Blog UCS Release 5.2-2

With the second patch level release of UCS, we’re bundling all the new developments from recent weeks into fresh installation media. In addition to many improvements that have already been published as errata, this release also includes an extension: a unified identifier for all objects managed by Nubus for UCS.

Unified Identifier for All Nubus Objects

Let’s start with the biggest change: the new “univentionObjectIdentifier,” which is activated with UCS 5.2-2. This attribute, now available on all objects managed by the Nubus component Univention Directory Manager (UDM), introduces an immutable and globally unique identifier.

Such unique identifiers are used to quickly and reliably locate or recognize objects. This is especially important when implementing connectors to other systems, so users and groups in UDM can be mapped to objects in the connected system. This also ensures that in log files, the affected object can be uniquely identified in a single log line.

Previously, there were already some attributes that could act as identifiers, such as a user’s login (in LDAP: uid), a group’s name (in LDAP: cn), or the OpenLDAP database ID (entryUUID). However, these all have individual limitations: most existing identifiers can change over time — for example, a user’s login or a group’s name. If such an identifier changes, complex special handling is required to maintain mappings to other systems. The entryUUID from OpenLDAP is indeed immutable, but it was primarily designed as an internal identifier by OpenLDAP. As a result, UDM could not return an identifier during object creation without incurring performance costs from additional LDAP queries.

Univention Nubus
With the product Nubus, Univention bundles the functionalities for the storage and management of identities and authorizations and the associated end user services Portal and Self Service. Nubus is available both for Kubernetes and as part of UCS.

The univentionObjectIdentifier has actually been available for some time, but it’s now automatically enabled with UCS 5.2-2. From now on, UDM will automatically create an identifier for every new object. For existing objects where this attribute is still empty, its value will be initialized using the content of the entryUUID during the upgrade process. In the UMC “System Diagnostic” module, a plugin checks for complete coverage of all objects of the class “univentionObject” to ensure consistency even in mixed environments with older UCS versions. In large environments, this addition should ideally be performed during periods of low system load. Further information on this is available in the release notes.
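The coverage check described above can also be run offline against an LDIF export. This is an added example, not Univention's diagnostic plugin: the DNs and UUID values are constructed, the function names are hypothetical, and it goes one step further by also flagging identifiers shared by more than one object.

```python
import base64
from collections import defaultdict

ID1 = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed value
# Constructed LDIF export: one folded DN, one base64 value, one non-UDM entry.
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,dc=example,dc=test
objectClass: univentionObject
univentionObjectIdentifier: {ID1}

dn: cn=Domain Users,cn=groups,dc=exa
 mple,dc=test
objectClass: univentionObject
entryUUID: 11111111-aaaa-4bbb-8ccc-000000000002

dn: uid=bob,cn=users,dc=example,dc=test
objectClass: univentionObject
univentionObjectIdentifier:: {base64.b64encode(ID1.encode()).decode()}

dn: cn=temp,dc=example,dc=test
objectClass: organizationalRole
"""

def parse_ldif(text):
    """Yield one dict per entry: lowercased attribute name -> list of values."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo RFC 2849 folding
    for block in text.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.lower()].append(value.strip())
        if "dn" in entry:
            yield entry

def audit(entries):
    """Return (DNs lacking the identifier, {identifier: DNs sharing it})."""
    missing, seen = [], defaultdict(list)
    for e in entries:
        if "univentionobject" not in [c.lower() for c in e["objectclass"]]:
            continue  # outside the class the diagnostic check covers
        ids = e["univentionobjectidentifier"]
        if not ids:
            missing.append(e["dn"][0])
        for i in ids:
            seen[i.lower()].append(e["dn"][0])
    return missing, {i: d for i, d in seen.items() if len(d) > 1}
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` reports the group entry as missing the identifier and the two user entries as sharing one. Against a live directory, the missing-identifier case corresponds to the LDAP filter `(&(objectClass=univentionObject)(!(univentionObjectIdentifier=*)))`.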

Keycloak with New “Ad Hoc Provisioning” Feature

Alongside numerous smaller upgrades since the last patch level release, one notable change is the updated version of Keycloak, now available as version 26 in the App Center. In addition to fixing security vulnerabilities, Keycloak 26 introduces many improvements, including a new token exchange feature for integrating applications.

Univention has also integrated an “Ad Hoc Provisioning” plugin that significantly simplifies connecting UCS to existing infrastructures. With this plugin, users who log in via Single Sign-on with another identity provider (e.g., Active Directory) automatically receive a user account in Nubus. This allows users from trusted sources to directly access applications connected to Nubus. Detailed examples will follow in upcoming blog articles.

Performance and Security Improvements

In UDM, noticeable performance improvements have been implemented in several areas for large environments. Deleting computer objects and editing groups are now significantly faster.
In very large and older environments with many changes in the directory service, fragmentation of the OpenLDAP database backend had also been identified as a performance bottleneck. A new diagnostic module now indicates whether this issue is present in your environment and points to a tool that can easily fix the fragmentation.

Further Information

A complete overview of all changes and upgrade instructions can, as always, be found in the release notes for UCS 5.2-2. If you have any further questions, our Support Team or the Help Forum at help.univention.com are always available to assist you.
