Fix for httpd failing to reload due to unsupported OIDCXForwardedHeaders

In Rocky Linux 9, the maximum available package version is
mod_auth_openidc-2.4.10-1.el9_6.2.x86_64

In Rocky Linux 10 it is mod_auth_openidc-2.4.15-4.el10_0.1.x86_64

It is necessary to check the value of:
_keystone_sp_apache_mod_auth_openidc_gte_2_4_11

according to the version of the operating system.

Closes-Bug: #2123161
Change-Id: I0e4585e85426e57d3a2d6fc86ac2d6df00c09c79
Signed-off-by: Ivan Anfimov <lazekteam@gmail.com>
Ivan Anfimov
2025-09-14 22:04:03 +00:00
parent b44fa90cf1
commit 9852f644f7

@@ -39,7 +39,9 @@ keystone_idp_distro_packages:
- xmlsec1
# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: true
# In Rocky Linux 9, max. version is mod_auth_openidc-2.4.10-*, in Rocky Linux 10 is mod_auth_openidc-2.4.15-*
_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: >-
{{ (ansible_facts['distribution'] == 'Rocky' and ansible_facts['distribution_major_version'] == '9') | ternary(false, true) }}
keystone_sp_apache_mod_packages:
- name: shibboleth
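
Review bot: the new `_keystone_sp_apache_mod_auth_openidc_gte_2_4_11` expression matches only `ansible_facts['distribution'] == 'Rocky'` with major version `'9'`, so every other distribution that loads this vars file still gets `true`, whatever mod_auth_openidc version it ships. If the file is shared with other distributions that package 2.4.10, test the major version without the distribution name, or derive the flag from the installed package version so it follows the module rather than the distro and does not go stale if Rocky Linux 9 later picks up a newer build. The `| ternary(false, true)` filter can be written as a plain `not (...)`. The retained comment implies that releases before 2.4.11 do not ignore X-Forwarded headers by default, so the new comment should also say that on Rocky Linux 9 the flag is `false` and header handling falls back to the module's older default, since that changes which proxy headers the service provider trusts.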