UCS Univention Corporate Server
- Support Wiki: https://wiki.univention.de/index.php?title=Main_Page
- User manual: https://docs.software-univention.de/handbuch-4.4.html
Access
Configuration via shell
UCR - direct configuration in the system
ucr
- Read out: ucr dump
- Set: ucr set
- Delete: ucr unset
Example: changing the IP address via the CLI.
ucr set interfaces/ens18/address='138.201.52.53'
ucr set interfaces/ens18/broadcast='138.201.52.255'
ucr set interfaces/ens18/netmask='255.255.255.192'
ucr set interfaces/ens18/network='138.201.52.1'
ucr set gateway='138.201.52.1'
ucr set nameserver1='185.12.64.2'
Then reboot. Caution: never edit /etc/network/interfaces directly, since everything is generated from templates.
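Typing network, broadcast and netmask by hand is error-prone: the four values must agree with each other or the interface comes up with a wrong route. The helper below is an added example (not part of the original notes or of UCS itself) that derives network and broadcast from address and netmask, rejects a gateway outside the subnet, and emits the matching ucr set lines; the interface name and values are taken from the example above and are only constructed input.

```python
import ipaddress


def ucr_network_commands(iface, address, netmask, gateway, nameserver):
    """Derive network and broadcast from address + netmask and return the
    `ucr set` lines for a static IPv4 interface configuration.
    netmask may be dotted (255.255.255.192) or a prefix length (27);
    both forms appear in `ucr dump` output on UCS."""
    # strict=False: address is a host address, not the network address
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside subnet {net}")
    if gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"gateway {gw} is the network or broadcast address")
    return [
        f"ucr set interfaces/{iface}/address='{address}'",
        f"ucr set interfaces/{iface}/broadcast='{net.broadcast_address}'",
        f"ucr set interfaces/{iface}/netmask='{net.netmask}'",
        f"ucr set interfaces/{iface}/network='{net.network_address}'",
        f"ucr set gateway='{gateway}'",
        f"ucr set nameserver1='{nameserver}'",
    ]


if __name__ == "__main__":
    # Constructed input using the values from the example above; the derived
    # network and broadcast differ from the hand-typed ones there.
    for line in ucr_network_commands("ens18", "138.201.52.53",
                                     "255.255.255.192", "138.201.52.1",
                                     "185.12.64.2"):
        print(line)
```

Review the printed lines before running them; the function only builds the commands, it does not call ucr.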
UDM Univention Directory Manager
Configuration of the objects in OpenLDAP. General syntax:
udm [module] [action] [option]
Example
udm oidc/rpservice create --set name=<internal_name> \
  --position cn=oidc,cn=univention,$(ucr get ldap/base) \
  --set clientid=<client_identifier> \
  --set clientsecret=<averylongpassword> \
  --set trusted=yes \
  --set applicationtype=web \
  --set redirectURI=<URL_from_client_documentation>
List objects
udm oidc/rpservice list
udm oidc/rpservice create --set "name=owncloud oidc app" \
  --position cn=oidc,cn=univention,$(ucr get ldap/base) \
  --set clientid=<client_identifier> \
  --set clientsecret=<averylongpassword> \
  --set trusted=yes \
  --set applicationtype=web \
  --set redirectURI=<URL_from_client_documentation>
Network settings
root@ucs-2370:~# ucr dump | grep interfaces
interfaces/ens18/address: 136.243.85.155
interfaces/ens18/broadcast: 136.243.85.159
interfaces/ens18/ipv6/acceptRA: false
interfaces/ens18/netmask: 27
interfaces/ens18/network: 136.243.85.128
interfaces/ens18/route/route1: net 138.201.52.40 netmask 255.255.255.248 gw 138.201.52.41
interfaces/ens18/route/route2: net 136.243.85.152 netmask 255.255.255.248 gw 138.201.52.41
interfaces/ens18/start: true
interfaces/ens18/type: static
interfaces/ens19/address: 10.10.10.17
interfaces/ens19/broadcast: 10.10.10.255
interfaces/ens19/ipv6/acceptRA: false
interfaces/ens19/netmask: 255.255.255.0
interfaces/ens19/network: 10.10.10.0
interfaces/ens19/start: true
interfaces/ens19/type: static
interfaces/handler: ifplugd
interfaces/primary: ens19
mail/postfix/inet/interfaces: 127.0.0.1
samba/interfaces/bindonly: yes
samba/interfaces: lo <interfaces/primary>
samba/register/exclude/interfaces: docker0
In short form
ucr search --brief interfaces
ucr search --brief bridge
ucr search --brief gateway
Setting static routes
https://help.univention.com/t/configuring-static-routes/8120
root@ucs-2370:~# univention-config-registry set interfaces/ens18/route/route1="net 138.201.52.40 netmask 255.255.255.248 gw 138.201.52.41"
Setting interfaces/ens18/route/route1
Multifile: /etc/network/interfaces
ifdown: interface ens18 not configured
File: /etc/dhcp/dhclient.conf
RTNETLINK answers: File exists
ifup: failed to bring up ens18
File: /etc/default/ifplugd
File: /etc/issue
File: /usr/share/univention-management-console/meta.json
File: /etc/welcome.msg
DNS settings
ucr search --brief ^nameserv dns/forward
Every change to the network has to be applied with
/etc/init.d/networking restart
LDAP search
https://help.univention.com/t/cool-solution-ldap-search-user-simple-authentication-account/11818
Searching from the shell is done with an LDAP user of type "simple authentication account".
Local search
ldapsearch -x -D uid=LDAPsearch,cn=users,$(/usr/sbin/ucr get ldap/base) -W uid=Administrator
Remote search
LDAP ports
LDAP port: 7389
LDAP port (SSL): 7636
ldapsearch -H ldap://10.10.10.17:7389 -x -D uid=LDAPsearch,cn=users,dc=netzwissen,dc=de -W uid=Administrator
UCS provides the command-line tool univention-ldapsearch on all systems. It allows root users to access the LDAP directory with the account of the current UCS system. In the background the tool calls ldapsearch, but supplies the correct values for LDAP server, LDAP base and authentication. It is therefore enough to pass the LDAP filter for a search:
univention-ldapsearch "(&(objectClass=person)(uid=Administrator))"
LDAP integration
Example REDMINE - https://help.univention.com/t/cool-solution-ldap-search-user-simple-authentication-account/11818
Dokuwiki integration
LDAP auth of Dokuwiki against UCS
<?php
/**
 * Univention Corporate Server configuration for LDAP Auth Plugin
 * See https://www.dokuwiki.org/plugin:authldap:ucs for details and explanation
 */
$conf['useacl'] = 1;
$conf['openregister'] = 0;
$conf['superuser'] = '@Domain Admins';
$conf['authtype'] = 'authldap';
$conf['plugin']['authldap']['server'] = 'ldap://1.2.3.4:389';
$conf['plugin']['authldap']['starttls'] = 1;
$conf['plugin']['authldap']['usertree'] = 'cn=users, dc=basedn';
$conf['plugin']['authldap']['grouptree'] = 'cn=groups, dc=basedn';
$conf['plugin']['authldap']['userfilter'] = '(&(uid=%{user})(objectClass=posixAccount))';
$conf['plugin']['authldap']['groupfilter'] = '(&(objectClass=posixGroup)(|(gidNumber=%{gid})(uniqueMember=%{dn})))';
$conf['plugin']['authldap']['mapping']['mail'] = 'mailprimaryaddress';
OIDC OpenID Connect
Kopano Konnectd runs as a Docker container
systemctl status docker-app-openid-connect-provider.service
Access to the container (the second command is run inside the container shell)
docker exec -it $CONTAINER_NAME sh
printenv | grep -i "identifier"
root@idp:/etc/kopano# systemctl status docker-app-openid-connect-provider.service
● docker-app-openid-connect-provider.service - LSB: Start the Container for openid-connect-provider
Loaded: loaded (/etc/init.d/docker-app-openid-connect-provider; generated)
Active: active (exited) since Sat 2021-08-28 08:24:23 CEST; 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 6322 ExecStart=/etc/init.d/docker-app-openid-connect-provider start (code=exited, status=0/SUCCESS)
and
root@idp:/etc/kopano# docker ps -a
CONTAINER ID   IMAGE                                                                         COMMAND        CREATED       STATUS                       PORTS                   NAMES
152e4906aef3   docker.software-univention.de/openid-connect-provider:2.2-konnect-0.33.11-2   "wrapper.sh"   5 weeks ago   Exited (127) 4 minutes ago                           loving_heisenberg
1f4834f74656   docker.software-univention.de/dudle:1.2                                       "/start.sh"    5 weeks ago   Up 8 days                    0.0.0.0:40001->80/tcp   romantic_dewdney
root@idp:/etc/kopano#
Service registration via shell
udm oidc/rpservice create --set name=<internal_name> \
  --position cn=oidc,cn=univention,$(ucr get ldap/base) \
  --set clientid=<client_identifier> \
  --set clientsecret=<averylongpassword> \
  --set trusted=yes \
  --set applicationtype=web \
  --set redirectURI=<URL_from_client_documentation>
See https://docs.software-univention.de/handbuch-4.4.html#domain:oidc
Restart Kopano Konnect
root@idp:/etc/kopano# systemctl stop docker-app-openid-connect-provider.service
root@idp:/etc/kopano# systemctl start docker-app-openid-connect-provider.service
OpenID discovery .well-known URLs
Daimler
curl -v https://sso.daimler.com/.well-known/openid-configuration -H "Accept: application/json"
Netzwissen IDP
Forum
https://ucs-sso.netzwissen.de/auth/realms/forum/.well-known/openid-configuration
Owncloud2
https://owncloud2.netzwissen.de/.well-known/openidconnect/redirect
https://owncloud2.netzwissen.de/.well-known/openid-configuration
Forum
https://meta.discourse.org/t/openid-connect-authentication-plugin/103632
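Before pointing a relying party at one of the discovery URLs above it is worth checking the document itself: the issuer must equal the URL the document was fetched from minus /.well-known/openid-configuration, every endpoint must be https, and RS256 must be offered for ID token signing. The checker below is an added example (not from the original notes or from any UCS or Kopano component); the sample document is constructed around the forum realm URL listed above, and its Keycloak-style endpoint paths are an assumption.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "jwks_uri", "userinfo_endpoint", "end_session_endpoint")

def check_discovery(config_url, body):
    """Check an OpenID discovery document (JSON text) fetched from config_url.
    Returns a list of findings; an empty list means the document passed."""
    doc = json.loads(body)
    findings = [f"missing required field: {k}" for k in REQUIRED if k not in doc]
    if config_url.endswith(WELL_KNOWN):
        # The relying party compares this issuer with the iss claim of every
        # ID token, so it must match the location the document came from.
        expected = config_url[: -len(WELL_KNOWN)]
        if "issuer" in doc and doc["issuer"] != expected:
            findings.append(f"issuer {doc['issuer']!r} != location {expected!r}")
    else:
        findings.append("configuration URL does not end with " + WELL_KNOWN)
    for key in URL_FIELDS:
        if key in doc and urlparse(doc[key]).scheme != "https":
            findings.append(f"{key} is not https: {doc[key]}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        findings.append("RS256 missing from id_token_signing_alg_values_supported")
    return findings

# Constructed sample modelled on the forum realm URL above; the endpoint
# paths are an assumption, not taken from the notes.
ISSUER = "https://ucs-sso.netzwissen.de/auth/realms/forum"
GOOD_URL = ISSUER + WELL_KNOWN
GOOD_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Constructed broken variant: issuer of another realm and a plain-http token URL.
_bad = json.loads(GOOD_DOC)
_bad["issuer"] = ISSUER.replace("forum", "other")
_bad["token_endpoint"] = _bad["token_endpoint"].replace("https://", "http://")
BAD_DOC = json.dumps(_bad)
```

To check a live provider, pass the URL you fetched and the response body (for example from the curl call above) to check_discovery.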
Debugging UCS
https://github.com/univention/openid-connect-provider/blob/master/app/settings
univention-app logs openid-connect-provider
Mail relay
Alias
Problem:
How can e-mails sent to system users be forwarded to another e-mail address?
Solution:
The system mail inbox is generally found in the /var/mail/systemmail directory and can only be read by the root user. To forward system mails to another user, the Univention Configuration Registry variable mail/alias/root can be configured.
Additional forwarding is also possible with further UCR variables (e.g.: “mail/alias/systemmail”, “mail/alias/postmaster”).
Setting the Univention Configuration Registry variable:
univention-config-registry set mail/alias/root=<username>@<domainname>
Updating the Postfix alias database:
postalias /etc/aliases
Reloading the Postfix configuration:
postfix reload