Technology Blog

Meet Univention: Linux Alternative To Windows Domain Controller


Univention Corporate Server (UCS) is a Linux-based solution to manage your IT infrastructure. It is close in concept to a Windows Domain Controller or a NIS server. While all the building blocks (OpenLDAP, Kerberos, Samba and so on) are largely available and already deployed on countless networks, UCS aims at lowering the entry barrier for switching to a Linux-based network infrastructure.

Instead of leaving you to tweak configuration files and handle interoperability issues yourself, UCS provides a web-based interface to manage your domain, including computers, users, shares and many other entities.

Administration screen

We talk about UCS here because this is an open source solution based on Debian. You can check out the sources from the SVN repository here. Univention promotes the use of Linux not only server-side but client-side too, since they provide very mature Ubuntu support, including image rollout and remote administration.

Discovering Univention Corporate Server

The core functionality of an enterprise server is to manage users and groups, devices (computers, printers) and network (DHCP, DNS). UCS aims at being much more than that because of its pluggable architecture. Simply put, you can add “modules” or “apps” that will add extra services to your server.

UCS is designed to operate both in a Linux-only environment and in a heterogeneous Linux, Mac OS X, and Windows environment through Samba and Active Directory support.

For Linux on the desktop, Univention provides customized Ubuntu images that can be remotely installed and maintained on the client via PXE. I didn’t test that, but apparently, you can build your own custom images, which is a must to tailor the users’ environment to their needs.

Modular design

As part of their solution, Univention UCS supports what they call “Apps”, whose goal is to add services on top of the core UCS infrastructure.

Some apps are provided and supported by Univention, others by third parties. Through apps, you can add to your UCS server support for common enterprise services such as email handling with Fetchmail and AV Mail or printing with CUPS, as well as a couple of business-oriented CMS.

Other apps may be used to improve Windows integration (Integrate UCS in existing Active Directory or Office 365 single sign-on). Finally, task-oriented apps are available too, notably to support developer tools (JIRA, Jenkins) and VM or cloud users.

Some of the applications--or «Apps»--available for UCS

Surprisingly enough, I didn’t find any database-related app. As of today, you cannot manage MariaDB or MongoDB through UCS. But this will surely come as third-party apps.

Who is behind Univention?

Univention GmbH is a Germany-based enterprise. Behind Univention, there is Peter Ganten, who is as of 2017 the chairman of the Open Source Business Alliance, a German lobbying group promoting the open-source movement.

How much does that cost?

The Univention system is based on open-source software, and you can use the “Core Edition” free of charge. Business users will probably turn toward a yearly subscription in order to have business-class support.

The subscription includes fixed yearly fees for the server and per-client license fees after the first 10 clients.

Pricing details are available on the Univention website.

First experience with UCS

In order to have a first taste of UCS, I’ve set up a small virtual network made of one server and a couple of client hosts. UCS is only available for Intel/AMD 64-bit environments, and I used QEMU/KVM virtual machines on an Intel Core i7 host for that test.

My test UCS server was installed from the just-released UCS-4.2 DVD ISO. For the clients, I used the Univention Corporate Client (UCC) module to roll out the Univention-customized Ubuntu image on them, except for one client, which was a newly installed genuine Debian Jessie system.

I reserved 2GB of RAM for the server and 1GB for each client.

My test machines

Server installation

The server installation went flawlessly, and the process should be familiar to anyone who has already installed Debian or a Debian derivative in graphical mode.

While setting up the server, you can install a couple of modules (CUPS, Fetchmail, Sendmail, RADIUS, Squid, Nagios, …). In addition, you can install the KDE desktop environment if you want to access the web-based administration interface from the server itself rather than remotely. I didn’t use that latter option myself, as I intended to access the web interface using my standard browser running on the VM host. Given the limited resources of my test system, I performed a rather minimal UCS installation.

I must say the UCS server installation and usage were incredibly easy, once I fixed a couple of initial misunderstandings:

  • The administrative account is “Administrator” — not “root”
  • Despite its name, the Univention Corporate Client (UCC) is not the client software, but a server module used to manage clients.

Could you believe it, I had to contact the Univention support to understand that! I take that occasion to thank them all, as, while I was not a paid user, the people at Univention were incredibly supportive and pointed me in the right direction.

Worth mentioning for core (aka non-paying) users: there is community support through a forum, but it was down when I started testing UCS. It was back online a few days later and has proven to be a great source of information since then, even if many threads are written in German.

UCC client installation

Once I finally understood what UCC was, installing the Ubuntu client machine was a formality. Through the UCS administration interface you “create” your computer by registering its name, MAC address, and subnet (for IP address assignment), and choose the image to install on the next boot.

Image management setup for UCC clients

You then have to ensure your client will boot via PXE, et voilà. At the next client startup, it will get a DHCP address and boot image from the server, and after confirmation, the configured disk image will be installed onto the client hard drive.

A few minutes after that you will have a working Ubuntu client that has joined the domain, and you can log into that system using the credentials of users created in the UCS administration console. Needless to say, you can install several clients at the same time.

Genuine Debian Jessie integration

Here, I must admit things didn’t go as flawlessly as before. And to be totally honest, I didn’t manage to join my Jessie system to the domain (https://help.univention.com/t/5425).

I think I was very close to doing it, but I missed something and didn’t have enough time to pinpoint my exact mistake. What is certain is it can work. UCS is based on standard technologies well supported by any Linux flavor. I’ve probably made some configuration mistake or I didn’t read the right documentation.

Speaking of that, despite its apparent simplicity, UCS remains a complex beast and you just cannot jump into that solution before reading some of the docs available on the Univention website. In addition, at least some basic understanding of the core administrative concepts is required. So, if you are looking for a no-thinking solution for your domain management, UCS is probably not for you.

But if you have some prior experience in domain administration, Univention Corporate Server is really an option to consider. In fact, while I did not know Univention a few weeks ago, as of today if I had some new domain to set up, I would seriously consider using UCS.

My opinion

I will not pretend the product is perfect. You’ve seen I had some issues. But I can say I’m rather seduced by what I saw. Because of its open source nature, because it is based on standard and interoperable technologies, because of the support and because of the great people behind that project. For me, those are really important considerations when investing in a solution.

Maybe it’s just a philosophical matter? Anyway, I prefer a hundred times over software that allows me to investigate a bug and to work with the team and community to solve my issues, rather than an opaque process where I submit some “incident report” and then have to pay or cross my fingers for “someone” to dare consider my problem for the next “service pack”. It always feels to me like the difference between a long-term vs. short-term collaboration. But let’s close that parenthesis for now.

To summarize, no doubt I will add UCS to my tool chest! But maybe you have a different opinion? Or some feedback? As always, don’t hesitate to use the comment section below to share your thoughts!
