the individual services: every change to the LDAP directory is announced by the notifier, and listener modules on the domain's servers react to it and push the change into the service they are responsible for. Unlike in the past, the central services such as LDAP, DNS, DHCP and the Samba-based Active Directory services for Windows were to be set up redundantly to ensure reliability. This made sense because the UCS domain concept, which is based on a multi-server approach, provides the technical basis for distributed and redundant services right from the start.
One of the services we wanted to keep using was the OX App Suite. It was previously running against a Dovecot server and was to be moved to UCS, also because Notifier/Listener-based user management (renaming or deleting mailboxes, for example) works with it. The existing OX App Suite was to be provisioned via the UCS OX Connector. This makes it possible to use an OX App Suite that does not run on a UCS system and to synchronize users and groups between the two.
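To make the Notifier/Listener idea concrete, here is an added example of what a listener module reacting to mailbox-relevant user changes looks like. It is constructed for this article and is neither Univention's code nor the OX Connector; it follows the classic UCS listener module contract (module-level `name`, `description`, `filter` and `attributes`, and a `handler(dn, new, old)` function that the listener calls with the object's attributes after and before a change). The module name `mailbox-sync`, the sample DN and addresses are assumptions, and the calls into the mail backend are replaced by a pure `decide()` function so the logic can be run offline. Newer UCS releases also offer a class-based listener API; the function-based contract is used here because it is the simpler one to read.

```python
"""Illustrative UCS-style listener module for mailbox provisioning.

Constructed example (not Univention's own code and not the OX Connector).
Classic UCS listener contract: the listener calls handler(dn, new, old)
with the LDAP attributes after (`new`) and before (`old`) a change; a
freshly created object has an empty `old`, a removed one an empty `new`.
Attribute values arrive as lists of bytes.
"""
import logging
import re

name = "mailbox-sync"  # module identifier (assumed name)
description = "Create, rename or delete mailboxes when mail users change"
# Only objects that actually carry a mailbox are delivered to handler().
filter = "(&(objectClass=univentionMail)(mailPrimaryAddress=*))"
# Deliver modifications only when one of these attributes changed.
attributes = ["mailPrimaryAddress", "uid"]

# Listener modules run as root on the directory node and feed data into
# other services, so treat attribute values as untrusted input: accept only
# a conservative address syntax before handing it to any backend.
_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _first(attrs, key):
    """Return the first value of an LDAP attribute as str, or None."""
    values = attrs.get(key) or []
    return values[0].decode("utf-8") if values else None


def decide(dn, new, old):
    """Map a (dn, new, old) triple to a provisioning action.

    Returns one of:
      ("create", address)
      ("delete", address)
      ("rename", old_address, new_address)
      ("noop",)            nothing mailbox-relevant changed
      ("skip", reason)     malformed data, not forwarded to the backend
    """
    new_addr = _first(new, "mailPrimaryAddress")
    old_addr = _first(old, "mailPrimaryAddress")
    for addr in (new_addr, old_addr):
        if addr is not None and not _ADDRESS.match(addr):
            return ("skip", "malformed mailPrimaryAddress on %s" % dn)
    if new and new_addr is None:
        return ("skip", "object without mailPrimaryAddress: %s" % dn)
    if new and not old:
        return ("create", new_addr)
    if old and not new:
        return ("delete", old_addr)
    if new_addr != old_addr:
        # An address change is a rename, not delete + create, so the
        # existing mailbox contents survive (the OX/Dovecot case above).
        return ("rename", old_addr, new_addr)
    return ("noop",)


def handler(dn, new, old):
    """Entry point the UCS listener calls for every matching change."""
    action = decide(dn, new, old)
    # A real module would call the mail backend here; this one only logs
    # (real UCS modules usually log through univention.debug instead).
    logging.getLogger(name).info("%s -> %s", dn, action)
    return action
```

In a real deployment such a module is installed under /usr/lib/univention-directory-listener/system/ on the servers that should react to the change; the point of the pattern is that the service-specific side effects live in the module, while the directory remains the single place where the user is managed.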
A direct migration of all functions would have been very complex. Together with Univention, we therefore decided to transfer the information about users, groups and computers from the existing Samba AD to UCS using the UCS Active Directory Takeover. It was actually designed to take over a Windows-based Active Directory domain, but with minor adjustments it suited our requirements. Because the takeover carries the existing domain, accounts and credentials over to the new domain controllers, all of the existing 500 client computers (in our case Linux clients) work with the new system without any further changes. This was a prerequisite for completing the migration within the planned short timeframe. Another positive side effect was that users would hardly notice the change: once it was completed, they could simply log in with their existing user names and passwords and continue to use all associated services.
To practice the migration in advance, a complete test installation was set up containing both a digital twin of our current system and a UCS. We were thus able to run through the migration beforehand together with Univention. Once again, the well-known advantages of virtualized environments became apparent: not only could the test environment be set up quickly, it could also be copied or reset to an earlier state at any time using snapshots and clones. For younger readers this may sound like an everyday occurrence, but those of you who, like me, remember the days before virtualization will certainly understand my enthusiasm.
Through the various test runs, we were able to clean up our data inventory (which turned out to be the main source of errors during the test migrations), and Univention prepared scripts to automate the actual migration as far as possible. Beforehand, we had taken stock of the data stored in the old management system and decided which information was still needed and in what form it should be migrated to the new system.
Here is an example: our old system offered two-factor authentication for one login process, with a login token sent by SMS. The mobile phone numbers stored for this purpose were to remain available, and they could be transferred to the new system easily using the UCS standard feature "extended attributes", which adds custom fields to UDM objects such as users. Because the number serves as an authentication factor, who is allowed to change it deserves the same attention in the new system as the data itself. In this way, proven individual services and the data they require can be carried over into the new standard system.
With these preparations and the experience gained from the test migrations, we were able to derive a schedule for the actual migration: it would take us just under two days. Since IT projects of a certain complexity always run differently than planned, we added a buffer and scheduled the start for Friday at noon. The users were informed well in advance and reminded regularly that during the migration no login to the system, and therefore virtually no work at all, would be possible.
The Migration – Playing for Time
Until Saturday noon everything went according to plan. In the evening there was going to be a big summer fair in Schwäbisch Hall, and it looked like we could celebrate the successful completion of the project there. But then the first problems arose: we had simply overlooked some very special use cases. This is where the youth of our IT team (in terms of years of service) showed: at the time of the migration, everyone involved had been with us for less than a year, whereas the problem was much older, so no one had noticed it yet.
Fortunately, the Univention technician with whom we had planned everything in advance was on site during the migration. We had insisted on this. Probably everything could have been done remotely, but it was easier this way. In the end, thanks to his expertise, we lost less than an hour before we found the solution. We briefly considered a rollback (we had kept this fallback open for as long as possible), but with the solution in mind, we all agreed to move forward. This was effectively the legendary point of no return: from here on we would not have had time to roll back.
Implementing the solution proved to be very time-consuming: since it had not been prepared, we were not able to automate it and had to make manual adjustments in dozens of places. By the evening, it was clear to everyone involved that we were losing focus. So we decided (which might surprise the reader) to go to the summer fair after all. A good decision; the stress noticeably eased. Of course, it was not a very long evening, but it did us good, and on Sunday morning we were all back at work, well rested and motivated. Almost two hours later it was clear that we were going to make it. Around noon everything was done, and the afternoon was spent in a relaxed mood testing what had been completed and writing down the open points (anyone who has ever carried out a project of this magnitude knows that you never end up at 100 percent).
Case of Emergency
Even though we were sure we had done a good job, I think none of us really slept well on Sunday night. We all know the situation: we have tested everything we could think of, but only real day-to-day operation will show whether it really worked. On Monday, everyone was in the office early. We wanted to be ready for the early birds. Of course, there were a few hiccups, but all in all it was a relaxed Monday. At least as far as UCS is concerned, it was followed by many more relaxed working days up to today. So far, no one here has regretted the decision to make this change.
If you are interested, you can find Mathias Waack’s entire talk (in German) at the Univention Summit 2023 on our YouTube channel.