The first patch-level release of the year bundles all new features from the past three months onto new installation media – and therefore includes highlights such as the automatic restoration of accidentally deleted users in Active Directory and Samba 4 as well as the Nubus Provisioning Service.
Table of Contents
Provisioning Service for UCS
The new Provisioning Service from Univention Nubus enables applications to be quickly notified about changes to users, groups, and other events within Univention Nubus. It was initially introduced in Nubus for Kubernetes and had been available as a preview for UCS for several months. Since the end of January, it has also been available as a stable release for UCS and can be installed via the App Center.
Compared to the long-established listener plugins in UCS, which are also used to transmit changes such as user modifications to other applications, the Provisioning Service offers several advantages. Its architecture is more scalable – for example, the various connected applications are now served in parallel rather than sequentially.
Access is no longer provided through plugins that must be installed on UCS, but instead via a REST API (“Provisioning API”). Application developers and operators are therefore freer in their choice of deployment location for applications and integrations, as well as in their selection of development environment and programming language.
With the availability of the Nubus Provisioning Service for UCS, we are also closing a gap between our Nubus for Kubernetes and Nubus for UCS offerings. Nubus now provides the same components and interfaces on both platforms. We therefore recommend using the Provisioning API for new integrations so that they can be used with both Nubus for Kubernetes and Nubus for UCS. Information on using the Provisioning API can be found in the product documentation.
Restoration of Users in Samba and Active Directory
With the latest updates for the connectors for Samba 4 and Active Directory, we have completed the planned functionality of the “Recycle Bin” feature of Univention Nubus on UCS.
The “Recycle Bin” makes it possible to keep deleted objects in an intermediate storage location from which they can be restored. If a user or group is accidentally deleted, it can be fully restored from this intermediate storage. All internal technical attributes such as identifiers or password hashes are reset to their original state. The user can continue working immediately, and all connected systems retain the same technical information.
With the latest errata updates, the Samba 4 Connector, which is part of the “Active Directory-compatible Domain Controller” app, as well as the “Active Directory Connector” for connecting to Microsoft Active Directory, have been extended with a restoration function. This can be used both with the “tombstone” implementation that is active by default in Active Directory and with the optionally activatable Recycle Bin functionality, which serves there as intermediate storage for deleted objects.
The connectors recognize when users have been restored in the Univention Directory Manager and notify Samba 4 or Active Directory that the account should also be restored there. This ensures that internal technical identifiers continue to be used there as well. Since the “tombstone” in Active Directory can restore significantly less information, the user objects in Samba 4 or Active Directory are completed based on the information available in UDM – such as group memberships. This restoration functionality can be used bidirectionally.
The setup of the “Recycle Bin” was tested with project partners and has been fully implemented in UCS. The configuration is documented in the UCS 5.2 manual.
The Small Highlights
As always, among the many improvements introduced through errata and app updates over the past three months – in addition to security updates and bug fixes – there are some noteworthy new features:
- Changes to group memberships via the Univention Directory Manager have been further accelerated.
- Installing or updating UDM extensions – e.g., defining new extended attributes – no longer requires restarting the UDM REST API.
- Keycloak is now configured so that user information is updated from LDAP at every login. This ensures that changes to users always take effect at the next login.
UCS 5.2-5 is, as always, available in the download section. Further information about the included changes can be found in the release notes and help article.
