Bug 56484 - ldapsOnly option removed from Keycloak 22
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Keycloak
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-4-errata
Assigned To: Julia Bremer
QA Contact: Felix Botner
Reported: 2023-08-24 14:12 CEST by Julia Bremer
Modified: 2023-08-30 13:31 CEST
What kind of report is it?: Development Internal
Description Julia Bremer univentionstaff 2023-08-24 14:12:55 CEST
We used the ldapsOnly option for the truststore usage in Keycloak. 
This option has been removed and Keycloak will now default to "Always", which tracebacks. Probably a bug in Keycloak.
We need to modify univention-keycloak to adjust this option in both realm "master" and realm "ucs".
Comment 1 Felix Botner univentionstaff 2023-08-25 09:35:32 CEST
Looks good, worked in manual tests. For the Jenkins tests I need to merge/build this; will do that now and start the tests.
Comment 2 Felix Botner univentionstaff 2023-08-25 09:47:29 CEST
Successful build
Package: univention-keycloak
Version: 1.0.9-29
Branch: ucs_5.0-0
Scope: errata5.0-4
Comment 4 Felix Botner univentionstaff 2023-08-25 11:36:40 CEST
OK - 22 Branch test (just a minor error in 10_legacy_authorization test_univention_keycloak_legacy_flow_config about some description attribute, we can fix that later)
OK - 21 Product test (just a minor error in 05_univention-keycloak.test_upgrade_config_status because we did not yet change the version of the join script for Keycloak 22, we have to do this for the next app update)

This tells us that "useTruststoreSpi=never" works with Keycloak 21 and 22.
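
Added example, not part of the bug report and not univention-keycloak's own code: an offline helper that finds LDAP federation components in the "master" and "ucs" realms still carrying the removed "ldapsOnly" value and rewrites "useTruststoreSpi" to "never", the value reported above to work with Keycloak 21 and 22. The component layout (config values stored as lists of strings, providerId "ldap"), the function names and the sample data are assumptions made for illustration.

```python
# Added example: offline check/rewrite of Keycloak LDAP federation components.
# Assumption: components look like Keycloak admin-API component JSON, where
# every config value is a list of strings. The sample data is constructed.
import copy

REMOVED_VALUE = "ldapsOnly"   # option removed in Keycloak 22 (per this bug)
REPLACEMENT = "never"         # value reported to work with Keycloak 21 and 22
LDAP_PROVIDER_ID = "ldap"     # assumed providerId of LDAP user federation


def migrate_truststore_spi(components, replacement=REPLACEMENT):
    """Return (migrated_components, changed_names); the input is not mutated."""
    migrated, changed = [], []
    for comp in components:
        comp = copy.deepcopy(comp)
        config = comp.get("config", {})
        # Only touch LDAP providers that still hold exactly the removed value.
        if (comp.get("providerId") == LDAP_PROVIDER_ID
                and config.get("useTruststoreSpi") == [REMOVED_VALUE]):
            config["useTruststoreSpi"] = [replacement]
            changed.append(comp.get("name"))
        migrated.append(comp)
    return migrated, changed


def migrate_realms(realm_components, replacement=REPLACEMENT):
    """Apply the rewrite per realm; returns {realm: (components, changed)}."""
    return {realm: migrate_truststore_spi(comps, replacement)
            for realm, comps in realm_components.items()}


# Constructed sample covering the two realms named in the bug report.
SAMPLE = {
    "master": [
        {"name": "ldap-master-admin", "providerId": "ldap",
         "config": {"connectionUrl": ["ldaps://ldap.example.test:7636"],
                    "useTruststoreSpi": ["ldapsOnly"]}},
    ],
    "ucs": [
        {"name": "ldap-provider", "providerId": "ldap",
         "config": {"connectionUrl": ["ldaps://ldap.example.test:7636"],
                    "useTruststoreSpi": ["ldapsOnly"]}},
        {"name": "rsa-generated", "providerId": "rsa-generated",
         "config": {"priority": ["100"]}},
    ],
}

if __name__ == "__main__":
    for realm, (comps, changed) in migrate_realms(SAMPLE).items():
        print(realm, "rewritten:", changed)
```

Running the helper a second time over its own output reports no changes, so it can double as a post-upgrade check that no component still carries the removed value.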