Problem
If Keycloak was previously installed successfully on a system in the domain and then removed, the Postgres DB may not have been cleaned up or removed completely.
When Keycloak is then installed again on the same or another system, the leftover Postgres DB still uses an outdated password and therefore does not have the correct credentials. As a result the Keycloak installation fails, including the 50keycloak.inst join script.
Root Cause
Bug 57313
You will find this traceback in /var/log/univention/join.log:
RUNNING 50keycloak.inst
2024-05-21 12:40:56.845491270+02:00 (in joinscript_init)
No module named 'ucs-school-ucr-xxx-xx'
Create ucs/web/overview/entries/admin/keycloak/description/de
Create ucs/web/overview/entries/admin/keycloak/description
Create ucs/web/overview/entries/admin/keycloak/label
Create ucs/web/overview/entries/admin/keycloak/link
Create ucs/web/overview/entries/admin/keycloak/icon
Create ucs/web/overview/entries/admin/keycloak/link-target
Module: ucs-school-ucr-xxx-xx
Module: create_portal_entries
Object modified: cn=keycloak,cn=entry,cn=portals,cn=univention,dc=edu,dc=univention,dc=de
Object exists: cn=ldapacl,cn=univention,dc=edu,dc=univention,dc=de
INFO: No change of core data of object 67keycloak.
No modification: cn=67keycloak,cn=ldapacl,cn=univention,dc=edu,dc=univention,dc=de
Waiting for activation of the extension object 67keycloak: OK
Object exists: cn=services,cn=univention,dc=edu,dc=univention,dc=de
Object created: cn=keycloak DB,cn=services,cn=univention,dc=edu,dc=univention,dc=de
Object modified: cn=xxx,cn=dc,cn=computers,dc=edu,dc=univention,dc=de
File: /etc/apache2/sites-available/univention-keycloak.conf
File: /etc/apache2/sites-available/univention-keycloak.conf
Site univention-keycloak already enabled
Warning: The file '/etc/postgresql/11/main/pg_hba.conf' is not registered as an UCR template.
Warning: The file '/etc/postgresql/15/main/pg_hba.conf' is not registered as an UCR template.
Adding A record "sso xx.xxx.xx.xx" to zone xxx.univention.de...
21.05.24 12:41:06.797 DEBUG_INIT
21.05.24 12:41:06.800 DEBUG_EXIT
Restarting keycloak ... done
Traceback (most recent call last):
File "/usr/sbin/univention-keycloak", line 3101, in <module>
sys.exit(main())
File "/usr/sbin/univention-keycloak", line 3097, in main
return opt.func(opt) or 0
File "/usr/sbin/univention-keycloak", line 510, in get_realms
session = UniventionKeycloakAdmin(opt)
File "/usr/sbin/univention-keycloak", line 191, in __init__
verify=opt.no_ssl_verify,
File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
self.get_token()
File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
return raise_error_from_response(data_raw, KeycloakGetError)
File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
response_body=response.content)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'
You will receive the same error message if you execute the following univention-keycloak command:
univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get
Traceback (most recent call last):
File "/usr/sbin/univention-keycloak", line 3101, in <module>
sys.exit(main())
File "/usr/sbin/univention-keycloak", line 3097, in main
return opt.func(opt) or 0
File "/usr/sbin/univention-keycloak", line 510, in get_realms
session = UniventionKeycloakAdmin(opt)
File "/usr/sbin/univention-keycloak", line 191, in __init__
verify=opt.no_ssl_verify,
File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 96, in __init__
self.get_token()
File "/usr/lib/python3/dist-packages/keycloak/keycloak_admin.py", line 1786, in get_token
self._token = self.keycloak_openid.token(self.username, self.password, grant_type=grant_type)
File "/usr/lib/python3/dist-packages/keycloak/keycloak_openid.py", line 201, in token
return raise_error_from_response(data_raw, KeycloakGetError)
File "/usr/lib/python3/dist-packages/keycloak/exceptions.py", line 108, in raise_error_from_response
response_body=response.content)
keycloak.exceptions.KeycloakAuthenticationError: 401: b'{"error":"invalid_grant","error_description":"Invalid user credentials"}'
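Before dropping anything, the failing call from the traceback can be reproduced as a small pre-flight check that tells a stale-credential 401 apart from other failures. This is an added example, not code from the Univention article or from univention-keycloak; the Keycloak base URL (including any /auth prefix), the master realm, the admin-cli client and /etc/keycloak.secret as the source of the admin password are assumptions.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from pathlib import Path
from typing import Dict, Tuple

# Diagnosis text returned for the failure mode this article describes.
STALE_DB_HINT = (
    "401 invalid_grant: the credentials from the secret file are rejected; a leftover "
    "Postgres 'keycloak' database from an earlier installation with an outdated "
    "password is the likely cause (see Bug 57313)."
)


def token_request(base_url: str, user: str, password: str) -> Tuple[str, Dict[str, str]]:
    """Build the password grant that KeycloakAdmin.get_token() issues.

    Assumption: master realm and the admin-cli client (python-keycloak defaults).
    """
    url = f"{base_url.rstrip('/')}/realms/master/protocol/openid-connect/token"
    form = {"client_id": "admin-cli", "grant_type": "password",
            "username": user, "password": password}
    return url, form


def diagnose(status: int, body: bytes) -> str:
    """Map the token endpoint's response to a plain-language diagnosis."""
    if status == 200:
        return "ok: admin credentials accepted"
    try:
        err = json.loads(body)
    except ValueError:
        return f"unexpected: HTTP {status} with non-JSON body"
    if status == 401 and err.get("error") == "invalid_grant":
        return STALE_DB_HINT
    return f"unexpected: HTTP {status} {err.get('error')}: {err.get('error_description')}"


def check(base_url: str, secret_file: str = "/etc/keycloak.secret",
          user: str = "admin") -> str:
    """Read the admin password from the secret file (assumed location) and try the grant."""
    password = Path(secret_file).read_text(encoding="utf-8").strip()
    url, form = token_request(base_url, user, password)
    data = urllib.parse.urlencode(form).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
            return diagnose(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # Keycloak sends the JSON error body together with the 401; HTTPError carries it.
        return diagnose(exc.code, exc.read())
```

Run check("https://sso.example.test") on the affected host; if it returns the invalid_grant hint, the cleanup in the Solution section applies.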
Solution
As this was a new installation in our case and therefore no data loss would occur, we removed the Keycloak installation including the Postgres DB.
- univention-app remove keycloak
- rm /etc/keycloak.secret*
- su postgres
- dropdb keycloak
Now you can perform the Keycloak installation again: the Postgres DB is recreated with the current, correct password, and Keycloak can access it.
- univention-app install keycloak
- univention-keycloak --binduser "${keycloak_admin_user:-admin}" realms get