From 36e47e32da0d78f85773968395818c3a81f7953f Mon Sep 17 00:00:00 2001
From: Ilya Kulakov <kulakov.ilya@gmail.com>
Date: Mon, 26 May 2014 07:02:51 -0400
Subject: [PATCH 1/2] Add support for the client-cert-not-required parameter.

---
 manifests/server.pp                 | 5 +++++
 spec/defines/openvpn_server_spec.rb | 2 ++
 templates/server.erb                | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/manifests/server.pp b/manifests/server.pp
index bd7039ba..3b257617 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -143,6 +143,10 @@
 #   Boolean. If true then set username-as-common-name
 #   Default: false
 #
+# [*client_cert_not_required*]
+#   Boolean. If true then set client-cert-not-required
+#   Default: false
+#
 # [*ldap_enabled*]
 #   Boolean. If ldap is enabled, do stuff
 #   Default: false
@@ -310,6 +314,7 @@
   $up = '',
   $down = '',
   $username_as_common_name = false,
+  $client_cert_not_required = false,
   $ldap_enabled = false,
   $ldap_server = '',
   $ldap_binddn = '',
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index 87667f9a..1968b3d1 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
@@ -294,6 +294,7 @@
       'email'         => 'testemail@example.org',
 
       'username_as_common_name' => true,
+      'client_cert_not_required' => true,
 
       'ldap_enabled'   => true,
       'ldap_server'    => 'ldaps://ldap.example.org:636',
@@ -334,6 +335,7 @@
 
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/test_server/auth/ldap.conf"$}) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^username-as-common-name$}) }
+    it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client-cert-not-required$}) }
 
   end
 
diff --git a/templates/server.erb b/templates/server.erb
index 6b2dbd39..37162bc5 100644
--- a/templates/server.erb
+++ b/templates/server.erb
@@ -93,3 +93,6 @@ username-as-common-name
 <% if scope.lookupvar('ldap_enabled') == true -%>
 plugin <%= scope.lookupvar('::openvpn::params::ldap_auth_plugin_location') %> "/etc/openvpn/<%= name %>/auth/ldap.conf"
 <% end -%>
+<% if scope.lookupvar('client_cert_not_required') -%>
+client-cert-not-required
+<% end -%>

From 8d604a275d6ad75a313a42f4901adec725df897b Mon Sep 17 00:00:00 2001
From: Ilya Kulakov <kulakov.ilya@gmail.com>
Date: Mon, 26 May 2014 08:47:48 -0400
Subject: [PATCH 2/2] Add support for the auth-retry parameter.

---
 manifests/client.pp                 | 8 ++++++++
 spec/defines/openvpn_client_spec.rb | 3 +++
 templates/client.erb                | 1 +
 3 files changed, 12 insertions(+)

diff --git a/manifests/client.pp b/manifests/client.pp
index 06f5769f..ae764c12 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -61,6 +61,13 @@
 #   Default: infinite
 #   Options: Integer or infinite
 #
+# [*auth_retry*]
+#   String. Controls how OpenVPN responds to username/password verification errors such
+#     as the client-side response to an AUTH_FAILED message from the server or verification
+#     failure of the private key password.
+#   Default: none
+#   Options: 'none' or 'nointeract' or 'interact'
+#
 # [*verb*]
 #   Integer.  Level of logging verbosity
 #   Default: 3
@@ -119,6 +126,7 @@
   $proto = 'tcp',
   $remote_host = $::fqdn,
   $resolv_retry = 'infinite',
+  $auth_retry = 'none',
   $verb = '3',
   $pam = false,
   $authuserpass = false,
diff --git a/spec/defines/openvpn_client_spec.rb b/spec/defines/openvpn_client_spec.rb
index c9f78280..19c461d0 100644
--- a/spec/defines/openvpn_client_spec.rb
+++ b/spec/defines/openvpn_client_spec.rb
@@ -57,6 +57,7 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ns\-cert\-type\s+server$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+3$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+20$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+none$/)}
   end
 
   context "setting all of the parameters" do
@@ -73,6 +74,7 @@
       'proto'                 => 'udp',
       'remote_host'           => 'somewhere',
       'resolv_retry'          => '2m',
+      'auth_retry'            => 'interact',
       'verb'                  => '1'
     } }
     let(:facts) { {
@@ -94,6 +96,7 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^resolv-retry\s+2m$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+1$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+10$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+interact$/)}
   end
 
 end
diff --git a/templates/client.erb b/templates/client.erb
index 2388b482..52509232 100644
--- a/templates/client.erb
+++ b/templates/client.erb
@@ -9,6 +9,7 @@ remote <%= scope.lookupvar('remote_host') %> <%= scope.lookupvar('port') %>
 <%= scope.lookupvar('compression') %>
 <% end -%>
 resolv-retry <%= scope.lookupvar('resolv_retry') %>
+auth-retry <%= scope.lookupvar('auth_retry') %>
 <% if scope.lookupvar('nobind') -%>
 nobind
 <% end -%>