How the City of Schwäbisch-Hall Ensures a Sustainable Open Source IT Infrastructure with the Introduction of UCS

When people think of Schwäbisch-Hall, they most likely think of the building
society of the same name or a picturesque old town (which is well worth a
visit, by the way). Maintaining the latter is just one of the many tasks of
the city administration. And the days of pencils and paper files are slowly
coming to an end here, too. Modern IT ensures that the more than 900 employees
can access their emails, appointments, contacts and files at any time and from
any place.

The town hall of Schwäbisch Hall (photo credit: Niko Kurth)


Dealing with the Past

Identities and access rights need to be managed for all employees and for all
systems used. The system used for this purpose worked very well for a long
time. Unfortunately, this system was maintained externally and there was no
in-house knowledge transfer in this regard. As a result, the IT department was
unable to build up its own knowledge for the maintenance and further
development of the system. However, open source (and the system in question
certainly falls into this category) is of little use if no one can or wants
to maintain the source code. Human resources in IT, especially in the public
sector in a rather small municipality, are very limited. Matters were
complicated further by the fact that various other programs had been added in
the meantime, which, for the reasons mentioned above, could not be managed at
all by the old system.

Identity management is not difficult; there are plenty of corresponding
systems. That is what we thought, and so we set out to find one. Schwäbisch
Hall is an open source municipality, which is why the desire for an equally
open IDM was evident. We did not want to make it a condition for the search;
the competition should give everyone a chance. Only the no-spy clause of the
BMI (the German Federal Ministry of the Interior) had to be fulfilled.
It was somewhat surprising to see that Univention was the only manufacturer to
respond positively to the request. Actually, I was surprised by the fact that
all other IDMs apparently have difficulties with this no-spy clause. And I was
even more surprised that there seem to be enough customers using such systems.

At any rate, the circumstances simplified the choice to the maximum. Looking
back, I have to admit that it was not without some pain in the stomach at
first: we would have liked to have more options at that time. But we did not
know how the migration would proceed. Now it was clear that the journey would
go in the direction of Univention Corporate Server from Univention. UCS is
open source, and its core component is a strong identity management system
that can be easily integrated with services via the company's own App Center
or interfaces, centrally administered and made available via a portal.

The Requirements

It was important for us to continue to manage user information such as group
memberships, password changes, user details, etc. in one central location. Our
previous self-developed administration system already replicated all changes
to the respective connected services. It was now our goal to make our system
future-proof and to organize the administration of the users with a
standardized procedure in a product that is continuously maintained and
supported by a manufacturer.

The Preparations

Strictly speaking, the migration began long before the actual migration: after
signing the contract, we had our first talks with the technicians from
Univention. We had a direct contact person who turned out to be immensely
competent and was thus able to quickly establish good rapport with our system
administrators. Everyone involved quickly realized that the technical basis of
our system was not so different from that of UCS. Based on this realization, a
migration plan was quickly drawn up.

The Notifier-Listener mechanism used in UCS would henceforth handle the
replication of user data to the individual services. Unlike in the past, the
central services such as LDAP, DNS, DHCP and the Samba-based Active Directory
Windows services were to be designed redundantly to ensure reliability. This
made sense because the UCS domain concept, which is based on a multi-server
approach, provides the technical basis for distributed and redundant services
right from the start.

One of the services we wanted to continue using was the OX App Suite. It was
previously running on a Dovecot server and was to be moved to UCS, also
because the Notifier/Listener-based user management, e.g. renaming or deleting
mailboxes, works with it. The existing OX App Suite was to be provisioned via
the UCS OX Connector. This makes it possible to use an OX App Suite that does
not run on a UCS system and to synchronize users and groups between the two
services.
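The two paragraphs above describe the replication job the Notifier-Listener mechanism takes over: a change to a user in the central LDAP (creation, renaming, deletion, a new mail address) is pushed by a listener module to the connected service, such as the mailbox system. The following is an added example, not code from the blog post, from the City of Schwäbisch Hall or from Univention. It follows the classic function-based UCS listener module convention (module-level `name`, `description`, `filter` and `attributes`, plus a `handler(dn, new, old)` that receives the LDAP object before and after the change as dictionaries of attribute name to a list of byte values); the `ExternalService` class is a hypothetical stand-in for the real service's administration API, and all names, addresses and the LDAP base are constructed for the example.

```python
from typing import Dict, List, Optional

# Module-level settings in the UCS listener convention. The values are
# constructed for this example. `filter` shadows the Python builtin on
# purpose: the listener reads exactly this variable name.
name = "example-mailbox-sync"
description = "Replicate user create/rename/delete to an external mail service"
filter = "(&(objectClass=posixAccount)(uid=*))"   # which LDAP objects to watch
attributes = ["uid", "mailPrimaryAddress"]       # which attribute changes trigger us

LdapObject = Optional[Dict[str, List[bytes]]]


class ExternalService:
    """Hypothetical sync target standing in for e.g. a mail server's admin API."""

    def __init__(self) -> None:
        self.mailboxes: Dict[str, str] = {}  # uid -> primary mail address
        self.calls: List[str] = []           # audit trail of replication calls

    def create(self, uid: str, mail: str) -> None:
        self.mailboxes[uid] = mail
        self.calls.append(f"create {uid} {mail}")

    def rename(self, old_uid: str, new_uid: str) -> None:
        # A renamed user keeps their mailbox; only the identifier changes.
        self.mailboxes[new_uid] = self.mailboxes.pop(old_uid)
        self.calls.append(f"rename {old_uid} -> {new_uid}")

    def update(self, uid: str, mail: str) -> None:
        self.mailboxes[uid] = mail
        self.calls.append(f"update {uid} {mail}")

    def delete(self, uid: str) -> None:
        self.mailboxes.pop(uid, None)
        self.calls.append(f"delete {uid}")


service = ExternalService()


def _first(obj: LdapObject, key: str) -> Optional[str]:
    """First value of an LDAP attribute as str; None if the attribute is absent."""
    if not obj or not obj.get(key):
        return None
    return obj[key][0].decode("utf-8")


def handler(dn: str, new: LdapObject, old: LdapObject) -> str:
    """Entry point the listener calls for every matching LDAP change.

    `new` is the object after the change and `old` the object before it; an
    empty (or None) side means the object was created or deleted. The return
    value names the replication action taken, which makes the logic testable.
    """
    new_uid, old_uid = _first(new, "uid"), _first(old, "uid")
    new_mail = _first(new, "mailPrimaryAddress")
    old_mail = _first(old, "mailPrimaryAddress")

    if new_uid and not old_uid:
        service.create(new_uid, new_mail or "")
        return "create"
    if old_uid and not new_uid:
        service.delete(old_uid)
        return "delete"
    if new_uid != old_uid:
        service.rename(old_uid, new_uid)
        if new_mail != old_mail:
            service.update(new_uid, new_mail or "")
        return "rename"
    if new_mail != old_mail:
        service.update(new_uid, new_mail or "")
        return "update"
    return "noop"


def replay_sample() -> List[str]:
    """Replay a constructed sequence of LDAP changes and return the actions taken."""
    base = "cn=users,dc=example,dc=org"  # constructed LDAP base, not a real domain
    jdoe = {"uid": [b"jdoe"], "mailPrimaryAddress": [b"jdoe@example.org"]}
    jsmith = {"uid": [b"jsmith"], "mailPrimaryAddress": [b"jdoe@example.org"]}
    jsmith2 = {"uid": [b"jsmith"], "mailPrimaryAddress": [b"jsmith@example.org"]}
    return [
        handler(f"uid=jdoe,{base}", jdoe, {}),           # new user
        handler(f"uid=jdoe,{base}", jdoe, jdoe),         # change we do not care about
        handler(f"uid=jsmith,{base}", jsmith, jdoe),     # user renamed
        handler(f"uid=jsmith,{base}", jsmith2, jsmith),  # mail address changed
        handler(f"uid=jsmith,{base}", {}, jsmith2),      # user deleted
    ]


if __name__ == "__main__":
    print(replay_sample())
    print(service.calls)
```

A real module would replace `ExternalService` with calls to the target system and, where it writes root-owned files, wrap those calls in the listener's `setuid`/`unsetuid` pair; the dispatch on `new` versus `old` is what stays the same, and it is the part worth testing before a migration weekend.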

A direct migration of all functions would have been very complex. Together
with Univention, we therefore decided to transfer the information about users,
groups and computers from the existing Samba AD to UCS using the UCS Active
Directory Takeover. It was actually designed to migrate a Windows-based
system, but was suitable for our requirements with minor adjustments. With the
takeover, all of the existing 500 client computers, in our case Linux clients,
work with the new system without any further changes. This was a prerequisite
for being able to complete the migration within the planned short timeframe.
Another positive side effect was that users would hardly notice the change,
and, once it was successfully completed, could simply log in with their
existing user names and passwords and continue to use all associated services.

To practice the migration in advance, a complete test installation was set up
in which both a digital twin of our current system and a UCS were installed.
We were thus able to run through the migration in advance together with
Univention. Once again, the now well-known advantages of virtualized
environments became apparent: not only could the test environment be set up
quickly, but it could also be easily copied or reset to an old state at any
time using snapshots and clones. For younger readers this may sound like an
everyday occurrence, but anyone who, like me, remembers the days before
virtualization will certainly understand my enthusiasm.

Through the various tests, we were able to clean up our data inventory (which
turned out to be the main source of errors during the test migrations) and
Univention prepared appropriate scripts to automate the actual migration as
much as possible later on. Previously, we had identified the data stored in
the old management system and decided what information was still needed and in
what form it should be migrated to the new system.

Here is an example: In our old system, there was a 2-factor authentication for
a login process where a login token was sent via SMS message. The mobile phone
numbers stored in the system for this purpose were to remain available and
could be easily transferred to the new system using the UCS standard function
"extended attributes".
In this way, proven individual services and the data required for them can be
transferred to the new standard system.

With these preparations and the experience gained from the test migrations, we
were able to derive a schedule for the actual migration: it would take us just
under two days. Since IT projects of a certain complexity always run
differently than planned, we added a buffer and scheduled the start for Friday
at noon. The users were informed well in advance and were regularly reminded
that no login to the system would be possible during the migration, i.e.
virtually no work at all.

The Migration - Playing for Time

Until Saturday noon everything went according to plan. In the evening there
was supposed to be a big summer fair in Schwäbisch Hall. It looked like we
could celebrate the successful completion of the project there. But then the
first problems arose: we had simply overlooked some very special use cases.
This is where the fact that our IT team is very young (in terms of years of
service) paid off: at the time of the migration, everyone involved had been
with us for less than a year. However, the problem was much older, so no one
had noticed it (yet).

Fortunately, the Univention technician with whom we had planned everything in
advance was on site during the migration. We had insisted on this. Probably
everything could have been done remotely, but it was easier this way. In the
end, thanks to his expertise, we lost less than an hour before we found the
solution. We briefly considered a rollback (we had left this backdoor open as
long as possible), but with the solution in mind, we all agreed to move
forward. This was effectively the legendary point of no return: we would not
have had time to roll back.

Implementing the solution proved to be very time-consuming: due to a lack of
preparation, we were not able to automate the process, and had to make some
manual adjustments in dozens of places. By the evening, it was clear to
everyone involved that we were losing focus. So we decided (which might
surprise the reader) to go to the summer fair. A good decision, stress was
noticeably reduced. Of course, it was not a very long evening, but it did us
good and on Sunday morning we were all back on the floor, well rested and
motivated. Almost two hours later it was clear that we were going to make it.
Around noon everything was done and the afternoon was spent in a relaxed mood,
testing what had been completed and writing down the open points (anyone who
has ever carried out a project of this magnitude knows that you never end up
with 100 percent).

Classroom with modern presentation equipment


Case of Emergency

Even though we were sure we had done a good job, I think none of us really
slept well Sunday night. We all know the situation: we have tested everything
possible, but only the hard day-to-day business will show whether it really
worked. On Monday, everyone was in the office early. We wanted to be ready for
the early birds. Of course, there were a few hiccups, but all in all it was a
relaxed Monday. At least as far as the UCS is concerned, it was followed by
many more relaxed working days until today. So far, no one in our company has
regretted the decision to make this change.

If you are interested, you can find Mathias Waack's entire talk (in German)
at the Univention Summit 2023 on our YouTube channel.

The post "How the City of Schwäbisch-Hall Ensures a Sustainable Open Source
IT Infrastructure with the Introduction of UCS" first appeared on Univention.

Posted by SourceForge Robot 2023-04-14