If you support technology that depends on CalNet tools, this is the best place to look to understand if something in the CalNet technology stack has changed and how it could be affecting your services. You can also sign up to receive notices when CalNet has a new release. To subscribe to the list, go to: https://groups.google.com/a/lists.berkeley.edu/d/forum/calnet-releases and click JOIN.
Recent Releases
April 15, 2024, 7:00 pm
CDU is the new "CalNet Directory Update" application that replaced the legacy directory update application. The purpose of this release was to roll out an enhanced CDU UI based on feedback from Usability team. CMR: CHG0037866
Services Affected:
- CDU
April 6, 2024, 9:00 am
As part of this release, we upgraded the CalNet LDAP infrastructure to DS 7.4. No impact to applications or customers was expected as we performed a rolling upgrade. CMR: CHG0037744
Services Affected:
- LDAP
April 2, 2024, 5:00 pm
In this release, the new CDU search API had a bug that needed to be patched. CMR: CHG0037803
Services Affected:
- CDU
March 28, 2024, 8:00 am
In this release, CDU was the new "CalNet Directory Update" application that replaced the legacy directory update application. CMR: CHG0037773
Services Affected:
- LDAP
- CalNet Directory Update
March 27, 2024, 3:30 pm
This release included deploying changes to BIDMS to support the new CDU launch. CMR: CHG0037772
Services Affected:
- CDU
March 27, 2024, 3:00 pm
In this release, we added a maintenance page to the legacy CalNet Directory Update (CDU) tool on the afternoon of March 27th in preparation for migrating this functionality on March 28th. On March 28th we changed this to redirect traffic to CalNet Account Manager (CAM) which is taking over this functionality. CMR: CHG0037756
Services Affected:
- LDAP
- CalNet Directory Update tool
- CAM
March 27, 2024, 6:00 am
The purpose of this release was to patch Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037776
Services Affected:
- LDAP
- Zabbix
- Duo
March 13, 2024, 7:00 am
To consolidate multiple access control instructions in LDAP in preparation for the new CalNet Directory Update tool launch, we streamlined access rules for berkeleyEduOfficialEmail, mail, and berkeleyEduAlternateID. CMR: CHG0037685
Services Affected:
- CalNet Directory
- LDAP
March 11, 2024, 9:00 am
This release included turning on UCPath messaging for UCPath release. CMR: CHG0037665
Services Affected:
- UCPath
March 8, 2024, 11:00 am
This release included turning off UCPath messaging for UCPath release. CMR: CHG0037623
Services Affected:
- UCPath
March 8, 2024, 8:00 am
The purpose of this release was to reconfigure our API gateway to allow error pass-through rather than intercepting them to reformat the errors. There was no outage, as this is a rolling NGINX reload to pick up new settings. CMR: CHG0037697
Services Affected:
March 1, 2024, 7:00 am
In this release, we added CalNet ID (berkeleyEduKerberosPrincipalString) in the set of attributes already released by the *.berkeley.edu CAS registration. CMR: CHG0037615
Services Affected:
- LDAP
- CAS
February 29, 2024, 6:00 pm
As part of this release, we removed indexes and schema attributes related to directory changes implemented during the preferred / lived name rollout. The following attributes were removed from the LDAP schema as they are either no longer in use or were replaced by other attributes:
berkeleyEduNameSalutation (1.3.6.1.4.1.4995.2.200.10.1.1.23)
berkeleyEduNameHonorifics (1.3.6.1.4.1.4995.2.200.10.1.1.24)
berkeleyEduNameGenerational (1.3.6.1.4.1.4995.2.200.10.1.1.25)
berkeleyEduFirstName (1.3.6.1.4.1.4995.2.200.10.1.1.27)
berkeleyEduLastName (1.3.6.1.4.1.4995.2.200.10.1.1.28)
CMR: CHG0037604
Services Affected:
- LDAP
February 28, 2024, 7:00 am
This release included an upgrade to CAS on the production auth.berkeley.edu cluster to 6.6.15 to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037605
Services Affected:
- LDAP
- CAS
February 22, 2024, 6:00 pm
For this release, we disabled change log indexing for our LDAP deployment. CMR: CHG0037601
Services Affected:
- LDAP
February 15, 2024, 8:00 am
This release featured the patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037590
Services Affected:
- Zabbix
- Duo
- LDAP
January 27, 2024, 8:00 am
The purpose of this release was to migrate our production LDAP infrastructure to a new security model. This involved deploying new cryptographic keys and configuring all back-end services (administration, replication) to use a new dedicated private CA model for internal operations. As part of this we also applied updates to core schema files. There were multiple restarts of each node in the cluster during the process. Services are load balanced, but due to the number of restarts required, and application pooling, some applications may experience transient outages during this process. CMR: CHG0037507
Services Affected:
- LDAP
January 26, 2024, 8:00 am
In this release, we upgraded the CalGroups test environment from 2.4 to 4.8.x. This has been done in the dev environment, and was repeated in the test environment. CMR: CHG0037518
Services Affected:
- CalGroups
- LDAP
January 25, 2024, 4:00 pm
To enable student account claim access codes from SIS, this release featured changes to a configuration flag and a restart of the CalNet Account Manager application. This did not affect Single-Sign-On. CMR: CHG0037508
Services Affected:
- CAM
- LDAP
January 24, 2024, 7:00 am
This release included the following: We removed the ds-rlim-lookthrough-limit attribute from all LDAP service accounts (binds). The attribute was deprecated. For service accounts that currently have larger query result size limits configured, we set the value on the ds-rlim-size-limit attribute which replaces the deprecated attribute. CMR: CHG0037448
Services Affected:
- LDAP
January 21, 2024, 7:00 am
In this release, we replaced the TLS certificate used by the general CalNet LDAP cluster (ldap.berkeley.edu). No interruption was expected, we did rolling restarts of the backend LDAP servers. Customers should have been aware that the intermediate / signing certificate is changing to the "InCommon RSA Server CA 2" cert. See https://berkeley.service-now.com/kb?sys_kb_id=2372590fdbfe65d0066e252b13.... CMR: CHG0037443
Services Affected:
- LDAP
December 22, 2023, 6:30 am
As part of this release, we upgraded CAS on the production auth.berkeley.edu cluster to 6.6.14 to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037417
Services Affected:
- CAS
- LDAP
December 19, 2023, 4:00 pm
This release included the following:
- New enhancement to keep reconciliation and match history in database.
- Modified the CalNet Directory Update application to remove ability to enter a name. This functionality has been moved to other places due to GRLN project.
- At time of deployment, we cleared out the legacy LDAP berkeleyEdu name values that came from the CalNet Directory Update application. These berkeleyEdu name LDAP attributes have been deprecated and are replaced by GRLN lived names. Moving forward, the appropriate name attributes for lived names are 'givenName', 'sn' and 'displayName' (standard LDAP attributes). We will utilize berkeleyEduMiddleName for lived middle names.
- After deployment (while application is back up), we updated LDAP berkeleyEduMiddleName values to contain lived middle names from UCPath and Campus Solutions.
CMR: CHG0037393
Services Affected:
- LDAP
November 30, 2023, 9:00 am
For this release, we implemented a new process for synchronizing the LDAP org units OU (ou=org units,dc=berkeley,dc=edu). This change should have been transparent to most consumers, but during the re-write we discovered that the existing process is violating our LDAP schema for the attributeberkeleyEduOrgUnitProcessUnitFlag. As part of this change, the berkeleyEduOrgUnit attribute berkeleyEduOrgUnitProcessUnitFlag no longer contains the value 1. Instead it is set to a boolean value of TRUE.
We reached out directly to the customers who may have been impacted by the change.
CMR: CHG0037354
Services Affected:
- LDAP
November 29, 2023, 7:00 am
This release featured patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037360
Services Affected:
- Zabbix
- Duo
- LDAP
November 17, 2023, 8:00 am
As part of this release, we implemented a new process for synchronizing the LDAP org units OU (ou=org units,dc=berkeley,dc=edu). This change should have been transparent to most consumers, but during the re-write we discovered that the existing process is violating our LDAP schema for the attributeberkeleyEduOrgUnitProcessUnitFlag. As part of this change, the berkeleyEduOrgUnit attribute berkeleyEduOrgUnitProcessUnitFlag no longer contains the value 1. Instead it is set to a boolean value of TRUE.
We reached out directly to the customers who may be impacted by the change.
CMR: CHG0037322
Services Affected:
- LDAP
November 15, 2023, 7:00 am
This release was to re-implement CHG0035218. Our most recent major upgrade of CAS included a different reverse proxy and we did not include the configuration described below as part of the upgrade.
We were seeing a high number of requests from a handful of misconfigured MacOS and iOS devices. These devices appeared to be configured using the Exchange mail and address book sync pointed at bMail (as opposed to using the appropriate Google sync). This was causing the clients to flood our CAS servers with invalid requests. We configured our proxies to return HTTP 400 (bad request) to these clients and prevent the traffic from reaching the CAS application.
CMR: CHG0037295
Services Affected:
- CAS
- LDAP
November 9, 2023, 7:00 pm
This release included the following:
CNR-2373: Augment web service for CDU
CNR-2369: Disregard bad messages on LdapSyncQueue
SGS: Fix triggering of bulk rematch and bulk reprovisioning from LdapSync job
Fix for sending newUid jms message
CAT: Upgrade Duo SDK library
CNR-2360: CAM: New Duo flow
CMR: CHG0037287
Services Affected:
- Duo
- LDAP
November 3, 2023, 7:00 am
In this release, we patched Shib on the production shib.berkeley.edu cluster to the 4.3.1_20231012 tag to upgrade the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037237
Services Affected:
- Shib
- LDAP
October 17, 2023, 7:00 pm
As part of this update, we upgraded CAS on the production auth.berkeley.edu cluster to 6.6.12 to apply security patches to CAS and the embedded Tomcat container. The work was done in a rolling manner to avoid an outage. CMR: CHG0037190
Services Affected:
- CAS
- LDAP
October 13, 2023, 7:00 am
This release featured patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition, we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037186
Services Affected:
- Zabbix
- Duo
- LDAP
October 8, 2023, 2:00 pm
For this release, the SIS group deployed their GRLN changes on October 8 and CalNet deployed BIDMS changes to support their launch. Changes were for writing SIS lived names to LDAP. CMR: CHG0037153
Services Affected:
- LDAP
October 8, 2023, 7:00 am
This release was related to change CHG0037153 and the SIS GRLN launch. We configured the CalNet Directory Update tool to direct students to SIS for preferred/lived name changes. This should not have impacted homecoming activities as it did not affect the CalNet systems that perform authentication and authorization to campus systems. CMR: CHG0037157
Services Affected:
- LDAP
September 27, 2023, 7:00 am
As part of this release, Duo deprecated the existing device management integrations that are used as part of new user on-boarding and self-service device management via the CalNet Account Manager (CAM). We changed both the CalNet claim process and post-claim processes for managing Duo devices. For existing users we enabled Duo's new Duo Central for device management. This required that we configure Duo SSO, Duo Central, and integrate them with our existing SAML federation. There is no expected impact to current Duo 2-step functionality as this is a separate feature. This change is to enable these features so that our developers can work on the changes to CAM. Future change requests and communications will address user impact and process changes. CMR: CHG0037120
Services Affected:
- Duo
- CAM
- LDAP
September 21, 2023, 7:00 pm
In this release, there were changes to GitHub Actions Configuration for SPA Admin App. CMR: CHG0037096
Services Affected:
- SPA Admin App
- LDAP
September 8, 2023, 7:00 am
This release featured patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0037055
Services Affected:
- Zabbix
- Duo
- LDAP
September 7, 2023, 7:00 pm
This release was an upgrade of the CalNet identity management suite that included an infrastructure change to switch to containerization of the Tomcat application server. A Tomcat upgrade was necessary to support the Spring Boot 3 upgrade, also part of this upgrade. There was a 2 hour outage associated with this release.
Release Notes:
Upgrade to Spring Boot 3
Containerization of the services Tomcat app server and upgrade to Tomcat 10 for Spring Boot 3
Support SIS Campus Solutions student claim access codes (will not be enabled until later date)
CNR-2292,CNR-2042: Remove references to affiliates OU that was removed from LDAP some time ago
CNR-2315: Give SUPPORT role ability to see the lock info on the CAT show person page
CNR-2314: Add raw SORObject view (aka 'grey arrows') back for people in the 'View' group in CAT
CNR-2320,CNR-2329: CAT lock emails going out when email button not selected
CNR-2326: Add Ucpath I-280 BUSN telephone numbers to BPR telephone table
CNR-2317: PostgreSQL 14 in development environment
CNR-2336: A nightly job to clean up the various expired token rows in BPR tables
CNR-2319: Improve error message when guest-type-potential-hire tries to claim an account
CNR-2338: CAM ClaimService isEligibleToClaimAccount needs additional checks
CNR-2344: Improve part of ucpath ddods query for efficiency
CNR-2298: Use GitHub Actions
CMR: CHG0037017
Services Affected:
- CAT
- UCPath
- CAM
- LDAP
September 3, 2023, 9:00 am
As a part of this release, we upgraded CAS on the production auth.berkeley.edu cluster to 6.6. This upgrade involved moving to a new cluster running RHEL9 and many architectural changes and underlying library upgrades. An outage was not anticipated; however, because the underlying service ticket registry cluster version was being upgraded clients who authenticate the morning of this change lost their SSO session and were required to re-auth when accessing any SSO applications after the upgrade. CMR: CHG0037004
Services Affected:
- CAS
- LDAP
July 13, 2023, 5:00 pm
For this release, we patched Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036887
Services Affected:
- Zabbix
- Duo
- LDAP
June 21, 2023, 7:30 pm
For this release, as a last step to complete CalNet's portion of the UCPath GRLN deployment, we reenabled a regularly scheduled job that requests update messages for employees. (Otherwise known as the I-371 job.) This job was disabled as part of CHG0036664 on June 16th. This CHG reenabled it after GRLN go-live. CMR: CHG0036666
Services Affected:
- UCPath
- CalNet
- LDAP
June 20, 2023, 6:00 am
For this release, UCPath launched their GRLN (Lived Name) changes and CalNet needed to deploy changes as part of the project:
#1) Turned back on UCPath data processing that was previously turned off for the UCPath GRLN downtime window that began on June 16th.
#2) Deployed code changes to adapt to the new way that UCPath would be storing lived names in the DDODS database.
#3) Deployed code changes to change how names are set in LDAP and Active Directory to align with lived names that are now stored in UCPath for active employees and UCPath affiliates. These UCPath lived names were to replace the preferred names that employees and UCPath affiliates had previously set in the Directory Update application. It was expected many names in LDAP would change due to this change.
#4) Deployed a change to the Directory Update Application hosted at directory.berkeley.edu that disallowed active employees to change their preferred name in the application and provided a link to UCPath where their name could be changed within UCPath.
CMR: CHG0036665
Services Affected:
- UCPath
- CalNet
- LDAP
- Active Directory
June 16, 2023, 3:00 pm
As part of this release, UCPath was down starting June 16th at 3pm for the GRLN rollout. At approximately the same time all UCPath data processing was shut off for the CalNet identity management system. This required an application restart. CMR: CHG0036664
Services Affected:
- UCPath
- CalNet
- LDAP
June 16, 2023, 6:00 am
As part of this release, UCPath launched their GRLN (Lived Name) changes. With this update, CalNet no longer allows the generation of preferred (display) names using the Directory Update application (directory.berkeley.edu) for anyone with a staff affiliation. CMR: CHG0036667
Services Affected:
- UCPath
- CalNet Directory
- LDAP
June 7, 2023, 7:00 pm
This release included the following:
CNR-2265 CAT, limit displayed names to preferred (lived) names unless they have specific roles to grant access to other names that may include legal names
CNR-2118 Upgrade from h2db 1.4 to 2.1
CNR-2261 ucb-bidms should use same CalnetIdRules as CAM
CNR-2167 Convert calnet-ui from using Bower to using NPM
CNR-2264 Where possible, upgrade JavaScript dependencies in calnet-ui
CNR-2122 SGS Camel xmljson functionality has been deprecated and needs to be replaced with something else
CNR-2279 Create a REST service for changing uid on namespace entries
CNR-2280 There is a CS M02-related regression bug preventing admit role being asserted in some edge cases
CNR-1955 Reassign namespace entries when merging
CNR-2288 Upgrade CAT, CAM to latest Grails version
CNR-2284 Upgrade bidms dependencies, including Spring Boot
CNR-2121 Upgrade to Camel 3 for SGS
CMR: CHG0036676
Services Affected:
- CAT
- CAM
- LDAP
June 7, 2023, 7:00 pm
There were two parts to this release:
1. We *stopped* sending the samAccountName from Active Directory back to CAS as the asserted principal user ID. Instead, CAS now uses the user-supplied account name for attribute lookups after authentication is successful.
2. We configured CAS to check both the sAMAccountName and the alias section of the userPrincipalName during authentication (i.e. alias@BERKELEY.EDU(link sends e-mail)).
CMR: CHG0036702
Services Affected:
- CAS
- LDAP
June 1, 2023, 5:00 pm
This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036705
Services Affected:
- CAS
- Grouper
- LDAP
- Shibboleth
April 20, 2023, 5:00 pm
This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036590
Services Affected:
- CAS
- Grouper
- LDAP
- Shibboleth
April 19, 2023, 5:00 pm
This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036589
Services Affected:
- CAS
- Grouper
- LDAP
- Shibboleth
March 28, 2023, 7:00 pm
As part of this release we removed the displayed userName from the default login and logout CAS pages. While these pages only allowed an authenticated user to see their own userName (e.g. CalNet ID), they also allowed accounts authenticated via trusted third-party sites to see their userName. This could have been undesirable in some cases. CMR: CHG0036528
Services Affected:
- CAS
March 23, 2023, 7:00 pm
This release involved patching of Red Hat Enterprise Linux servers to address errata published by Red Hat. This included bug fix, security, and enhancement updates to packages maintained in official Red Hat repositories. In addition we applied patches as needed from custom repositories for Zabbix and Duo. CMR: CHG0036457
Services Affected:
- CAS
- Grouper
- LDAP
- Shibboleth
March 16, 2023, 7:00 pm
This release upgraded our SAML IdP from 4.2.1 to 4.3.0 to address minor security vulnerabilities and ensure we are on the latest version. No outage was expected. CMR: CHG0036456
Services Affected:
- Shibboleth
March 15, 2023, 7:00 am
This release moved the current CalNet Directory Update application to a new host to help decommission the existing host. This involved a temporary redirect of the current http://directory.berkeley.edu(link is external) "Update your listing" link to the new URL. We requested that Public Affairs update that link at their leisure once we were confident the new host was working as expected with the temporary redirect. CMR: CHG0036451
Services Affected:
- CalNet Directory Update Application
March 12, 2023, 7:00 am
This release included changes to the underlying algorithm for storing hashed passwords for LDAP service accounts in ldap.berkeley.edu. CMR: CHG0036431
Services Affected:
- LDAP
March 2, 2023, 7:00 pm
This release included a configuration and restart for the new Cirrus API key. There was a brief outage associated with this release. CMR: CHG0036421
Services Affected:
- Cirrus
February 9, 2023, 1:00 pm
This release involved an enhancement/bug fix release for the CalNet BIDMS application suite. CMR: CHG0036376
CNR-2232: Improve the access denied error message for SPAs
CNR-2242: Fix AD error when locking expired people
CNR-2243: Remove unneeded reconciliation page cache
CNR-2250: Add clarifying log entries about AD passphrases when locking accounts
CNR-2251: Expand list of reserved CalNetIDs to align with bConnected
CNR-2252: Fix recognition of certain AD errors in setting passphrase
CNR-2253: (Test environment) Fix GreenMail plugin
CNR-2255: Fix displaying error message when invalid identifier type is selected on passphrase reset page
CNR-2256: Cirrus is requesting new credentials for their API endpoint
Services Affected:
- Special Purpose Accounts
- Active Directory (AD)
January 29, 2023, 7:00 am
This release performed maintenance recommended by our vendor to address some lingering error messages in our logs. The process was to reset the 'generation ID' of our replication domain to ensure any stale entries were not replicated. CMR: CHG0036342
Services Affected:
- LDAP
January 23, 2023, 5:00 pm
This release applied a required certificate update on the Apache ActiveMQ server used by CalGroups and the Berkeley Person Registry. CMR: CHG0036289
Services Affected:
- CalGroups
- Berkeley Person Registry
January 10, 2023, 5:00 pm
This release involved cadds enhancements to the BIDMS lock API that is needed for locking accounts in large batches. CMR: CHG0036286
Services Affected:
- CalNet Admin Tool (CAT)
- LDAP
- CalGroups API