feat(integration): INT-05 Odoo OIDC docker test + CI

- docker/odoo-ldap-seed.ldif: FreeIPA-style seed (odooadmin/odoouser1/
  odoouser2, pw: Lab05Password!; groups: admins + odoo-users)
- docker/docker-compose.integration.yml: odoo-int-ldap-seed init service;
  Keycloak depends_on seed_completed; LDAP BaseDN -> cn=users,cn=accounts;
  Keycloak OIDC env vars added (KEYCLOAK_URL/REALM/CLIENT_ID)
- tests/labs/test-lab-13-05.sh: INT-05 full test (LDAP seed verify; KC
  realm/federation/sync/users; OIDC client; Odoo JSON-RPC auth + provider
  check; OIDC token/userinfo/introspect); removed duplicate dead-code stub
- .github/workflows/ci.yml: lab-05-smoke -> INT-05; python3 added; wait
  order: PostgreSQL -> OpenLDAP -> ldap-seed -> WireMock -> KC(240s) -> Odoo

Author: RedjiJB

.github/workflows/ci.yml

@@ -190,24 +190,28 @@ jobs:
         run: docker compose -f docker/docker-compose.sso.yml down -v
 
   lab-05-smoke:
-    name: Lab 05 -- Odoo Advanced Integration (WireMock Snipe-IT REST + SuiteCRM sync)
+    name: Lab 05 -- Odoo Advanced Integration (INT-05 Odoo↔Keycloak OIDC + WireMock)
     runs-on: ubuntu-latest
     needs: validate
     continue-on-error: true
     steps:
       - uses: actions/checkout@v4
       - name: Install tools
-        run: sudo apt-get install -y curl postgresql-client netcat-openbsd ldap-utils
+        run: sudo apt-get install -y curl postgresql-client netcat-openbsd ldap-utils python3
       - name: Validate integration compose
         run: docker compose -f docker/docker-compose.integration.yml config -q && echo "Integration compose valid"
       - name: Start integration stack
         run: docker compose -f docker/docker-compose.integration.yml up -d
       - name: Wait for PostgreSQL
         run: timeout 120 bash -c 'until docker exec odoo-i05-db pg_isready -U odoo; do sleep 5; done'
+      - name: Wait for OpenLDAP
+        run: timeout 120 bash -c 'until docker exec odoo-i05-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapLab05! cn=admin >/dev/null 2>&1; do sleep 5; done'
+      - name: Wait for LDAP seed
+        run: timeout 60 bash -c 'until docker inspect odoo-int-ldap-seed --format "{{.State.Status}}" 2>/dev/null | grep -q exited; do sleep 5; done'
       - name: Wait for WireMock
         run: timeout 60 bash -c 'until curl -sf http://localhost:8372/__admin/health; do sleep 5; done'
       - name: Wait for Keycloak
-        run: timeout 300 bash -c 'until curl -sf http://localhost:8470/realms/master; do sleep 10; done'
+        run: timeout 240 bash -c 'until curl -sf http://localhost:8470/realms/master; do sleep 10; done'
       - name: Wait for Mailhog
         run: timeout 60 bash -c 'until curl -sf http://localhost:8670/api/v2/messages; do sleep 5; done'
       - name: Wait for Odoo web

docker/docker-compose.integration.yml

@@ -14,7 +14,12 @@
 #   + WireMock also mocks SuiteCRM JSONRPC (customer sync partner)
 #   + Odoo integration env vars: SNIPEIT_URL, SNIPEIT_TOKEN, SUITECRM_URL
 #   + Redis retained for Odoo session cache
-# Integration tested: Odoo ↔ Snipe-IT (asset procurement), Odoo ↔ SuiteCRM (customer sync)
+# Integration tested: Odoo ↔ Keycloak OIDC (INT-05) · Odoo ↔ Snipe-IT (asset procurement) · Odoo ↔ SuiteCRM (customer sync)
+# =============================================================================
+# INT-05 additions:
+#   + odoo-int-ldap-seed: init container — loads FreeIPA-style LDIF (odooadmin/odoouser1/odoouser2)
+#   + Keycloak depends on seed completion for LDAP federation to find pre-seeded users
+#   + LDAP_BASE_DN updated to cn=users,cn=accounts,dc=lab,dc=local (FreeIPA tree)
 # =============================================================================
 
 name: it-stack-odoo-lab05
@@ -97,6 +102,27 @@ services:
           memory: 256M
           cpus: "0.25"
 
+  # ── LDAP seed (INT-05) ──────────────────────────────────────────────────
+  odoo-int-ldap-seed:
+    image: osixia/openldap:1.5.0
+    container_name: odoo-int-ldap-seed
+    restart: no
+    entrypoint: >
+      /bin/bash -c
+      "sleep 8 &&
+      ldapadd -x -H ldap://odoo-i05-ldap:389
+        -D 'cn=admin,dc=lab,dc=local'
+        -w LdapLab05!
+        -f /ldif/odoo-ldap-seed.ldif &&
+      echo 'SEED_COMPLETE'"
+    volumes:
+      - ./odoo-ldap-seed.ldif:/ldif/odoo-ldap-seed.ldif:ro
+    depends_on:
+      odoo-i05-ldap:
+        condition: service_healthy
+    networks:
+      - odoo-i05-net
+
   # ── Keycloak ─────────────────────────────────────────────────────────────
   odoo-i05-kc:
     image: quay.io/keycloak/keycloak:24.0.3
@@ -113,6 +139,9 @@ services:
       KC_HTTP_ENABLED: "true"
     ports:
       - "8470:8080"
+    depends_on:
+      odoo-int-ldap-seed:
+        condition: service_completed_successfully
     healthcheck:
       test: ["CMD-SHELL", "curl -sf http://localhost:8080/realms/master || exit 1"]
       interval: 15s
@@ -188,11 +217,13 @@ services:
       PORT: "5432"
       USER: odoo
       PASSWORD: OdooLab05!
-      # LDAP integration
+      # LDAP integration (FreeIPA-style tree — seeded by odoo-int-ldap-seed)
       LDAP_HOST: odoo-i05-ldap
       LDAP_PORT: "389"
-      LDAP_BASE_DN: dc=lab,dc=local
+      LDAP_BASE_DN: cn=users,cn=accounts,dc=lab,dc=local
       LDAP_FILTER: (uid=%s)
+      LDAP_BIND_DN: cn=readonly,dc=lab,dc=local
+      LDAP_BIND_PASSWORD: ReadOnly05!
       LDAP_ADMIN_DN: cn=admin,dc=lab,dc=local
       LDAP_ADMIN_PASSWORD: LdapLab05!
       # Keycloak OIDC

docker/odoo-ldap-seed.ldif

@@ -0,0 +1,77 @@
+# odoo-ldap-seed.ldif
+# FreeIPA-style LDAP seed for Odoo Lab 05 (INT-05: Odoo↔Keycloak OIDC)
+# Tree:  cn=accounts,dc=lab,dc=local
+# Users: odooadmin · odoouser1 · odoouser2  (pw: Lab05Password!)
+# Groups: cn=admins · cn=odoo-users
+
+# ── Organizational units (FreeIPA-style) ─────────────────────────────────────
+dn: cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: nsContainer
+cn: accounts
+
+dn: cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: nsContainer
+cn: users
+
+dn: cn=groups,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: nsContainer
+cn: groups
+
+# ── Users ────────────────────────────────────────────────────────────────────
+dn: uid=odooadmin,cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+uid: odooadmin
+cn: Odoo Admin
+sn: Admin
+givenName: Odoo
+mail: odooadmin@lab.local
+userPassword: Lab05Password!
+description: Odoo ERP administrator — lab seed account
+
+dn: uid=odoouser1,cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+uid: odoouser1
+cn: Odoo User One
+sn: User One
+givenName: Odoo
+mail: odoouser1@lab.local
+userPassword: Lab05Password!
+description: Odoo ERP standard user — lab seed account
+
+dn: uid=odoouser2,cn=users,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+uid: odoouser2
+cn: Odoo User Two
+sn: User Two
+givenName: Odoo
+mail: odoouser2@lab.local
+userPassword: Lab05Password!
+description: Odoo ERP standard user — lab seed account
+
+# ── Groups ───────────────────────────────────────────────────────────────────
+dn: cn=admins,cn=groups,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: groupOfNames
+cn: admins
+description: Odoo ERP administrators group
+member: uid=odooadmin,cn=users,cn=accounts,dc=lab,dc=local
+
+dn: cn=odoo-users,cn=groups,cn=accounts,dc=lab,dc=local
+objectClass: top
+objectClass: groupOfNames
+cn: odoo-users
+description: Odoo ERP standard users group
+member: uid=odoouser1,cn=users,cn=accounts,dc=lab,dc=local
+member: uid=odoouser2,cn=users,cn=accounts,dc=lab,dc=local