#8305 Unexpected behavior when using deprecated access control directives in httpd 2.4
Closed: fixed 10 months ago by rcritten. Opened 3 years ago by mrjoshuap.

Issue

As a Red Hat Customer utilizing Red Hat Identity Management, an unmodified installation should pass all Red Hat Insights Advisor Recommendations.

This host is running httpd-2.4.37-21.module+el8.2.0+5008+cca404a3 and using the following old directives (Order, Allow or Deny) which have been deprecated:

Configuration file /etc/httpd/conf.d/ipa.conf

        Allow from all  

Red Hat recommends that you replace the old directives ("Order", "Allow" and "Deny") with the new directive ("Require") in httpd-2.4. Please check the Upgrading to 2.4 from 2.2 guide for more information.

Steps to Reproduce

  1. Install RHEL8, update to latest
  2. Install and configure ipa-server
  3. Register the system with Red Hat Insights
  4. View Advisor recommendations, shown in issue

Actual behavior

Red Hat Insights Advisor includes a recommendation on the default IPA installation:

  • Unexpected behavior when using deprecated access control directives in httpd 2.4

Expected behavior

Red Hat Insights Advisor should have no recommendations related to a vanilla IPA installation.

Version/Release/Distribution

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.2 (Ootpa)

$ rpm -q ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-client-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
389-ds-base-1.4.2.4-8.module+el8.2.0+5959+cfcaedbd.x86_64
pki-ca-10.8.3-2.module+el8.2.0+6294+b7db4606.noarch
krb5-server-1.17-18.el8.x86_64

$ rpm -qa | grep httpd
httpd-tools-2.4.37-21.module+el8.2.0+5008+cca404a3.x86_64
httpd-filesystem-2.4.37-21.module+el8.2.0+5008+cca404a3.noarch
httpd-2.4.37-21.module+el8.2.0+5008+cca404a3.x86_64

Additional info:

While I cannot identify any issues or problems related to the recommendation, the Insights Advisor should return a clean result.
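
A local check for the condition the recommendation above describes, as an added example that is not part of the original ticket, FreeIPA or Red Hat Insights: it lists the configuration sections that still use Order, Allow or Deny, flags sections that also contain Require (mixing the old and new directives is discouraged in the httpd upgrade guide), and proposes a Require line only when the whole section matches a simple pattern. The function name `audit`, the result keys and the sample configuration are assumptions made for illustration.

```python
import re
SECTION_OPEN = re.compile(r"^<\s*[A-Za-z]+\b[^>]*>$")
SECTION_CLOSE = re.compile(r"^</\s*[A-Za-z]+\s*>$")
OLD = re.compile(r"^(order|allow|deny)\b", re.I)   # mod_access_compat directives
NEW = re.compile(r"^require\b", re.I)              # mod_authz_core directive
# Whole-section patterns with a direct 2.4 equivalent; anything else needs manual review.
EQUIVALENT = {
    frozenset({"allow from all"}): "Require all granted",
    frozenset({"order allow,deny", "allow from all"}): "Require all granted",
    frozenset({"order deny,allow", "deny from all"}): "Require all denied",
}
# Constructed sample with hypothetical paths; this is not the content of ipa.conf.
SAMPLE = """\
<Directory "/srv/example/a">
    Order allow,deny
    Allow from all
</Directory>
<Location "/example/b">
    Allow from all
    Require all granted
</Location>
<Directory "/srv/example/c">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
</Directory>
"""

def audit(conf_text):
    """Return one finding per configuration section that uses Order/Allow/Deny."""
    stack, done = [{"name": "(server config)", "old": [], "mixed": False}], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if SECTION_CLOSE.match(line) and len(stack) > 1:
            done.append(stack.pop())
        elif SECTION_OPEN.match(line):
            stack.append({"name": line, "old": [], "mixed": False})
        elif OLD.match(line):
            stack[-1]["old"].append((no, line))
        elif NEW.match(line):
            stack[-1]["mixed"] = True   # old and new access control in one section
    out = []
    for sec in done + stack:
        key = frozenset(" ".join(text.lower().split()) for _, text in sec["old"])
        if sec["old"]:
            out.append({"section": sec["name"], "lines": [n for n, _ in sec["old"]],
                        "mixed_with_require": sec["mixed"],
                        "suggestion": None if sec["mixed"] else EQUIVALENT.get(key)})
    return out
```

Call `audit(open(path).read())` on each file under the httpd configuration directory; a finding with `suggestion` set to `None` means the section combines rules and has to be converted by hand.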


Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4634
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8.7

3 years ago

I'm trying to get rid of all deprecated directives from mod_access_compat but my PR broke some tests. It seems like the route /ipa/migration requires authentication although I set AuthType None and Require all granted.

master:

  • 2bfe5ff Use httpd 2.4 syntax for access control

ipa-4-8:

  • 84d15da Use httpd 2.4 syntax for access control

Looks like this change is complete. Closing as fixed.

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue set to the milestone: None (was: FreeIPA 4.8.7)
- Issue status updated to: Closed (was: Open)

10 months ago
