diff --git a/manifests/client.pp b/manifests/client.pp index 06f5769f..ae764c12 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -61,6 +61,13 @@ # Default: infinite # Options: Integer or infinite # +# [*auth_retry*] +# String. Controls how OpenVPN responds to username/password verification errors such +# as the client-side response to an AUTH_FAILED message from the server or verification +# failure of the private key password. +# Default: none +# Options: 'none' or 'nointeract' or 'interact' +# # [*verb*] # Integer. Level of logging verbosity # Default: 3 @@ -119,6 +126,7 @@ $proto = 'tcp', $remote_host = $::fqdn, $resolv_retry = 'infinite', + $auth_retry = 'none', $verb = '3', $pam = false, $authuserpass = false, diff --git a/manifests/server.pp b/manifests/server.pp index bd7039ba..3b257617 100644 --- a/manifests/server.pp +++ b/manifests/server.pp @@ -143,6 +143,10 @@ # Boolean. If true then set username-as-common-name # Default: false # +# [*client_cert_not_required*] +# Boolean. If true then set client-cert-not-required +# Default: false +# # [*ldap_enabled*] # Boolean. If ldap is enabled, do stuff # Default: false @@ -310,6 +314,7 @@ $up = '', $down = '', $username_as_common_name = false, + $client_cert_not_required = false, $ldap_enabled = false, $ldap_server = '', $ldap_binddn = '', diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb index c9f78280..19c461d0 100644 --- a/spec/defines/openvpn_client_spec.rb +++ b/spec/defines/openvpn_client_spec.rb @@ -57,6 +57,7 @@ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ns\-cert\-type\s+server$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+3$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+20$/)} + it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+none$/)} end context "setting all of the parameters" do @@ -73,6 +74,7 @@ 'proto' => 'udp', 'remote_host' => 'somewhere', 'resolv_retry' => '2m', + 'auth_retry' => 'interact', 'verb' => '1' } } let(:facts) { { @@ -94,6 +96,7 @@ it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^resolv-retry\s+2m$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+1$/)} it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+10$/)} + it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+interact$/)} end end diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb index 87667f9a..1968b3d1 100644 --- a/spec/defines/openvpn_server_spec.rb +++ b/spec/defines/openvpn_server_spec.rb @@ -294,6 +294,7 @@ 'email' => 'testemail@example.org', 'username_as_common_name' => true, + 'client_cert_not_required' => true, 'ldap_enabled' => true, 'ldap_server' => 'ldaps://ldap.example.org:636', @@ -334,6 +335,7 @@ it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/test_server/auth/ldap.conf"$}) } it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^username-as-common-name$}) } + it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client-cert-not-required$}) } end diff --git a/templates/client.erb b/templates/client.erb index 2388b482..52509232 100644 --- a/templates/client.erb +++ b/templates/client.erb @@ -9,6 +9,7 @@ remote <%= scope.lookupvar('remote_host') %> <%= scope.lookupvar('port') %> <%= scope.lookupvar('compression') %> <% end -%> resolv-retry <%= scope.lookupvar('resolv_retry') %> +auth-retry <%= scope.lookupvar('auth_retry') %> <% if scope.lookupvar('nobind') -%> nobind <% end -%> diff --git a/templates/server.erb b/templates/server.erb index 6b2dbd39..37162bc5 100644 --- a/templates/server.erb +++ b/templates/server.erb @@ -93,3 +93,6 @@ username-as-common-name <% if scope.lookupvar('ldap_enabled') == true -%> plugin <%= scope.lookupvar('::openvpn::params::ldap_auth_plugin_location') %> "/etc/openvpn/<%= name %>/auth/ldap.conf" <% end -%> +<% if scope.lookupvar('client_cert_not_required') -%> +client-cert-not-required +<% end -%>