Create an SSO Login for Applications to Groups

Headerbild: SSO mit SAML für UCS-Gruppen
Since the introduction of single sign-on support in Univention Corporate Server (UCS) via Secure Authentication Markup Language (SAML), an administrator can assign a user within the user object to those applications, called service providers in the SAML context, he or she can log in to via single sign-on. As for administrators in organizations with many users, this assignment can be time-consuming.

Two Standards But One Common Single Sign-on – Integration of SAML and OpenID Connect

The integration of Kopano Konnect in the single sign-on network of Univention Corporate Server is an additional option for users to access a range of various applications that are integrated in UCS via a single, initial login using their user name and password.
The two authentication standards SAML (Security Assertion Markup Language) and OpenID Connect have already been available to UCS users for some time. So far, however, these two technologies have been two separated worlds. If some of the web services used SAML and others OpenID Connect for the authentication against UCS’ identity management, users were forced to log in twice in those environments with multiple services. With the support of the Kopano team, we were able to release an extension of the app “OpenID Connect ID” in the App Center. This is integrating the two standards with each other and thus allows a single authentication process by the end user.
I would like to briefly explain how a single sign-on generally works with UCS. Then I explain the interaction of Kerberos, SAML, and OpenID Connect and show you which functions the new implementation of Kopano Konnect offers to UCS users.

Synchronize Password Hashes between MS Active Directory and UCS

Schaubild: UCS Kerberos-Hashes

Version 4.4-4 of Univention Corporate Server (UCS) comes with some cool new features, one of them being the new AD Connector app. It makes the synchronization of password hashes between a Microsoft Active Directory domain and a UCS domain significantly more secure and less error-prone. While previous versions could only synchronize NTLM hashes, the AD Connector of UCS 4.4-4 also reads newer hashes, the so-called Kerberos keys which allow single sign-on (SSO) to different applications.

I am a second-year trainee at Univention (job description: IT specialist for application development). I was involved in the development of the new feature and mainly had to deal with three tasks: the AD Connector itself, the OpenLDAP overlay module, and the S4 Connector (Samba). In this blog post I’m going to explain what Kerberos hashes are and how I implemented the new feature.

Film Tutorial: How to Add a Windows 10 Computer to a UCS Domain

In our 4-minute film tutorial we will show you how to add a Windows 10 computer to your UCS domain. First, we will prepare the UCS domain by installing the software package “Active Directory Domain Controller” from the Univention App Center. The Active Directory Domain Controller is an app which extends UCS with Active Directory functions. This makes it possible to operate an Active Directory compatible domain controller with UCS and thus login to a Windows client. In addition, replication mechanisms are used to synchronize data with other domain controllers.

Setting up an Automatic Account Lockout after Failed Login Attempts

By default, UCS users can enter the password incorrectly any number of times without being locked out by the system. In order to make brute force attacks to crack passwords more difficult, admins can set up an automatic lockout that prevents an account from being accessed after a user-defined number of failed attempts.

Univention Corporate Server offers several methods for authentication and authorization. In this blog article I will show you how to log failed login attempts to the system via PAM stack, OpenLDAP and Samba respectively and how you as an admin can set a limit for the number of unsuccessful logins.

Film Tutorial: UCS Admin Diary for Sysadmins

Every systemadministrator has this problem: When did I set up this one function or when did I change the password? To answer these questions we have developed a diary for sysadmins: UCS Admin Diary. The application provides a quick overview of all administrative events in a UCS domain. This includes software and app installations and updates, creating, changing and deleting users and other directory service objects, and password changes.

Domain Replication Service (DRS) with Samba for Empowering Distributed Environments

In larger environments with thousands of users, you can often find multiple Domain Controller offering authentication and authorization services. For Windows-based endpoints, UCS utilizes Samba 4 to provide these services. In between the different Samba 4 servers, UCS uses the Domain Replication Service (DRS) to keep the server data synchronized. While Samba 4 does a superb job in replicating the data, there are some tweaks you can utilize to optimize the replication, to provide better performance in distributed environments. Let us have a look!

Provide Solutions for Home Office Team Collaboration

In recent days and weeks, many employees retreated to home office to break chains of infection, others plan or would like to do so. But not everyone has the tools to continue working productively and together with colleagues in as many areas as possible. Working remotely and the collaboration of several people from the home office place special demands on the way a team works and on the tools it uses.
As an open hyperintegration platform and with the Univention App Center, Univention Corporate Server (UCS) offers a whole range of different applications which enable effective and collaborative working from the home office. Among the more than 90 applications in the App Center are solutions for file sharing (Nextcloud, ownCloud or Seafile), for project management (OpenProject and the Kanban solution Wekan), video conference (Kopano Meet), real-time communication (Rocket.Chat) or knowledge transfer (MediaWiki Bluespice). All these solutions are also available as virtual appliances with a pre-configured UCS, which you can put into operation with a very manageable effort and make available to your colleagues for the home office.

Brief Introduction: What is a Linux Derivative?

Univention Corporate Server (UCS) and Univention Corporate Server @ school (UCS@school) are Debian derivatives, i.e. operating systems derived from the Linux distribution Debian GNU/Linux. So, what exactly is Linux, what is a Linux distribution, and what does derivative mean? Read on to find out more about these terms and the connection between UCS and Debian GNU/Linux.

Secure Passwords for the UCS Domain

Obviously, your first name, cat’s name or mother-in-law’s birthday are not good passwords. Also password or 123456 (actually to be found on the list of the most frequently chosen passwords!) are out of the question. As the administrator of a UCS domain, you can’t prevent users from writing down their passwords or storing them under the keyboard, but you can tweak other settings to make the system more secure.
Policies can, for example, be used to specify a minimum length or to require users to change passwords regularly. In addition, Univention Corporate Server provides a quality check that forces the use of a certain number of numbers, special characters, uppercase and lowercase letters in passwords. This article presents some tips and tricks for setting up a good password policy in an UCS domain. We also show what variables can be set in the Univention Configuration Registry to optimize the whole thing. If you are using Samba in your environment, this article will also explain how to adjust the password requirements for the Samba domain object to those of the new policy.