
UDM Blocklists: Take Control of User Properties in UCS Environments

Have you ever faced the challenge of ensuring certain user properties, like
usernames or email addresses, remain off-limits for future accounts after
deleting a user? The new blocklist feature in Univention Corporate Server
Version 5.0-6-erratum-974 is the solution. This article takes a closer
look at UDM blocklists.

A Quick Look at the Basics

Blocklists are an essential tool for administrators, enabling them to
proactively prevent the reuse of user or group properties. Imagine keeping
previously used values like email addresses or usernames locked for a set
duration. This function becomes a cornerstone in larger UCS environments,
where the cycle of creating and deleting accounts is a regular affair.

So, what exactly are user or group properties? We're talking about crucial
details such as the username (username), first and last names (firstname,
lastname), the password (password), and, importantly, the primary email
address of a user account (mailPrimaryAddress), along with the email address
associated with a group (mailAddress).

You can place any of these properties on one or more blocklists to prevent
their reuse. Picture this scenario: in your organization, there’s an employee
named Anna Alster with the email a.alster@organisation.de. When Anna leaves
the company, her email address, along with her user account, is deleted. Fast
forward a few weeks, and a new colleague, Anita Alster, joins the team.
According to company policy, she's assigned the same email address:
a.alster@organisation.de. This could lead to an uncomfortable situation where
Anita might access Anna's "old" emails.

With the introduction of the new blocklists in the Univention Directory
Manager (UDM), you can avert such scenarios with ease. Administrators have
the power to specify in advance which properties are off-limits for reuse and
for how long. Once set, the system seamlessly handles the rest.

This article presents the new feature in detail, guiding you through the steps
to create, edit, and delete these blocklists. Whether you prefer the intuitive
Univention Management Console (UMC) or the command-line agility of the udm
tool, managing these lists is straightforward and efficient.

How to activate Blocklists and configure the Cron Job

To use the new blocklists, start by updating all UCS systems where you manage
UDM objects. It's crucial to have the latest UCS version, 5.0-6-erratum-974,
running on all your machines. Don't forget to install any available package
updates for each computer too. Conveniently, both these tasks can be
effortlessly completed through the Software Update module in the Univention
Management Console.


Next, edit the necessary UCR variable. Navigate to the System / Univention
Configuration Registry
module and look for the
directory/manager/blocklist/enabled entry. Change this variable to true and
then save your changes.


After activating the blocklists, the next step is to set a duration for each.
This duration determines how long each block remains effective. Once the
specified period expires, the system automatically clears the entries from the
blocklist. This removal process is managed by a script, triggered by a cron
job every morning at 8 a.m. If you need to adjust this timing, simply edit the
UCR variable directory/manager/blocklist/cleanup/cron and input the desired
time in crontab syntax in the Value field.

The next two sections will guide you through configuring the blocklists
yourself. We'll cover two methods: first via the Univention Management Console,
then on the command line.

Configuring Blocklists via UMC

To manage your blocklists, start by accessing the Domain / Blocklists
module. This is your hub for creating new blocklists, as well as editing or
deleting existing ones. To initiate a new list, simply click on Add. For
this new blocklist, you'll need to make some key entries:

  • Name: Choose an easily identifiable name for your blocklist. A descriptive, unique name is best, especially if you'll be managing multiple blocklists.
  • Retention time for objects in this blocklist: In this field, specify the length of time the block should remain in effect. This duration is critical; once it's surpassed, the blocked entry will be automatically removed from the blocklist. Use time units like y (years), m (months), and d (days) to define this period. For example, entering 2y3m1d keeps a blocked value locked for 2 years, 3 months, and 1 day.
  • In the Properties to block section, your task is to specify which properties need to be locked from reuse. This is where you identify the UDM modules and their corresponding properties. For instance, if you aim to block the reuse of primary email addresses for user accounts, simply enter users/user in the UDM module field and mailPrimaryAddress as the property.
  • If you need to block additional properties, simply click the plus sign located just below the input fields. This allows you to add more modules and their respective properties to the same blocklist. For example, to block an email address used by a group, add groups/group as the module and mailAddress as the property.


Once you’ve configured the blocklist to your needs, click Save to finalize
your changes. Remember, the Domain / Blocklists module in UMC isn’t just for
creating new lists. You can return to this module anytime to make adjustments
or delete existing blocklists.
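To make the behaviour described above concrete, here is a small Python model of a blocklist, written for this article as an added illustration and not part of UCS or UDM: it parses the y/m/d retention syntax, reserves released property values when an object is deleted, reports conflicting values for a new object, and expires entries the way the cleanup cron job does. The calendar-month arithmetic and the exact-value matching are assumptions, not UDM's implementation.

```python
import calendar
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

def parse_retention(spec):
    """'2y3m1d' -> (2, 3, 1); units may be omitted but must stay in y, m, d order."""
    match = re.fullmatch(r"(?:(\d+)y)?(?:(\d+)m)?(?:(\d+)d)?", spec)
    if not spec or not match:
        raise ValueError(f"invalid retention time: {spec!r}")
    return tuple(int(g or 0) for g in match.groups())

def expiry_date(start, spec):
    """start + retention. Assumption: calendar months, day clamped to the month's length."""
    years, months, days = parse_retention(spec)
    year, month0 = divmod(start.year * 12 + start.month - 1 + years * 12 + months, 12)
    day = min(start.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day) + timedelta(days=days)

@dataclass
class Blocklist:
    name: str
    retention_time: str
    blocking_properties: set                      # {(udm_module, property)}, the "Properties to block"
    entries: dict = field(default_factory=dict)   # (module, property, value) -> expiry date

    def release(self, module, props, released_on):
        """An object is deleted: each blocked property value stays reserved until its expiry."""
        for prop, value in props.items():
            if (module, prop) in self.blocking_properties and value:
                self.entries[(module, prop, value)] = expiry_date(released_on, self.retention_time)

    def conflicts(self, module, props, today):
        """Values a new object may not use on `today`; an empty list means creation may proceed."""
        return [(p, v) for p, v in props.items()
                if self.entries.get((module, p, v), today) > today]

    def cleanup(self, today):
        """What the daily cron job does: drop expired entries and report how many were removed."""
        before = len(self.entries)
        self.entries = {key: exp for key, exp in self.entries.items() if exp > today}
        return before - len(self.entries)

def anna_anita_scenario():
    """The article's case: Anna's address is released; Anita may not reuse it for a year."""
    bl = Blocklist("mail", "1y", {("users/user", "mailPrimaryAddress")})
    bl.release("users/user", {"mailPrimaryAddress": "a.alster@organisation.de"}, date(2024, 3, 1))
    anita = {"username": "anita", "mailPrimaryAddress": "a.alster@organisation.de"}
    early = bl.conflicts("users/user", anita, date(2024, 4, 15))   # still blocked
    bl.cleanup(date(2025, 3, 1))                                    # cron run on the expiry day
    return early, bl.conflicts("users/user", anita, date(2025, 3, 1))
```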

Configuring Blocklists via Command Line

For those who prefer working outside the web interface, the Univention
Directory Manager (UDM) offers a powerful command-line alternative to manage
blocklists. Known as univention-directory-manager, or simply udm, this
tool requires root privileges for operation. One of the key advantages here is
that both UMC modules and UDM provide access to the same domain administration
modules. This means you get the same functionality through the command line as
you would in the web interface. To explore the range of capabilities and
options available, just type udm --help. This command brings up a
comprehensive list of all supported parameters and options.


When managing blocklists via the command line, use the command
udm blocklists/list along with its subcommands to efficiently handle different
tasks. These subcommands include:

  • create: Creates a new blocklist.
  • modify: Make changes to an existing blocklist.
  • remove: Delete a blocklist.
  • list: View all the blocklists that currently exist.

To create a new blocklist that excludes a username from reuse for one year,
you'll need to define several parameters in your udm blocklists/list
command. Start with a name for the list using --set name=, followed by the
time period for the block with --set retentionTime=, and then specify the
UDM module and property with --append blockingProperties=. Enclose any
expressions with spaces and special characters in double quotation marks.
Thus, the complete udm command to achieve this would look as follows:

udm blocklists/list create --set name=Benutzername --set retentionTime=1y --append blockingProperties="users/user username"

When you list the existing blocklists, you’ll see not only this newly created
list but also all entries that have been made through the Univention
Management Console.


To delete a blocklist on the command line, use the remove command, the
--filter name= parameter, and enter the list's name:

root@ucs-7559:~# udm blocklists/list remove --filter name=Benutzername

Keep in mind, if the list name contains special characters or spaces, it’s
important to enclose it in double quotation marks.

Test Run: User Name Reuse Strictly Prohibited!

If you attempt to assign a user property that's currently on a blocklist, the
system will promptly notify you. The image below illustrates this: it shows an
attempt to create an account with the name hej. However, this action is
prevented by an existing blocklist that restricts the use of already assigned
usernames for one year:

[![benutzername-blockliste](https://www.univention.de/wp-content/uploads/2024/04/benutzername-blockliste-1.png)](https://www.univention.de/wp-content/uploads/2024/04/benutzername-blockliste-1.png)

Effortless and Intelligent Administration Made Easy

The new UDM blocklists are an invaluable asset for user administration. They
equip administrators with a robust tool to effectively manage the reuse of
sensitive user properties, including email addresses and usernames. This
feature plays a crucial role in minimizing potential mix-ups and enhancing
security.

Got questions or feedback about the new blocklists? Dive into our manual for a
detailed guide on using blocklists in the chapter titled Prevent reuse of
user property values. For insights into the command line tool udm,
refer to the Command line interface of domain management (Univention
Directory Manager) chapter.

Image source: Icon created by Octopocto from flaticon.com

The post UDM Blocklists: Take Control of User Properties in UCS Environments
first appeared on Univention.


Posted by SourceForge Robot 2024-04-15
