Digital Sovereignty is an Indispensable Prerequisite for the Resilience of Our IT Systems – First Lessons from the Corona Crisis

We are in the transition to a “new normal”. However it will look different from the normality before the corona pandemic. Step by step areas of life are being ramped up that until recently were in an unprecedented exceptional situation. This involved a lot of stresses, but it has also brought new and valuable insights into how we can organize our lives. The significance of digital communication options has increased enormously. The use of digital technologies has been accelerated tremendously. It became clear that it is important to have systems that function independently of individual providers or even of foreign countries. Systems that are resilient and can react quickly and effectively to a crisis so that stable conditions can be restored.

Two Standards But One Common Single Sign-on – Integration of SAML and OpenID Connect

The integration of Kopano Konnect in the single sign-on network of Univention Corporate Server is an additional option for users to access a range of various applications that are integrated in UCS via a single, initial login using their user name and password.
The two authentication standards SAML (Security Assertion Markup Language) and OpenID Connect have already been available to UCS users for some time. So far, however, these two technologies have been two separated worlds. If some of the web services used SAML and others OpenID Connect for the authentication against UCS’ identity management, users were forced to log in twice in those environments with multiple services. With the support of the Kopano team, we were able to release an extension of the app “OpenID Connect ID” in the App Center. This is integrating the two standards with each other and thus allows a single authentication process by the end user.
I would like to briefly explain how a single sign-on generally works with UCS. Then I explain the interaction of Kerberos, SAML, and OpenID Connect and show you which functions the new implementation of Kopano Konnect offers to UCS users.

Synchronize Password Hashes between MS Active Directory and UCS

Schaubild: UCS Kerberos-Hashes

Version 4.4-4 of Univention Corporate Server (UCS) comes with some cool new features, one of them being the new AD Connector app. It makes the synchronization of password hashes between a Microsoft Active Directory domain and a UCS domain significantly more secure and less error-prone. While previous versions could only synchronize NTLM hashes, the AD Connector of UCS 4.4-4 also reads newer hashes, the so-called Kerberos keys which allow single sign-on (SSO) to different applications.

I am a second-year trainee at Univention (job description: IT specialist for application development). I was involved in the development of the new feature and mainly had to deal with three tasks: the AD Connector itself, the OpenLDAP overlay module, and the S4 Connector (Samba). In this blog post I’m going to explain what Kerberos hashes are and how I implemented the new feature.

Setting up an Automatic Account Lockout after Failed Login Attempts

By default, UCS users can enter the password incorrectly any number of times without being locked out by the system. In order to make brute force attacks to crack passwords more difficult, admins can set up an automatic lockout that prevents an account from being accessed after a user-defined number of failed attempts.

Univention Corporate Server offers several methods for authentication and authorization. In this blog article I will show you how to log failed login attempts to the system via PAM stack, OpenLDAP and Samba respectively and how you as an admin can set a limit for the number of unsuccessful logins.

Brief Introduction: SAML- a secure, comfortable web access

SSO-SAML-UCS
SAML – meaning „Security Assertion Markup Language“ – is a standard which enables a Single Sign-On (SSO). Users only log in once and are able to use other programs and services automatically. UCS supports SSO with SAML as well. That‘s why users get not only a central identity by using SAML but also a central log-in with UCS, making web-based working more secure and comfortable.

UCS: How to set up LDAP Replication

The central element of every identity management system is usually a directory service, a repository that stores and manages information like user profiles and access privileges, and network resources. Univention Corporate Server (UCS) uses OpenLDAP for this task.
If the directory service is down, many other services are no longer available. In this article we are going to show you how to plan a fail-safe environment for your UCS domain with LDAP replication, i.e., storing an exact copy of the data on multiple servers – this improves the reliability as well as the performance.

Advantages of Roaming Profiles and Folder Redirection to Boost Network Performance + Data Availability

Männerkopf mit Binärcode

Would you like some valuable tips on how to increase network performance and user data availability when using Windows clients together with UCS?

Thinking about user data, many of us admins immediately understand that questions about the issues of backups, privacy, and availability, no matter whether across different machines or outside the office, can create us a considerable headache. But fortunately there are solutions in place and in this article I want to cover two of them: Roaming Profiles and Folder Redirection, arguably the most popular solution to the problem.