diff --git a/manifests/server.pp b/manifests/server.pp
index 61c17e62..052c21ec 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -175,8 +175,8 @@
 Boolean $ldap_tls_enable = false,
 String $ldap_tls_ca_cert_file = '',
 String $ldap_tls_ca_cert_dir = '',
- String $ldap_tls_client_cert_file = '',
- String $ldap_tls_client_key_file = '',
+ Optional[Stdlib::Absolutepath] $ldap_tls_client_cert_file = undef,
+ Optional[Stdlib::Absolutepath] $ldap_tls_client_key_file = undef,
 Integer $ca_expire = 3650,
 Integer $key_expire = 3650,
 String $key_cn = '',
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index 2d922887..9afcac9a 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
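Review bot: The two parameters retyped here, `ldap_tls_client_cert_file` and `ldap_tls_client_key_file`, are only usable as a pair, but the new `Optional[...] = undef` declarations accept one without the other and nothing in this hunk rejects that combination. A guard in the define's body (outside this hunk) would turn the misconfiguration into a compile-time failure instead of a half-written ldap.conf: `if ($ldap_tls_client_cert_file == undef) != ($ldap_tls_client_key_file == undef) { fail('ldap_tls_client_cert_file and ldap_tls_client_key_file must be set together') }`. Moving from `String = ''` to `Optional[Stdlib::Absolutepath]` also rejects the old empty-string sentinel, so a caller that passed `''` explicitly now fails type checking; the parameter documentation should say that the two must be given together and that `undef` (not `''`) disables them. The enclosing define starts and ends outside the hunk.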
@@ -233,6 +233,62 @@
 end
 end
 
+ case facts[:os]['family']
+ when 'Debian'
+ # ldap auth needs the ldap package and that is only defined for a few OSes (including debian)
+ context 'debian' do
+ context 'creating a server with ldap authentication enabled' do
+ let(:params) do
+ {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'ldap_enabled' => true,
+ 'ldap_binddn' => 'dn=foo,ou=foo,ou=com',
+ 'ldap_bindpass' => 'ldappass123',
+ 'ldap_tls_enable' => true,
+ 'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem',
+ 'ldap_tls_ca_cert_dir' => '/etc/ldap/certs'
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable\s+yes$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').without_content(%r{^\s+TLSCertFile.*$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').without_content(%r{^\s+TLSKeyFile.*$}) }
+ end
+
+ context 'creating a server with ldap authentication enabled and using ldap client certificates' do
+ let(:params) do
+ {
+ 'country' => 'CO',
+ 'province' => 'ST',
+ 'city' => 'Some City',
+ 'organization' => 'example.org',
+ 'email' => 'testemail@example.org',
+ 'ldap_enabled' => true,
+ 'ldap_binddn' => 'dn=foo,ou=foo,ou=com',
+ 'ldap_bindpass' => 'ldappass123',
+ 'ldap_tls_enable' => true,
+ 'ldap_tls_ca_cert_file' => '/etc/ldap/ca.pem',
+ 'ldap_tls_ca_cert_dir' => '/etc/ldap/certs',
+ 'ldap_tls_client_cert_file' => '/etc/ldap/client-cert.pem',
+ 'ldap_tls_client_key_file' => '/etc/ldap/client-key.pem'
+ }
+ end
+
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSEnable\s+yes$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertFile\s+/etc/ldap/ca.pem$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCACertDir\s+/etc/ldap/certs$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSCertFile\s+/etc/ldap/client-cert.pem$}) }
+ it { is_expected.to contain_file('/etc/openvpn/test_server/auth/ldap.conf').with_content(%r{^\s+TLSKeyFile\s+/etc/ldap/client-key.pem$}) }
+ end
+ end
+ end
+
 context 'creating a server setting all parameters' do
 let(:params) do
 {
diff --git a/templates/ldap.erb b/templates/ldap.erb
index ef6ab7d2..e2690258 100644
--- a/templates/ldap.erb
+++ b/templates/ldap.erb
@@ -11,8 +11,10 @@
 TLSEnable yes
 TLSCACertFile <%= @ldap_tls_ca_cert_file %>
 TLSCACertDir <%= @ldap_tls_ca_cert_dir %>
+<% if @ldap_tls_client_cert_file or @ldap_tls_client_key_file -%>
 TLSCertFile <%= @ldap_tls_client_cert_file %>
 TLSKeyFile <%= @ldap_tls_client_key_file %>
+<% end -%>
 <% else %>
 TLSEnable no
 <% end -%>
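Review bot: The two new contexts under `case facts[:os]['family']` pin the no-client-certificate and both-set cases, but neither exercises a parameter set that supplies only one of `ldap_tls_client_cert_file` / `ldap_tls_client_key_file`, which is the input the template's new condition treats differently from both of these. A third context for that case, asserting whichever outcome the module settles on (a `compile.and_raise_error` if the manifest rejects it, or the exact rendered directives otherwise), would keep the contract visible here rather than only in the template. The `it` lines also repeat the same `contain_file('/etc/openvpn/test_server/auth/ldap.conf')` call ten times; a `subject` or `let(:ldap_conf)` would shorten them without changing what is asserted.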
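Review bot: The added `<% if @ldap_tls_client_cert_file or @ldap_tls_client_key_file -%>` opens the block for both directives when only one variable is set, so the rendered ldap.conf then contains `TLSCertFile ` or `TLSKeyFile ` with an empty path, which is a malformed client-auth setup rather than a clearly absent one. If the manifest is made to reject a lone cert or key, the matching condition here is `<% if @ldap_tls_client_cert_file && @ldap_tls_client_key_file -%>`; if it is not, guard each directive on its own variable so no directive is ever emitted with an empty value. `&&`/`||` are the usual spelling over `and`/`or` in ERB conditions. The spec hunk above covers the none-set and both-set cases but not the one-set case where this matters.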