Dealing with the past
Until the decision was made in favor of the open source solution UCS in 2021, the public administration of Schwäbisch Hall relied on a self-developed identity management system (IDM) to manage identities and access rights. However, this system was no longer suitable for the purpose, mainly because it depended on external support, knowledge transfer into the organization was lacking, and in-house expertise in this area was building up only slowly. Schwäbisch Hall therefore began searching for a suitable IDM in order to make efficient use of its scarce human resources, provide its approximately 900 employees with centralized access to their e-mails, appointments, contacts, and files, and ensure the administration of new programs.
The goal of this modernization process was to break away from vendor lock-in by using open source software (OSS). In addition, the city wanted to increase the security of its overall IT system, reduce licensing costs, and ensure the compatibility of Linux and Windows systems in a complex, heterogeneous IT landscape with a planned migration to Linux systems.
Realignment of IT with the UCS Open Source Solution
The city’s new IT approach was to deploy Linux-based client computers and introduce a professionally maintained, open source-based central IDM for standardized and centralized user management. In this way, the old administration system, which at the time replicated every change to each connected service, was to be replaced by a future-proof solution. User information such as group memberships, password changes and user details was to continue to be managed centrally.
The first challenge of the project was to find a suitable IDM that also met the no-spy clause of the German Ministry of the Interior (BMI). Many IDMs did not comply with this clause and were therefore not considered by the IT department in Schwäbisch Hall. With UCS, an open platform with integrated OpenLDAP and Active Directory functions, services could be easily integrated via the App Center or interfaces, centrally administered and made available via a portal. Mathias Waack, Head of the Organization & IT Department of the City of Schwäbisch Hall, emphasizes: “It was somewhat surprising to see that Univention was the only vendor that responded positively to our inquiry at all. Strictly speaking, I was personally surprised by the fact that apparently all other manufacturers of IDM systems had difficulties with precisely this no-spy clause.”
Arrive well prepared
Because the technical foundations of the old and new systems were similar, a migration plan was drawn up quickly. During the migration, UCS’s notifier-listener mechanism replicated the user data transferred from the old system to the individual services and to central services such as LDAP, DNS and DHCP. The redundant design of the Samba-based Active Directory Windows services provides resilience against failures. The OX App Suite e-mail solution, which had previously run on a Dovecot server, was also migrated to UCS.
Prior to the actual migration, a virtual test installation was set up consisting of a digital twin of the existing system and a UCS instance. Snapshots and clones were used to clean up the data in advance and to create scripts and a schedule for an automated migration. User, group and device information from the previous Samba Active Directory was taken over by UCS Active Directory Takeover, a tool developed for Windows domain migrations, so that once the migration was complete, all 500 Linux client computers worked with the new system without any further changes.