Univention Bugzilla – Bug 55570
92univention-management-console-web-server.inst does not register a Keycloak client correctly on initial join
Last modified: 2023-02-01 17:24:20 CET
The line univention-keycloak "$@" saml/sp create --metadata-url="https://$hostname.$domainname/univention/saml/metadata" --umc-uid-mapper does not work during the initial join. The problem is an SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"), which seems to originate from not restarting apache2 earlier. A new certificate is created during the join and this is not yet loaded by Apache. /etc/init.d/apache2 reload is done, but this is not sufficient and too late in the script anyway. While at it, we could also remove the explicit init.d call? And we should double-check --metadata-url="https://$hostname.$domainname/univention/saml/metadata", since for SimpleSamlPHP Identifier="https://$fqdn/univention/saml/metadata" is used. May become a problem, too?
For reference, to test this, run system-setup for a to-be-joined system up to the "finish" dialog, log in via SSH to that machine and add the following lines to /etc/apt/sources.list:

deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_5.0-0-errata5.0-2/all/
deb [trusted=yes] http://omar.knut.univention.de/build2/ ucs_5.0-0-errata5.0-2/$(ARCH)/
deb http://updates.knut.univention.de/ ucs502 main
deb http://updates.knut.univention.de/ errata502 main

Then install all package updates, and then proceed with system-setup.
6d38273cad Bug #55570: yaml
2083606acd Bug #55570: Restart apache2 before trying to register keycloak client

Successful build
Package: univention-management-console
Version: 12.0.13-6A~5.0.0.202301282150
Branch: ucs_5.0-0
Scope: errata5.0-2

The apache2 service is now restarted before the univention-keycloak client registration.
a3b722b724 (HEAD -> 5.0-2, origin/5.0-2) Bug #55570: yaml
f4690ada52 Bug #55570: Download metadata even if UCR umc/saml/idp-server has been set in ldap/force layer

For keycloak usage, we recommend creating a UCR policy that sets umc/saml/idp-server to keycloak. The join then fails. When a UCR policy is set for umc/saml/idp-server the join fails because the joinscript removes the metadata, sets the UCR variable and expects the metadata to be downloaded again by the UCR module setup_saml_sp.py. This doesn't happen if the UCR variable has been set in an "upper" layer, e.g. the ldap layer. I now call the setup script directly in the joinscript if the metadata has not been downloaded by the ucr set.
*** Bug 55509 has been marked as a duplicate of this bug. ***
OK: Setup + Join
OK: Code
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x564> <https://errata.software-univention.de/#/?erratum=5.0x565>