Release Notes - Version 5.0
This is the first release for CentOS 9. Version 5 of all server products (TeamDrive Registration Server, TeamDrive Host Server and TeamDrive Web Portal) is required for CentOS 9.
5.0.2 (2025-09-09)
This release includes a number of security improvements, including certain hardening measures. Please contact TeamDrive for further details.
Added FORWARD_INVITATION_TIMEOUT Provider setting (REGSERVER-1909). This setting specifies the time (in minutes) that a forwarded Space invitation is retained, after the user that is to receive the invitation has registered. This ensures that a user will receive the invitation after registration, even after the first installation is unsuccessful for some reason (see FORWARD_INVITATION_TIMEOUT for details).
During setup, the TDNS Domain will now be set to the default: tdns.teamdrive.net (REGSERVER-1912).
A list of “outgoing” IP addresses can now be specified for a Registration Server (REGSERVER-1906). NOTE: This feature requires TDNS version 2.6.2.
The IP address list is used to verify the identity of calls coming from the Registration Server. Inter-Registration Server calls will now fail authentication if the IP list is set for a Registration Server and a call from that server does not include the IP address used by the server to make outgoing calls (REGSERVER-1834).
If the outgoing IP list of the server is not set, then a warning is issued if the outgoing IP address does not match the IP address of the Registration Server domain.
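The outgoing IP check described above, sketched as an added example (this is not TeamDrive code). It assumes the list is a comma-separated set of single addresses, that the call's source address is what gets compared, and that the domain's addresses are resolved beforehand; all function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so that a
    dual-stack listener and an IPv4 list entry compare equal."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def parse_ip_list(raw):
    """Assumed format: comma-separated single addresses. A malformed entry
    raises ValueError so a broken list is noticed rather than ignored."""
    return {normalize(item) for item in (raw or "").split(",") if item.strip()}


def check_caller(source_ip, outgoing_ip_list, domain_ips):
    """Return (decision, reason) for an inter-server call.

    decision is "accept", "reject" or "warn" (warning issued; the release
    notes do not say that the call fails in that case).
    """
    try:
        src = normalize(source_ip)
    except ValueError:
        return ("reject", "unparsable source address")

    allowed = parse_ip_list(outgoing_ip_list)
    if allowed:
        # List is set: only listed addresses authenticate, even if the
        # source happens to match the server's domain.
        if src in allowed:
            return ("accept", "source is in the outgoing IP list")
        return ("reject", "source is not in the outgoing IP list")

    # List not set: fall back to comparing with the domain's address(es).
    if src in {normalize(a) for a in domain_ips}:
        return ("accept", "list not set; source matches the server domain")
    return ("warn", "list not set; source differs from the server domain")


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    domain = ["198.51.100.7"]
    for src, ip_list in [
        ("192.0.2.10", "192.0.2.10, 2001:db8::10"),
        ("::ffff:192.0.2.10", "192.0.2.10"),
        ("198.51.100.7", "192.0.2.10"),
        ("198.51.100.7", ""),
        ("203.0.113.5", ""),
    ]:
        print(src, repr(ip_list), "->", check_caller(src, ip_list, domain))
```

The third sample is the case that changes operationally: once a list is configured, a server that moves to a new egress address is rejected until the list is updated, even when the address matches its domain.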
Fixed forwarding of “store-forward” invitations when the user registers on a Registration Server different from the server belonging to the inviting user (REGSERVER-1914).
Fixed the “getspacedata” API call: the nested <teamdrive>...</teamdrive> tag embedded in the reply has been removed (REGSERVER-1915).
Fixed loading error when both the Master Registration Server is disabled and communication with all other Registration Servers is disabled (REGSERVER-1918).
Secure TLS connections are now supported by LDAP External Authentication (REGSERVER-1919). In the ldap_config.php file set $ldap_use_tls = true; for example, after $ldap_server_port is set:
    ...
    $ldap_server_domain = "localhost";
    $ldap_server_port = "389";
    $ldap_use_tls = true;
    ...
Fixed session based implementation of LDAP External Authentication service (REGSERVER-1922). The TeamDrive client was displaying the message “Login Failed”, even after a successful login.
Due to an incorrect database configuration, the error “License exceeded permitted usage” when creating a user could lead to the user being created without a license and without a TDNS entry (REGSERVER-1901).
Changes to the list of languages, i.e. *_ALLOWED_LANG Provider settings (REGSERVER-1933):
- When creating a Provider the default language specified will automatically be converted to lower-case, and the country specifier will be removed, for example: “en-us” –> “en”.
- When creating a Provider, the *_ALLOWED_LANG setting will be set to “en, de, <default-lang>”, where <default-lang> is the default language specified (unless default is “en” or “de”).
  Note that the Registration Server does not check if templates exist for the default language specified when creating a new Provider.
- On upgrade to version 5.0.2, “en” and “de” will be added to the *_ALLOWED_LANG settings for all Providers.
LDAP External Authentication: the value v2,v1 for the configuration setting $prev_user_secret_ver is deprecated. Use v1->v2 in place of v2,v1.
Note, if v2,v1 (v1->v2) has been used for quite a while (several years) then it may be possible to “upgrade” to $prev_user_secret_ver = "v2". This will enable User Secret v3 generation, while still upgrading from User Secret v2. Space keys encrypted with the Version 1 User Secret will no longer be accessible; however, the upgrade to version 2 should have largely taken place after the last few years.
Added Provider setting ALLOW_SPACE_NAME_STORAGE, which determines whether the option to store Space names on the Host Server is available (REGSERVER-1932). See ALLOW_SPACE_NAME_STORAGE for details.
Renamed setting StoreRegistrationDeviceIPinSeconds to IPAddressStoreTime (REGSERVER-1935). The default value is 7 days. On upgrade to version 5.0.2, this value will be set to 7 days, if the setting is higher than 7 days.
The auto-task “Delete Client IPs” has been renamed to “Remove IP Addresses”, and will now delete IP addresses stored by the Registration Server, in general.
Admin Console
Improved the loading time of the Edit User page in the Admin Console, and fixed other slow queries (REGSERVER-1913).
Admin Console: Account managers are no longer allowed to remove Licenses or Depots from their accounts (REGSERVER-1908). Provider level privileges are now required to remove these objects.
Admin Console: the User Edit page now includes a change history of the user (REGSERVER-1890). Details tracked include:
- the user’s email address (REGSERVER-1905),
- enabling and disabling the user,
- forced relogin and password reset,
- enabling and disabling 2-Factor and external authentication,
- enabling and disabling the Key Repository and Super PIN, and
- other details such as Provider, department and language.
Fixed the Edit HTML template tab in the Admin Console and added [[YEAR]] variable to the “ref-file” HTML template (REGSERVER-1921).
Admin Console login, with 2FA enabled (LOGIN_TWO_FACTOR_AUTH set to True), was not working for login as a regular user (login as Provider was working) (REGSERVER-1923).
Admin Console, changes to “Provider Settings” page:
- Added a “Comment” field to the Provider record (REGSERVER-1842). This field may be used to describe the use or purpose of the Provider.
- Consolidated the “Address”, “PostalCode”, “City” and “Country” fields into one multi-text field.
- A user with the PROVIDER-READER privilege can now view the “Provider Settings” page.
User, Depot or License references incorrectly set to “NULL” are now displayed and saved as an empty reference (REGSERVER-1926).
All entries of the Admin Console event log (TD2EventLog) were not being cleaned up correctly after session timeout (REGSERVER-1936).
Admin Console: the Super PIN and Local encryption controls at the user level will now be disabled, depending on whether the Super PIN or Local encryption is required at the Account level (REGSERVER-1940).
For example, previously it was possible to disable the Super PIN at the user level, even when the Super PIN was enabled at the Account level. This would lead to the Super PIN being disabled, and then immediately reenabled.
Admin Console, User Edit page: the “Accounts” field now displays a dialog containing a list of “Managed Accounts” if the total number of accounts of the user exceeds 4 accounts (REGSERVER-1941). In addition, the accounts are ordered by Account number.
Setting “Holder Email” on the Edit License page was not working (REGSERVER-1944); this has been fixed.
Added a change history to Accounts (REGSERVER-1939). The “Change History” button in the “Super PIN” details has been removed, and the changes are now listed with all other account changes at the end of the “Edit Account” page.
Email Processing
Added FailedEmailTimeout setting (REGSERVER-1936). Emails that have failed, bounced or been blacklisted will be removed from the Email log after the time specified by this setting. The default is 180 days.
If an email is set to “Soft-bounced” then the Registration Server will pause sending emails for 25 hours (REGSERVER-1902). After that the next pending email will be sent (emails already marked as Bounced will not be retried). If successful the Soft-bounced status will be removed.
Fixed various problems with email hooks, see settings EmailHookIPList and EmailHookURL (REGSERVER-1920). The processing of calls to the email hooks from the external Email Service, and forwarding of hook calls to other Registration Servers was not working correctly.
Fixed the missing code in the URL of the email sent to confirm a request for user account deletion (REGSERVER-1929).
Sending emails to a user can be suspended for 2 reasons:
- The “Bounced” status has been set for the user’s email address, and
- there are “Email Service Errors” referencing the user’s email address.
In both cases the Admin Console will now indicate an Email status error and allow a “Confirmation Email” to be sent to the user (REGSERVER-1943). Previously this was only done in the case that the “Bounced” status was set.
5.0.1 (2025-02-11)
An expiry date may not be set on a default license. The Admin Console now enforces this restriction (REGSERVER-1883). If a license is expired you can no longer change the features or status of a license.
Although this should never be the case, if an expired license is in use then the license features are automatically set to the default license features specified by DEFAULT_FREE_FEATURE or DEFAULT_ACCOUNT_FEATURE (if the user is a member of an account).
Note that an expired license should never be in use because the license of a user is changed to the user’s default license when a license expires. This is done by the “Expire Licenses” auto-task.
When deleting a user a new checkbox allows you to specify whether to send an email notification to the user (REGSERVER-1886). Previously this was determined automatically by the ADMIN_CONSOLE_SEND_EMAIL setting.
By default the checkbox will be unchecked if the user was last active over 1 year ago. If more recently active the default for the checkbox is determined by the value of ADMIN_CONSOLE_SEND_EMAIL.
Admin Console: the “More Info” buttons have been removed from the user and licenses lists. All information is now available from the corresponding “Edit” page.
The “Username” field in support emails was incorrectly set to the support email address when the user has no username (REGSERVER-1877).
The Key Repository display in the Admin Console now shows the modification time instead of the creation time of the RSA key (REGSERVER-1891?). Note that the modification time is that of the private keys associated with the RSA public key. Public keys are never changed.
Added API functions “getspacedata” and “deletespace” (REGSERVER-1893). See documentation: getspacedata and deletespace.
Fixed “permission to set domain denied” when enabling a domain on the Master Registration Server (REGSERVER-1898).
The Admin Console will now display critical information regarding Depot storage limit overflow (HOSTSERVER-953). This includes information as to the “frozen” state of a Depot which occurs when storage limit is exceeded by a certain amount.
External Authentication
- Improvement to security of session based external authentication (REGSERVER-1900). An “encrypted session ID” is now used to initiate the authentication session. This ensures that no useable data appears in the Apache access log of the External Authentication Service.
- Multi-language support: TeamDrive External Authentication Services now support both English and German (REGSERVER-1903).
- Fixed a problem when entering a Space marked “2FA required” on the Web Portal, when 2-Factor authentication is performed by the External Authentication Service (REGSERVER-1887). This fix also requires a client update.
Licenses and Devices
The setting InviteOldDevicesPeriodActive has been renamed to DeviceInactiveTimeout to indicate the fact that devices that have not been used for the specified period are considered generally “inactive” or not in use. Inactive devices do not receive invitations and the user will not be notified (by email) if an inactive device is disabled (or enabled) due to the device limit of a license.
Implemented a “soft limit” option for the device limit specified by the MAXIMUM_DEVICES_PER_USER Provider setting (REGSERVER-1895). The soft limit is indicated by prefixing the value with a ‘~’ character, for example: “~5” means a soft limit of 5 devices per user. Soft limit in this case means that the limit is only enforced if a user does not already exceed the specified limit (see MAXIMUM_DEVICES_PER_USER for details).
It is now possible to create “device based” licenses (REGSERVER-1894). These licenses may only be used by one user and limit the number of active devices of the user.
If the number of devices exceeds the limit, excess devices are disabled automatically starting with the devices that have been idle for the longest time.
Shop References
Licenses, depots, users and accounts now have a “shopreference” which is used instead of the standard external reference, if the license or depot is referenced by an external Shop system (REGSERVER-1881).
For licenses, in addition to “contractnumber” the fields “contractstatus” and “contractenddate” may also be set using the API. These fields, including the “shopreference”, may be set when a license is created (“createlicense” API call) or using the “setlicensecontract” API call.
The depot “shopreference” may be set using the “createdepot” and “updatedepot” API calls.
The setting API_ADMINCONSOLE_LIC_REF has been renamed to ADMIN_LICENSE_REFERENCE.
In the Admin Console, when editing a license or a depot, the “Change Comment” field no longer has a pre-filled value. A change comment must be entered in order to modify certain fields of a license or depot.
If a license has a Shop reference, changes to the license contract number will not cause an email to be sent to the license owners or users. In general, changes to the contract details will not result in an email, as it is assumed the user is aware of the changes done in the Shop.
The following API calls now support the <shopreference> tag: “registeruser”, “updateuser”, “createdepot”, “updatedepot”, “createlicense”, “setlicensecontract”, “createaccount”, “updateaccount”.
Bounced Email Handling
A number of changes have been made to the handling of bounced emails (REGSERVER-1880):
Once the email status of a user account has been set to “Bounced” the status can only be reset by sending the user a “Confirmation Email”.
The user must click the link in the email in order to reset the email status before the Registration Server will resume sending emails to the user. This still applies if the user changes their email address. In this case the user will first receive an associated “Email Change Confirmation” email.
The setting ResetEmailLimit has been added. By default it is set to 20. The purpose of this setting is to avoid flooding the user’s inbox when the status of a large number of emails is reset. This is done by setting older emails to the “PAUSED” status.
When the user clicks on the link in the Confirmation Email, all emails that have an error status are reset. If the number of emails reset exceeds ResetEmailLimit then the excess emails are “paused”.
The PAUSED status must be manually removed using the “Unpause Email” button available on the Email list in the user’s account. The status of any email can also be reset in the global “Mail Queue”, on the “View Mail Queue” page in the Admin Console.
There are a number of new functions available when you open the Mail Queue on the “Edit User” page in the Admin Console:
- Delete All: This button will delete all emails in the user’s Mail Queue.
- Delete Failed Emails: This will remove all emails with an error status, including: Send-Error, Email-Bounced, Fatal-Error, Incorrect-Address.
  If you wish to retry sending emails that are in error you must send a “Confirmation Email” to the user. See “Set Bounced Status” below.
- Unpause Emails: If you have paused emails, use this button to manually unpause up to ResetEmailLimit emails.
- Manage Emails...: If you have the required privileges, this will take you to the “View Mail Queue” page in the Admin Console, and display the current user’s emails.
The “Set Bounced Status” has been added to the “Edit User” page. The “Bounced” email status must be set on the user’s account before you can send a “Confirmation Email” to the user. As described above, clicking on the link in the email will reset the status of all emails in the user’s Mail Queue.
If the email server is not reachable, the email will not remain in the “To-Be-Sent” state (REGSERVER-1882). Errors of this form include “Could not resolve host”, “Host not reachable” and connection timeouts. When such an error occurs, the “Send Emails” autotask will quit, and try to send the same email again on the next run.
Fixed a bug that resulted in the Reg Server background process hanging (infinite loop) when forwarding an email notification, if the user/email could not be found on the TeamDrive network (REGSERVER-1885).
5.0.0 (2024-08-01)
The “standalone” version of the Registration Server is no longer supported (REGSERVER-1823). This means that a Registration Server must always be connected to a TDNS (TeamDrive Name Server) instance. The options on setup of a new server are “Standard” or “Master” Registration Server.
A Provider may now specify that manual activation of devices is required (REGSERVER-1854). This feature is enabled by setting the Provider setting MANUAL_ACTIVATION_REQUIRED to True. See Requiring Manual Activation of Devices for a detailed description of this feature.
Added a new Provider setting: NEW_DEVICE_NOTIFICATION_LIST, which is a list of users to be notified when a new device is installed.
The server now supports paging when fetching a large number of keys from the Key Repository (REGSERVER-1849). This fixes problems involving accounts with over 1200 spaces, but also requires a TeamDrive Client update (TDCLIENT-3241).
Added setting AssumeHttpsAccess (REGSERVER-1848). If set to True then the Registration Server will assume that clients are using HTTPS to connect to the server (see AssumeHttpsAccess for details).
Added new email template: “public-file-download” (HOSTSERVER-905). This is sent to notify users that a public file has been downloaded.
Changed the “From:” on license report emails from the Provider email address to the EMAIL_SENDER_EMAIL Provider setting (REGSERVER-1838).
API: The <shadowkeyhash> tag is now returned by several API calls (“loginuser”, “getuserdata”, “registeruser”, “verifyauthorizationtoken”, “getinboxkeyseq”, “authenticateuser”) so that the caller can detect a change of the user password, or an explicit logout (REGSERVER-1850).
Improved handling of various 2-Factor Authentication (2FA) flags (REGSERVER-1863). In general the rules are as follows:
- Explicit DISABLE on the account level overrides everything (but cannot disable 2FA done by the External Authentication Service).
- Explicit ENABLE (Email OTP, Google Authenticator or MS Authenticator) overrides everything (which means if 2FA is done by the External Authentication Service, then 2FA will be performed twice).
- Otherwise:
  - If 2FA is done by the External Authentication Service, then this disables the account level settings, but not the user level setting (see above).
  - If 2FA is enabled on the account level, then this applies.
  - If 2FA is enabled for Web logins only, on the account level, then this will be applied.
Added support for updating the public/private keys of old TeamDrive client installations (REGSERVER-1873). Update to client version 5.1.2 is required.
Settings that allow the use of HTTP rather than HTTPS have been deprecated (REGSERVER-1865). This means HTTPS is now used by all URLs that reference the server and the setting EnforceHttps has therefore been removed.
The Provider settings REG_SERVER_PROTOCOL and HOST_SERVER_PROTOCOL will be removed in a future version. These settings are now hidden (not visible in the Admin Console), and are set to “https” during the server upgrade process.
These settings control the protocol used by the TeamDrive clients when accessing all Registration and Host Servers. This change ensures that there are no longer any exceptions and all clients belonging to the Registration Server will use HTTPS when accessing TeamDrive servers.
The setting SimulateRegServer20 is deprecated and has been removed. Compatibility with TeamDrive 2.0 clients is no longer guaranteed by the Registration Server. Please upgrade to the latest version as soon as possible.
Fixed error: “Parameter login-url value missing” when creating a Web Portal service (REGSERVER-1847).
Security
Support HMAC hashing based keys for the Host Server API access (REGSERVER-1826).
It is now possible to set the Authorisation Type on services belonging to other Registration Servers (REGSERVER-1825). This applies to Shop and Web Portal services that are referenced using the SHOP_SERVICE_NAME and WEBPORTAL_SERVICE_NAME Provider settings.
In other words, if you have a Shop or Web Portal that provides services to multiple Registration Servers, then the authorisation type and key can be specified separately for each Registration Server.
The “References” column has been added to the Service list in the Admin Console, which indicates references to a service from other Providers. This column is only filled after a Registration Server update.
Added support for Microsoft Authenticator App for users that require 2-Factor authentication (REGSERVER-1861). This feature requires a client update.
The Registration Server no longer supports the Diffie-Hellman (DH) public/private keys, also known as DH/1.0 keys (REGSERVER-1864). Only RSA public/private keys are supported.
In some cases this may require a TeamDrive client update to version 5.2.0. This includes:
- some client installations from 2012 or earlier,
- the Key Repository is enabled with a large number of keys (> 500 Spaces),
- a large profile picture is uploaded,
- a large activity report is sent via email by the client.
External Authentication
You can now specify that an External Authentication Service performs Two-factor Authentication (2FA). In this case the Registration Server will not perform 2FA when the user’s account is set to 2FA required (REGSERVER-1815).
External authentication now supports “session based” login (REGSERVER-1851). Using this method, the TeamDrive App redirects to the Auth Service, and then uses a (previously obtained) session ID to verify whether the login is successful. This removes the need for an embedded browser in the TeamDrive Desktop App.
External Authentication: when accessing an Authentication Service that does not return the service name (in the verify authentication token reply), the Provider setting DEFAULT_AUTH_SERVICE_NAME must be set.
Note that this is only the case when dealing with an Authentication Service that has not been upgraded (or cannot be upgraded) to the latest version.
Administration Console
- A column “Referenced By” has been added to the list of Services on the “Manage Domains & Services” page. This column contains a list of Providers that reference the service.
- It is now possible to disable access to the Admin Console for a specific Provider (REGSERVER-1853). When disabled, no user or administrator of the Provider is allowed to login to the Admin Console.
- When deleting a user you can now add a comment (REGSERVER-1827). This will appear in the change history of users in the Admin Console.
- Fixed listing of Spaces on the “Edit Depot” page (REGSERVER-1837).
- Fixed the “Move Space” dialog on the “Edit Depot” page which was returning an error when the Depot owner was entered (REGSERVER-1870).
- Fixed the output of the “Edit Auto Task” page.
- Removed certain incorrect entries from the Depot “Change History” (REGSERVER-1839).