5.0-10 to 5.2 - Keycloak MANDATORY?

Hello,

After a relatively painful migration away from Kopano last year, we are now facing an upgrade from 5.0-10 to 5.2.

The pre-upgrade script for 5.2-4 runs smoothly and reports no errors (which, as we know, doesn’t mean THAT much).

However, the migration guide (1. Introduction — Migration guide: SimpleSAMLPHP to Keycloak) for Keycloak is a closed book to me, even though I have been working with Linux (Debian, Mint) and UCS (since the c’t edition) for many years.

OpenID was never used anyway, and SimpleSAMLphp was not used consciously or intentionally, at least.
However, the various formulations in the migration guide “…or you are absolutely sure no service uses SimpleSAMLphp…” leave me in doubt, and I simply cannot figure out how I can definitely check whether I need to install Keycloak and perform a migration or not!

It does mention “Get an overview of all the services that use SimpleSAMLphp and their settings” but I can’t find any specific instructions on how to check this.

Could someone please help me out here?

Best regards

Hi,

univention-keycloak-migration-status will report the existing SAML/OIDC objects.
If you never configured SSO in your environment you will most likely just see some entries that have been created by default for UMC and other examples.
In those cases it is usually safe to remove them as mentioned in the docs.

And no, if you don't need SSO you don't have to install Keycloak.

hth
Dirk

Hello,

Many thanks @ahrnke – after reading your helpful post and performing the upgrade, I also found this KB article :man_facepalming:

There were still a few pitfalls:

  • Even after pruning all unnecessary kernels, /boot still did not have enough free space. Solved by: Problem: Checking disk_space FAIL
  • When upgrading from intermediate stage 5.1 to 5.2, initramfs failed because there was still a deprecated open-vm-tools module (I think it was ‘vmxnet’). I had to deactivate this and uninstall the outdated open-vm-tools.
  • In the end, Apache failed to start because the PHP 7.3 module was still active, even though the ‘.so’ file is no longer present. This was fixed with a2dismod. As far as I understand, these versions of PHP are no longer supported anyway. (Problem: UCS 5.2 - all php packages are removed since the upgrade). Maybe one should remove the remains?
  • The unsuccessful attempts 1-60 of ‘Try to download idp metadata’ repeatedly delayed the upgrade process for some time. Since SSO was never used, I assume that this part is simply not there.

At the moment, everything seems to be running smoothly, except that a ‘kopano-cfg’ keeps popping up now and then in the log files, even though Kopano has been uninstalled for a year.

Best regards,
TP