This document summarizes product milestones for Univention Corporate Server (UCS) in 2019 and the outlook for 2020. In 2019, UCS saw the release of version 4.4 and new features like the Admin Diary, self-service password reset, and a UDM REST API. For 2020, UCS 5.0 is planned which will be based on Debian 10 and include a switch to Python 3 and potentially Samba 4.11. UCS 5.0 is targeted for mid-2020 and will focus on migrating core features to apps and improving usability.

1. UCS "Wrap Up": Technische Highlights
2019 und Ausblick 2020
Erik Damrose
Sönke Schwardt-Krummrich
Univention GmbH

2. Product Milestones in 2019 and UCS 5 in 2020
2019
Multi Azure AD syncEnd User Self Service
Admin Diary
Portal
Samba Trusts
UMC Usability
UDM REST API
Samba Provisioning
SAML aliases
UCS@school
Kelvin REST APICorporate Design
2020
UCS 5

3. UCS 4.4-0
●
Release on 2019-03-12
●
Fastest adoption rate in Univention history

4. Admin Diary
●
New app in Univention App Center
●
Centralized logging of important events
●
Creation/modification/deletion of objects
using Univention Directory Manager
●
Installation, update and deinstallation of apps
●
Start, end and eventual failures of domain
joins
●
Start and end of UCS updates
●
Not limited to the events above
●
UMC module for queries and comments

5. Self Service App
●
Change current password
●
Protect account by specifying a
alternative channel
●
E-Mail
●
SMS
●
...
●
Reset forgotten password over
alternative channel

6. Self Service App
●
UDM user wizard optionally sends an invitation link via e-mail

7. Self Service App
●
New dialog „Your profile“
●
Administrators can allow users to
maintain certain attributes of
their user object
●
List of attributes is customizable
(e.g. private address, photo, ...)

8. Self Service App
●
Configuration example:
ucr set
umc/self-service/profiledata/enabled=’true‘
self-service/udm_attributes=’mobileTelephoneNumber,homePostalAddress‘
self-service/ldap_attributes=’mobile,homePostalAddress‘

9. Custom design options for UCS portal, self-service, login
●
Individual branding for portal page, self-service app and login page
now possible via custom CSS files
/var/www/univention/self-service/css/custom.css
/usr/share/univention-management-console-login/css/custom.css
/usr/share/univention-portal/custom.css

12. User module: activation of apps
●
New tab in UMC user module called „Apps“
●
New central point for activation of apps
●
Sub tabs for each installed app
●
Sub tab only visible if app is enabled for user
●
Not all apps have migrated to this new layout yet

13. User module: activation of apps

14. UDM REST API
●
New service allows the remote usage of UDM via a REST API
●
Same actions as for the CLI and UMC possible
●
Dynamic API – depending on installed components and apps
●
Running by default on DC Master and DC Backup systems
●
Already in use by new UCS@school components and eGroupware app

15. UDM REST API – getting started
●
Specification of running API in OpenAPI format available
https://FQDN/univention/udm/openapi.json
●
Manual exploration of the API via Swagger UI
https://FQDN/univention/udm/schema/

16. UDM REST API – Swagger UI

17. UDM REST API – Swagger UI

18. UDM REST API – getting started
●
Specification of running API in OpenAPI format available
https://FQDN/univention/udm/openapi.json
●
Manual exploration of the API via Swagger UI
https://FQDN/univention/udm/schema/
●
Developer manual
https://docs.software-univention.de/developer-reference-4.4.html
●
Python reference client for UDM REST API
https://github.com/univention/python-udm-rest-api-client/

19. App updates
●
OpenID Connect provider
●
UCS as ID4me compatible login provider
●
Office365 connector supports sync to multiple Azure ADs

20. UCS@school
●
New app „UCS@school Kelvin REST API“
●
New app „UCS@school ID connector“
●
Improvements for exam mode
●
Safety net: auto collect result every X minutes
●
Preparation of exams possible
●
Client computer restart now only required with computer-specific GPOs
●
Basis for a role concept (currently only non-visible changes)

21. Univention Directory Notifier – Univention Directory Listener
●
Notifier and Listener are main components for LDAP replication
●
New protocol version „3“
●
New LDAP database (cn=translog)
●
Introduced in UCS 4.3-3 errata427
●
As of UCS 4.4-0 new installations offer protocol version 3 only
●
Recommendation for updated UCS domains:
disable the old protocol version manually
(UCR variable notifier/protocol/version)

22. Samba 4.10 in UCS 4.4
●
Good cooperation with the Samba team also in 2019
●
Unidirectional Trusts with Microsoft Active Directory Domains
(Windows trusts UCS)
●
Fix for crash of Windows Explorer
●
Fine Grained Password Policies (FGPP)
●
Multiple improvements of NTACL SysVolCheck
●
Multiple detail improvements and security fixes
●
Folder „windows-profile“ is now hidden
●
Samba manageable via UMC system services module

23. S4 Connector
●
Additional configuration file for customizations of S4 connector mapping
●
Additional attributes are now synchronized between OpenLDAP and AD
●
automatically activated on fresh installations starting with UCS 4.4-2
●
sync of attributes has to be activated manually on updated UCS systems
●
Several detail improvements
●
Bugfix for UCS@school that allows the move of users between school OUs
●
Single attributes may be excluded from sync
●
Bugfixes for the conversion between Unix and Windows timestamps

24. UCS 5.x
●
Focus on UCS as a platform
●
Migration of core features to apps
●
Integrate and configure apps automatically
●
Usability improvements – Portal + Single Sign-On
●
Shorter release cycles for major releases
●
Get closer to Debian release cycles
●
Less modifications in minor releases

25. UCS 5.0
●
Based on Debian 10 (Buster)
●
The use of the LDAP overlay memberOf is now mandatory
●
New Samba version
●
Switch from Python 2 to Python 3

26. UCS 5.0 – features/components to be removed
●
i386 support
●
KDE desktop (packages remain in UCS repository)
●
Cleanup of deprecated features (e.g. support of MD5 in certificates)
●
UMC module „Statistics“ use UCS Dashboard app→
●
Other possible candidates:
●
Horde webmailer
●
PyKota print quota
●
NTLM authentication in RADIUS
Feedback is welcome!

27. UCS 5.0 and Python 3
●
Goal: complete switch to Python 3 throughout UCS
●
Transition started already in Summer 2019 in UCS 4.4
●
Make code executable in Python 2 + 3
●
But: some API changes cannot be avoided
●
Not only UCS core is affected but also all apps and extensions
●
All apps and extensions have to be checked for compatibility

28. UCS 5.0 and Python 3
●
Affected software
●
Modules for Univention Directory Listener
●
Modules and syntax definitions for Univention Directory Manager (UDM)
●
also hooks and syntax classes for extended attributes
●
Modules for Univention Management Console (UMC)
●
Templates for Univention Configuration Registry (UCR)
●
Scripts that use UCS python modules

29. UCS 5.0 – Samba 4.11
●
Scaling improvements for large environments
(100k users + 100k computers)
●
Use of prefork model – not one process per connection
●
LDB index mode for <= and >= comparisons – replication speedup
●
Memory efficiency of Samba LDAP server for large search results

30. UCS 5.0 – Samba 4.12 ?
●
Possible candidate for UCS 5
●
This week: Release candidate 1
●
Final version expected in March 2020
●
Samba team is working on compatibility with „Windows 2012 Server“
●
Default AD scheme switches to „2012_R2“
●
The default function level will remain on „2008_R2“ for now
●
Deprecate old protocol versions, e.g. SMB1 – override via UCR is possible
●
Remove weak crypto, e.g. DES

31. UCS 5.0 – when?
●
Mid-year 2020

32. Vielen Dank für
Ihre Aufmerksamkeit
Erik Damrose
Sönke Schwardt-Krummrich
Univention GmbH