From 9852f644f79e7bd44d2de51485f4b7cccc448a37 Mon Sep 17 00:00:00 2001 From: Ivan Anfimov Date: Sun, 14 Sep 2025 22:04:03 +0000 Subject: [PATCH] Fix for fails to reload httpd due to unsupported OIDCXForwardedHeaders In Rocky Linux 9, maximum available version package is mod_auth_openidc-2.4.10-1.el9_6.2.x86_64 In Rocky Linux 10 is mod_auth_openidc-2.4.15-4.el10_0.1.x86_64 It is necessary to check the value of: _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 according to the version of operating system. Closes-Bug: #2123161 Change-Id: I0e4585e85426e57d3a2d6fc86ac2d6df00c09c79 Signed-off-by: Ivan Anfimov --- vars/redhat.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vars/redhat.yml b/vars/redhat.yml index 263098b2..ccd0fd6d 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -39,7 +39,9 @@ keystone_idp_distro_packages: - xmlsec1 # From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured -_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: true +# In Rocky Linux 9, max. version is mod_auth_openidc-2.4.10-*, in Rocky Linux 10 is mod_auth_openidc-2.4.15-* +_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: >- + {{ (ansible_facts['distribution'] == 'Rocky' and ansible_facts['distribution_major_version'] == '9') | ternary(false, true) }} keystone_sp_apache_mod_packages: - name: shibboleth
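Review bot: The added template for `_keystone_sp_apache_mod_auth_openidc_gte_2_4_11` returns false only when `distribution == 'Rocky'`, but this is `vars/redhat.yml` and the commit message ties the 2.4.10 ceiling to the el9 package build, so other EL9 hosts that load this file (CentOS Stream, RHEL or AlmaLinux, if the role supports them) would presumably still get `true` and hit the same httpd reload failure. Keying on the major release alone is simpler and covers them: `{{ ansible_facts['distribution_major_version'] is version('10', '>=') }}`. The comment should also say that with the flag false no `OIDCXForwardedHeaders` is emitted; going by the existing comment, a module older than 2.4.11 probably honours X-Forwarded-* headers without opt-in, so the proxy in front of keystone has to overwrite client-supplied values on those hosts. The consumer of this variable is outside the hunk, so confirm it evaluates the templated result as a boolean and not as the non-empty string `False`.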