When administrators think about user management (IdM), they often only keep an eye on traditional IT systems. But even in the cloud, where you can buy new services with just a few clicks, it’s extremely important for companies to keep control over their users if they do not want to lose control over who has rights and access in the organization. Otherwise, a dissatisfied or dismissed employee can quickly become a real threat to the entire corporate IT. Or the failure of subsystems can mean that the entire IT can no longer be accessed and all processes in the company are stopped.
The Univention Portal is the central hub via which users access a Univention system. It is where you can find links to installed applications like webmail. In addition, administrators also have the option of including their own links to external websites. Last, but by no means least, there is also a module here with which users can change their own password.
Univention supports personalization of the portal’s start page – in the best-case scenario, this not only ensures compliance with your corporate identity, but also allows users to identify better with Univention. For example, it is possible to place a number of different applications on the start page, permitting users direct access to them. Yet another option is even more evident immediately: In just a few steps, the portal can be customized with a large-scale background image and a portal logo. Domain administrators can perform this step quickly and with minimal effort.
The LDAP server in UCS, like the Active Directory on a Windows server, stores all the information on your domain about all your resources from hardware to employee as objects, namely in a structured and well-defined manner. Every object has some defined attributes of a particular type. Common attributes of a user object are, for example, the user’s surname, password and further valuable information on him. Part of the LDAP is the LDAP schema, which provides the administrator with a clear overview on all objects by describing which types of attributes exist within the LDAP and what attributes they have.
So, if you want to include additional attributes or create entirely new object types, extending the schema might be the way to go.
If you need to use various services online, which is by the way the norm, there’s nothing more conventient than using single sign-on (SSO). SSO allows you to log in to all available services in a domain with one password only. UCS provides this feature via the SAML Identity Provider since UCS 4.1.
We chose to implement SAML as the first single sign-on technology in UCS, because of its popularity in the enterprise sector, the high degree of security, and the positive experiences that we ourselves had made with SAML in the years before. Since then, a lot of services and Univention Apps already provide a SAML service provider. Now, we are working on integrating these into the UCS Identity Provider.
Step by Step Guide to a Multi-Server Environment for Effective Protection against Outages and Network Attacks
The cumulative outages of the Amazon Web Services and the attacks on the global DNS network have shown that even large and supposedly professionally protected networks are endangered, too. These incidents also make us aware of the need to distribute critical infrastructures across multiple cloud providers. This distribution is particularly important for centralized authentication services, which provide users and permissions for various services and organizational offices. An outage of a single server system would be a catastrophe for services like AWS where thousands of users and their permissions would be affected simultaneously. This is why I would like to explain to you how you can safeguard your network against outages and criminal attacks. Even if the dimension of your network probably is not comparable to the one of AWS or the DNS network.
In the following article, we first explain briefly what a domain is and then describe the tasks of a domain controller. Finally, we become practical and see how the concept of “domain/domain controllers” has been implemented in Univention Corporate Server.
Since the last update, there is a now a new feature in the Univention App Center: “App Settings”. It allows simple configuration of an App from within the Univention Management Console. We developed this new feature so as to allow App Providers to improve the integration depth of an App in UCS and simplify the set-up of an App considerably with easy-to-use tools.
Workplaces become more remote and mobile while individuals are increasingly equipped with (private) mobile devices. In this context it is good to know about RADIUS, because private end devices require simple access to an organization’s network. At the same time you need to avoid that these devices open the doors for malware or leakage. RADIUS is such an instrument for the construction of secure, decentralized work structures and equally a powerful tool for the authentication of mobile device accesses to networks.
In the following, we like to give you a brief understanding of what RADIUS is and how you can use it with UCS.
Samba 4 has become the tool of choice for companies with diverse clients that seek a Linux-based central identity management. However, a growing number of organizations are offering work from home options and manage distributed operations like construction companies with a computer at every construction site or an insurance provider with several offices. The securing of all authentication processes when employees log in your network also from outside, is critical to protect your data.
But how to do that?
You need to add a VPN solution which starts before the login if you want to enjoy the advantages of single sign-on and policies that Samba provides. The following how-to will describe how to add OpenVPN to an existing Samba 4 installation to automatically secure client authentications over an untrusted network.
More than two years after the start of one of the largest projects in which Univention has been involved to date, a new mail platform with over 30 million managed end users finally went online in late 2016. UCS takes care of the identity management duties for all the user accounts.
I first reported on the challenges of the project almost a year ago in the article How can OpenLDAP with UCS be scaled to over 30 million objects?. However, it is now no longer a “gray theory” – the project has now gone live and the LDAP has had to cope with the strain of thousands of accesses every second in real time ever since.
Today, I would like to provide you with an update and share with you some of our most important findings from the going live process.