Have you ever faced the challenge of ensuring certain user properties, like usernames or email addresses, remain off-limits for future accounts after deleting a user? The new blocklist feature in Univention Corporate Server Version 5.0-6-erratum-974 is the solution. This article takes a closer look at UDM blocklists.

A Quick Look at the Basics

Blocklists are an essential tool for administrators, enabling them to proactively prevent the reuse of user or group properties. Imagine keeping previously used values like email addresses or usernames locked for a set duration. This function becomes a cornerstone in larger UCS environments, where the cycle of creating and deleting accounts is a regular affair.

So, what exactly are user or group properties? We’re talking about crucial details such as the username (username), first and last names (firstname, lastname), the password (password), and, importantly, the primary email address of a user account (mailPrimaryAddress), along with the email address associated with a group (mailAddress).

You can place any of these properties on one or more blocklists to prevent their reuse. Picture this scenario: in your organization, there’s an employee named Anna Alster with the email a.alster@organisation.de. When Anna leaves the company, her email address, along with her user account, is deleted. Fast forward a few weeks, and a new colleague, Anita Alster, joins the team. According to company policy, she’s assigned the same email address: a.alster@organisation.de. This could lead to an uncomfortable situation where Anita might access Anna’s “old” emails.

With the introduction of the new blocklists in the Univention Directory Manager (UDM), you can avert such scenarios with ease. Administrators have the power to specify in advance which properties are off-limits for reuse and for how long. Once set, the system seamlessly handles the rest.

This article presents the new feature in detail, guiding you through the steps to create, edit, and delete these blocklists. Whether you prefer the intuitive Univention Management Console (UMC) or the command-line agility of the udm tool, managing these lists is straightforward and efficient.

How to activate Blocklists and configure the Cron Job

To use the new blocklists, start by updating all UCS systems where you manage UDM objects. It’s crucial to have the latest UCS version, 5.0-6-erratum-974, running on all your machines. Don’t forget to install any available package updates for each computer too. Conveniently, both these tasks can be effortlessly completed through the Software Update module in the Univention Management Console.

software-update

Next, edit the necessary UCR variable. Navigate to the System / Univention Configuration Registry module and look for the directory/manager/blocklist/enabled entry. Change this variable to true and then save your changes.

edit-ucr

After activating the blocklists, the next step is to set a duration for each. This duration determines how long each block remains effective. Once the specified period expires, the system automatically clears the entries from the blocklist. This removal process is managed by a script, triggered by a cron job every morning at 8 a.m. If you need to adjust this timing, simply edit the UCR variable directory/manager/blocklist/cleanup/cron and input the desired time in crontab syntax in the Value field.

The next two sections will guide you through configuring the blocklists yourself. We’ll cover two methods—once via the Univention Management Console and once on the command line.

Configuring Blocklists via UMC

To manage your blocklists, start by accessing the Domain / Blocklists module. This is your hub for creating new blocklists, as well as editing or deleting existing ones. To initiate a new list, simply click on Add. For this new blocklist, you’ll need to make some key entries:

  • Name: Choose an easily identifiable name for your blocklist. A descriptive, unique name is best, especially if you’ll be managing multiple blocklists.
  • Retention time for objects in this blocklist: In this field, specify the length of time the block should remain in effect. This duration is critical; once it’s surpassed, the blocklist will be automatically deleted. Use time units like y (years), m (months), and d (days) to define this period. For example, entering 2y3m1d sets the blocklist to stay active for 2 years, 3 months, and 1 day.
  • In the Properties to block section, your task is to specify which properties need to be locked from reuse. This is where you identify the UDM modules and their corresponding properties. For instance, if you aim to block the reuse of primary email addresses for user accounts, simply enter users/user in the UDM module field and mailPrimaryAddress as the property.
  • If you need to block additional properties, simply click the plus sign located just below the input fields. This allows you to add more modules and their respective properties to the same blocklist. For example, to block an email address used by a group, add groups/group as the module and mailAddress as the property.

blocklist-settings

Once you’ve configured the blocklist to your needs, click Save to finalize your changes. Remember, the Domain / Blocklists module in UMC isn’t just for creating new lists. You can return to this module anytime to make adjustments or delete existing blocklists.

Configuring Blocklists via Command Line

For those who prefer working outside the web interface, the Univention Directory Manager (UDM) offers a powerful command-line alternative to manage blocklists. Known as univention-directory-manager, or simply udm, this tool requires root privileges for operation. One of the key advantages here is that both UMC modules and UDM provide access to the same domain administration modules. This means you get the same functionality through the command line as you would in the web interface. To explore the range of capabilities and options available, just type udm –help. This command brings up a comprehensive list of all supported parameters and options.

udm-help

When managing blocklists via the command line, use the command udm blocklists/list along with its subcommands to efficiently handle different tasks. These subcommands include:

  • create: Creates a new blocklist.
  • modify: Make changes to an existing blocklist.
  • remove: Delete a blocklist.
  • list: View all the blocklists that currently exist.

To create a new blocklist that excludes a username from reuse for one year, you’ll need to define several parameters in your udm blocklists/list command. Start with a name for the list using –set name=, followed by the time period for the block with –set retentionTime=, and then specify the UDM module and property with –append blockingProperties=. Enclose any expressions with spaces and special characters in double quotation marks. Thus, the complete udm command to achieve this would look as follows:

udm blocklists/list create –set name=Benutzername –set retentionTime=1y –append blockingProperties=”users/user username

When you list the existing blocklists, you’ll see not only this newly created list but also all entries that have been made through the Univention Management Console.

bockliste-list

To delete a blocklist on the command line, use the remove command, the –filter name= parameter, and enter the list’s name:

root@ucs-7559:~# udm blocklists/list remove –filter name=Benutzername

Keep in mind, if the list name contains special characters or spaces, it’s important to enclose it in double quotation marks.

Test Run: User Name Reuse Strictly Prohibited!

If you attempt to assign a user property that’s currently on a blocklist, the system will promptly notify you. The image below illustrates this: it shows an attempt to create an account with the name hej. However, this action is prevented by an existing blocklist that restricts the use of already assigned usernames for one year:

benutzername-blockliste

Effortless and Intelligent Administration Made Easy

The new UDM blocklists are an invaluable asset for user administration. They equip administrators with a robust tool to effectively manage the reuse of sensitive user properties, including email addresses and usernames. This feature plays a crucial role in minimizing potential mix-ups and enhancing security.

Got questions or feedback about the new blocklists? Dive into our manual for a detailed guide on using blocklists in the chapter titled Prevent reuse of user property values. For insights into the command line tool udm, refer to the Command line interface of domain management (Univention Directory Manager) chapter.

 

Image source: Icon created by Octopocto from flaticon.com

Use UCS Core Edition for Free!
Download now

Leave a Reply

Your email address will not be published. Required fields are marked *