Add support for the client-cert-not-required parameter.

manifests/client.pp

@@ -61,6 +61,13 @@
 #   Default: infinite
 #   Options: Integer or infinite
 #
+# [*auth_retry*]
+#   String. Controls how OpenVPN responds to username/password verification errors such
+#     as the client-side response to an AUTH_FAILED message from the server or verification
+#     failure of the private key password.
+#   Default: none
+#   Options: 'none' or 'nointeract' or 'interact'
+#
 # [*verb*]
 #   Integer.  Level of logging verbosity
 #   Default: 3
@@ -119,6 +126,7 @@
   $proto = 'tcp',
   $remote_host = $::fqdn,
   $resolv_retry = 'infinite',
+  $auth_retry = 'none',
   $verb = '3',
   $pam = false,
   $authuserpass = false,

manifests/server.pp

@@ -143,6 +143,10 @@
 #   Boolean. If true then set username-as-common-name
 #   Default: false
 #
+# [*client_cert_not_required*]
+#   Boolean. If true then set client-cert-not-required
+#   Default: false
+#
 # [*ldap_enabled*]
 #   Boolean. If ldap is enabled, do stuff
 #   Default: false
@@ -310,6 +314,7 @@
   $up = '',
   $down = '',
   $username_as_common_name = false,
+  $client_cert_not_required = false,
   $ldap_enabled = false,
   $ldap_server = '',
   $ldap_binddn = '',

spec/defines/openvpn_client_spec.rb

@@ -57,6 +57,7 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^ns\-cert\-type\s+server$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+3$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+20$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+none$/)}
   end
 
   context "setting all of the parameters" do
@@ -73,6 +74,7 @@
       'proto'                 => 'udp',
       'remote_host'           => 'somewhere',
       'resolv_retry'          => '2m',
+      'auth_retry'            => 'interact',
       'verb'                  => '1'
     } }
     let(:facts) { {
@@ -94,6 +96,7 @@
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^resolv-retry\s+2m$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^verb\s+1$/)}
     it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^mute\s+10$/)}
+    it { should contain_file('/etc/openvpn/test_server/download-configs/test_client/test_client.conf').with_content(/^auth-retry\s+interact$/)}
   end
 
 end

spec/defines/openvpn_server_spec.rb

@@ -294,6 +294,7 @@
       'email'         => 'testemail@example.org',
 
       'username_as_common_name' => true,
+      'client_cert_not_required' => true,
 
       'ldap_enabled'   => true,
       'ldap_server'    => 'ldaps://ldap.example.org:636',
@@ -334,6 +335,7 @@
 
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/test_server/auth/ldap.conf"$}) }
     it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^username-as-common-name$}) }
+    it { should contain_file('/etc/openvpn/test_server.conf').with_content(%r{^client-cert-not-required$}) }
 
   end
 

templates/client.erb

@@ -9,6 +9,7 @@ remote <%= scope.lookupvar('remote_host') %> <%= scope.lookupvar('port') %>
 <%= scope.lookupvar('compression') %>
 <% end -%>
 resolv-retry <%= scope.lookupvar('resolv_retry') %>
+auth-retry <%= scope.lookupvar('auth_retry') %>
 <% if scope.lookupvar('nobind') -%>
 nobind
 <% end -%>

templates/server.erb

@@ -93,3 +93,6 @@ username-as-common-name
 <% if scope.lookupvar('ldap_enabled') == true -%>
 plugin <%= scope.lookupvar('::openvpn::params::ldap_auth_plugin_location') %> "/etc/openvpn/<%= name %>/auth/ldap.conf"
 <% end -%>
+<% if scope.lookupvar('client_cert_not_required') -%>
+client-cert-not-required
+<% end -%>