ucs

UCS Univention Corporate Server

Port forwards

Per SSL https://tokoeka.netzwissen.de:8443

Per SSH ssh -p 8422 tokoeka.netzwissen.de

ucr
  • Auslesen ucr dump
  • Setzen ucr set
  • Löschen ucr unset

Beispiel: Ändern der IP über cli.

ucr set interfaces/ens18/address='138.201.52.53'
ucr set interfaces/ens18/broadcast='138.201.52.255'
ucr set interfaces/ens18/netmask='255.255.255.192'
ucr set interfaces/ens18/network='138.201.52.1'
ucr set gateway='138.201.52.1'
ucr set nameserver1='185.12.64.2'

Danach reboot. Achtung nie direkt in network/inerfaces ändern, da alles über templates läuft.

Konfiguration der Objekte im OpenLDAP. Allgemeine Syntax

udm [modulname] [aktion] [option]

Beispiel

udm oidc/rpservice create --set name=<internal_name> \
    --position cn=oidc,cn=univention,$(ucr get ldap/base) \
    --set clientid=<client_identifier> \
    --set clientsecret=<averylongpassword> \
    --set trusted=yes \
    --set applicationtype=web \
    --set redirectURI=<URL_from_client_documentation>

Objekte auflisten

udm oidc/rpservice list

udm oidc/rpservice create --set name=owncloud oidc app \
    --position cn=oidc,cn=univention,$(ucr get ldap/base) \
    --set clientid=<client_identifier> \
    --set clientsecret=<averylongpassword> \
    --set trusted=yes \
    --set applicationtype=web \
    --set redirectURI=<URL_from_client_documentation>

Netzwerkeinstellungen

root@ucs-2370:~# ucr dump | grep interfaces
interfaces/ens18/address: 136.243.85.155
interfaces/ens18/broadcast: 136.243.85.159
interfaces/ens18/ipv6/acceptRA: false
interfaces/ens18/netmask: 27
interfaces/ens18/network: 136.243.85.128
interfaces/ens18/route/route1: net 138.201.52.40 netmask 255.255.255.248 gw 138.201.52.41
interfaces/ens18/route/route2: net 136.243.85.152 netmask 255.255.255.248 gw 138.201.52.41
interfaces/ens18/start: true
interfaces/ens18/type: static
interfaces/ens19/address: 10.10.10.17
interfaces/ens19/broadcast: 10.10.10.255
interfaces/ens19/ipv6/acceptRA: false
interfaces/ens19/netmask: 255.255.255.0
interfaces/ens19/network: 10.10.10.0
interfaces/ens19/start: true
interfaces/ens19/type: static
interfaces/handler: ifplugd
interfaces/primary: ens19
mail/postfix/inet/interfaces: 127.0.0.1
samba/interfaces/bindonly: yes
samba/interfaces: lo <interfaces/primary>
samba/register/exclude/interfaces: docker0

In Kurzform

ucr search –brief interfaces

ucr search –brief bridge

ucr search –brief gateway

https://help.univention.com/t/configuring-static-routes/8120

root@ucs-2370:~# univention-config-registry set interfaces/ens18/route/route1="net 138.201.52.40 netmask 255.255.255.248 gw 138.201.52.41"
Setting interfaces/ens18/route/route1
Multifile: /etc/network/interfaces
ifdown: interface ens18 not configured
File: /etc/dhcp/dhclient.conf
RTNETLINK answers: File exists
ifup: failed to bring up ens18
File: /etc/default/ifplugd
File: /etc/issue
File: /usr/share/univention-management-console/meta.json
File: /etc/welcome.msg
ucr search --brief ^nameserv dns/forward

Jede Änderung am Netz mit

 /etc/init.d/networking restart

bestätigen

LDAP Suche

https://help.univention.com/t/cool-solution-ldap-search-user-simple-authentication-account/11818

Shell Suche erfolgt über einen LDAP User vom Typ "simple authentication account"

lokale Suche

ldapsearch -x -D uid=LDAPsearch,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator

Remote Suche

LDAP Ports

  LDAP Port: 7389
  LDAP Port (SSL): 7636
ldapsearch -H LDAP://10.10.10.17 -x -D uid=LDAPsearch,cn=users,dc=netzwissen,dc=de -W uid=Administrator

UCS bietet auf allen Systemen das Kommandozeilen-Tool „univention-ldapsearch„. Damit ist es „root“ Benutzern möglich, mit dem Account des aktuellproeen UCS Systems auf das LDAP zuzugreifen. Das Tool nutzt im Hintergrund „ldapsearch„, übergibt aber die korrekten Werte für LDAP Server, LDAP Basis und Authentifikation. Es reicht also die Angabe des LDAP Filters für eine Suche:

univention-ldapsearch "(&( objectClass=person)(uid=Administrator))"

LDAP Integration

LDAP Auth Dokuwiki gegen UCS

<?php
/**
 * Univention Corporate Server configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ucs for details and explanation
 */
$conf['useacl']      = 1;
$conf['openregister']= 0;
$conf['superuser']   = '@Domain Admins';
$conf['authtype']    = 'authldap';

$conf['plugin']['authldap']['server']      = 'ldap://1.2.3.4:389';
$conf['plugin']['authldap']['starttls']    = 1;
$conf['plugin']['authldap']['usertree']    = 'cn=users, dc=basedn';
$conf['plugin']['authldap']['grouptree']   = 'cn=groups, dc=basedn';
$conf['plugin']['authldap']['userfilter']  = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(uniqueMember=%{dn})))';

$conf['plugin']['authldap']['mapping']['mail'] = 'mailprimaryaddress';>

OIDC OpenID Connect

Kopano Konnectd läuft als Docker Container

systemctl status docker-app-openid-connect-provider.service

Zugang zum Container

docker exec -it $CONTAINER_NAME sh

printenv | grep -i "identifier"
root@idp:/etc/kopano# systemctl status docker-app-openid-connect-provider.service
● docker-app-openid-connect-provider.service - LSB: Start the Container for openid-connect-provider
   Loaded: loaded (/etc/init.d/docker-app-openid-connect-provider; generated)
   Active: active (exited) since Sat 2021-08-28 08:24:23 CEST; 5s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 6322 ExecStart=/etc/init.d/docker-app-openid-connect-provider start (code=exited, status=0/SUCCESS)

und

root@idp:/etc/kopano# docker ps -a
CONTAINER ID        IMAGE                                                                         COMMAND             CREATED             STATUS                       PORTS                   NAMES
152e4906aef3        docker.software-univention.de/openid-connect-provider:2.2-konnect-0.33.11-2   "wrapper.sh"        5 weeks ago         Exited (127) 4 minutes ago                           loving_heisenberg
1f4834f74656        docker.software-univention.de/dudle:1.2                                       "/start.sh"         5 weeks ago         Up 8 days                    0.0.0.0:40001->80/tcp   romantic_dewdney
root@idp:/etc/kopano# 

Service Registrierung per shell

udm oidc/rpservice create --set name=<internal_name> \
    --position cn=oidc,cn=univention,$(ucr get ldap/base) \
    --set clientid=<client_identifier> \
    --set clientsecret=<averylongpassword> \
    --set trusted=yes \
    --set applicationtype=web \
    --set redirectURI=<URL_from_client_documentation>

Siehe https://docs.software-univention.de/handbuch-4.4.html#domain:oidc

Kopano Connect neu starten

root@idp:/etc/kopano# systemctl stop docker-app-openid-connect-provider.service

root@idp:/etc/kopano# systemctl start docker-app-openid-connect-provider.service

Daimler

curl -.v https://sso.daimler.com/.well-known/openid-configuration -H "Accept: application/json"

Netzwissen IDP

Forum

https://ucs-sso.netzwissen.de/auth/realms/forum/.well-known/openid-configuration

Owncloud2

https://owncloud2.netzwissen.de/.well-known/openidconnect/redirect

https://owncloud2.netzwissen.de/.well-known/openid-configuration

Forum

https://meta.discourse.org/t/openid-connect-authentication-plugin/103632

Mail Relay

Problem:

How can e-mails sent to system users be forwarded to another e-mail address? Solution:

The system mail inbox is generally found in the /var/mail/systemmail directory and can only be read by the root user. To forward system mails to another user, the Univention Configuration Registry variable mail/alias/root can be configured.

Additional forwarding is also possible with further UCR variables (e.g.: “mail/alias/systemmail”, “mail/alias/postmaster”).

Setting the Univention Configuration Registry variable:

univention-config-registry set mail/alias/root=<username>@<domainname>

Updating the Postfix alias database:

postalias /etc/aliases

Reloading the Postfix configuration:

postfix reload

Selbstregistrierung

  • ucs.txt
  • Zuletzt geändert: vor 6 Monaten
  • von thommie4