From 1033bede3dc550375794101eb2749f38f565ffe4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 22 Oct 2018 16:09:57 +0200 Subject: [PATCH 01/13] add support for require ldap-group --- manifests/apache/conf.pp | 12 +++++++++++- manifests/apache/vhost.pp | 10 ++++++++++ templates/apache/conf.erb | 7 +++++++ templates/apache/ldap.erb | 8 ++++++++ 4 files changed, 36 insertions(+), 1 deletion(-) diff --git a/manifests/apache/conf.pp b/manifests/apache/conf.pp index 2533abe4..8039d475 100644 --- a/manifests/apache/conf.pp +++ b/manifests/apache/conf.pp @@ -51,6 +51,14 @@ # (string) Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot bind with the credentials # No default ($::puppetboard::params::ldap_bind_authoritative) # +# [*ldap_require_group] +# (string) LDAP group to require on login +# No default ($::puppetboard::params::ldap_require_group) +# +# [*ldap_group_attribute] +# (string) LDAP group attribute for LDAP group +# No default ($::puppetboard::params::ldap_group_attribute) +# # === Notes: # # Make sure you have purge_configs set to false in your apache class! @@ -69,7 +77,9 @@ Optional[String] $ldap_bind_dn = undef, Optional[String] $ldap_bind_password = undef, Optional[String] $ldap_url = undef, - Optional[String] $ldap_bind_authoritative = undef + Optional[String] $ldap_bind_authoritative = undef, + Optional[String] $ldap_require_group = undef, + Optional[String] $ldap_group_attribute = undef, ) inherits ::puppetboard::params { $docroot = "${basedir}/puppetboard" diff --git a/manifests/apache/vhost.pp b/manifests/apache/vhost.pp index 2a73ac19..dbf23190 100644 --- a/manifests/apache/vhost.pp +++ b/manifests/apache/vhost.pp 
@@ -71,6 +71,14 @@ # (string) Determines if other authentication providers are used # when a user can be mapped to a DN but the server cannot bind with the credentials # No default ($::puppetboard::params::ldap_bind_authoritative) +# +# [*ldap_require_group] +# (string) LDAP group to require on login +# No default ($::puppetboard::params::ldap_require_group) +# +# [*ldap_group_attribute] +# (string) LDAP group attribute for LDAP group +# No default ($::puppetboard::params::ldap_group_attribute) class puppetboard::apache::vhost ( String $vhost_name, String $wsgi_alias = '/', @@ -88,6 +96,8 @@ Optional[String] $ldap_bind_password = undef, Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, + Optional[String] $ldap_require_group = undef, + Optional[String] $ldap_group_attribute = undef, Hash $custom_apache_parameters = {}, ) inherits ::puppetboard::params { diff --git a/templates/apache/conf.erb b/templates/apache/conf.erb index 69a2f90a..792ffb43 100644 --- a/templates/apache/conf.erb +++ b/templates/apache/conf.erb @@ -32,6 +32,13 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py <%- if @ldap_bind_authoritative -%> AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%> <%- end -%> + <% if @ldap_require_group != false %> + <% if @ldap_group_attribute %> + AuthLDAPGroupAttribute <%= @ldap_group_attribute -%> + <% end %> + Require ldap-group <%= @ldap_require_group -%> + <% else %> Require valid-user + <% end %> <% end -%> diff --git a/templates/apache/ldap.erb b/templates/apache/ldap.erb index 9d07be17..948f7d51 100644 --- a/templates/apache/ldap.erb +++ b/templates/apache/ldap.erb 
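Review bot: The guard `<% if @ldap_require_group != false %>` added to templates/apache/conf.erb is also true when the parameter is left at its `undef` default, since an unset value is not equal to `false`. Existing LDAP setups that never set the option would then get `Require ldap-group` with an empty argument instead of `Require valid-user`. Test truthiness instead, `<%- if @ldap_require_group -%>`, and use the trimming tags (`<%-` / `-%>`) that the surrounding lines already use so the block does not leave blank lines in the rendered file. The same block is added to templates/apache/ldap.erb in the next hunk.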
@@ -17,5 +17,13 @@ <%- if @ldap_bind_authoritative -%> AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%> <%- end -%> + <% if @ldap_require_group != false %> + <% if @ldap_group_attribute %> + AuthLDAPGroupAttribute <%= @ldap_group_attribute -%> + <% end %> + Require ldap-group <%= @ldap_require_group -%> + <% else %> Require valid-user + <% end %> + From 3408cc3b66990cf892230b6b88a49f306f90ca5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 13:41:00 +0100 Subject: [PATCH 02/13] add tests for require ldap-group --- spec/acceptance/class_spec.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index cf1ed9ec..4f3fefce 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -126,6 +126,8 @@ class { 'puppetboard::apache::conf': ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com', ldap_bind_password => 'password', ldap_url => 'ldap://puppet.example.com', + ldap_require_group => true, + ldap_group_attribute => 'cn=admins=cn=groups,dc=puppet,dc=example,dc=com', } EOS @@ -138,6 +140,8 @@ class { 'puppetboard::apache::conf': it { is_expected.to contain 'AuthBasicProvider ldap' } it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' } + it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } + it { is_expected.to contain 'Require ldap-group "cn=admins=cn=groups,dc=puppet,dc=example,dc=com"' } end describe file('/srv/puppetboard/puppetboard/settings.py') do it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" } From 003f649b85ee059cdc813e44ba3740fad6a54191 Mon Sep 17 00:00:00 2001 
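Review bot: In the spec manifest, `ldap_require_group => true` passes a Boolean to a parameter that patch 01 declares as `Optional[String]`, so the catalog should fail type checking before any file is rendered. The group DN is supplied through `ldap_group_attribute`, which the template emits as `AuthLDAPGroupAttribute`, yet the expectation in the second hunk looks for that DN after `Require ldap-group` and in quotes, which the template at this point never produces. The DN literal `cn=admins=cn=groups,...` also looks like a typo for `cn=admins,cn=groups,...`. Pass the DN in the parameter that feeds `Require ldap-group` and assert on the text the template really renders.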
From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 13:51:23 +0100 Subject: [PATCH 03/13] remove AuthLDAPBindDN repeat --- spec/acceptance/class_spec.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 4f3fefce..45effdff 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -140,8 +140,7 @@ class { 'puppetboard::apache::conf': it { is_expected.to contain 'AuthBasicProvider ldap' } it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' } - it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } - it { is_expected.to contain 'Require ldap-group "cn=admins=cn=groups,dc=puppet,dc=example,dc=com"' } + it { is_expected.to contain 'Require ldap-group "cn=admins=cn=groups,dc=puppet,dc=example,dc=com"' } end describe file('/srv/puppetboard/puppetboard/settings.py') do it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" } From a97f7d591a219b9f30093cd5a21e44642805a915 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 13:54:29 +0100 Subject: [PATCH 04/13] replace tabs with spaces --- spec/acceptance/class_spec.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 45effdff..3ad93605 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb 
@@ -126,8 +126,8 @@ class { 'puppetboard::apache::conf': ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com', ldap_bind_password => 'password', ldap_url => 'ldap://puppet.example.com', - ldap_require_group => true, - ldap_group_attribute => 'cn=admins=cn=groups,dc=puppet,dc=example,dc=com', + ldap_require_group => true, + ldap_group_attribute => 'cn=admins=cn=groups,dc=puppet,dc=example,dc=com', } EOS @@ -140,7 +140,7 @@ class { 'puppetboard::apache::conf': it { is_expected.to contain 'AuthBasicProvider ldap' } it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' } - it { is_expected.to contain 'Require ldap-group "cn=admins=cn=groups,dc=puppet,dc=example,dc=com"' } + it { is_expected.to contain 'Require ldap-group "cn=admins=cn=groups,dc=puppet,dc=example,dc=com"' } end describe file('/srv/puppetboard/puppetboard/settings.py') do it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" } From a684660d7fef299fad3d7d11add91a563e2ea186 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 14:21:39 +0100 Subject: [PATCH 05/13] ldap_require_group should be boolean --- manifests/apache/conf.pp | 5 +++-- manifests/apache/vhost.pp | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/manifests/apache/conf.pp b/manifests/apache/conf.pp index 8039d475..e8f2fd41 100644 --- a/manifests/apache/conf.pp +++ b/manifests/apache/conf.pp @@ -52,8 +52,8 @@ # No default ($::puppetboard::params::ldap_bind_authoritative) # # [*ldap_require_group] -# (string) LDAP group to require on login -# No default ($::puppetboard::params::ldap_require_group) +# (bool) LDAP group to require on login +# Default to False ($::puppetboard::params::ldap_require_group) # # [*ldap_group_attribute] # (string) LDAP group attribute for LDAP group 
@@ -79,6 +79,7 @@ Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, Optional[String] $ldap_require_group = undef, + Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, Optional[String] $ldap_group_attribute = undef, ) inherits ::puppetboard::params { diff --git a/manifests/apache/vhost.pp b/manifests/apache/vhost.pp index dbf23190..7c55aeef 100644 --- a/manifests/apache/vhost.pp +++ b/manifests/apache/vhost.pp @@ -73,8 +73,8 @@ # No default ($::puppetboard::params::ldap_bind_authoritative) # # [*ldap_require_group] -# (string) LDAP group to require on login -# No default ($::puppetboard::params::ldap_require_group) +# (bool) LDAP group to require on login +# Default to False ($::puppetboard::params::ldap_require_group) # # [*ldap_group_attribute] # (string) LDAP group attribute for LDAP group @@ -97,6 +97,7 @@ Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, Optional[String] $ldap_require_group = undef, + Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, Optional[String] $ldap_group_attribute = undef, Hash $custom_apache_parameters = {}, ) inherits ::puppetboard::params { From eaf8f18c8e5fe6b420246a14e801b7f597e23abc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 14:22:03 +0100 Subject: [PATCH 06/13] set ldap_require_group default to false --- manifests/params.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/params.pp b/manifests/params.pp index cee39cd0..c8386d97 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -59,4 +59,5 @@ $default_environment = 'production' $extra_settings = {} $enable_ldap_auth = false + $ldap_require_group = false } From 947a3a205c844335c655948ce0a8fa0184afa0c5 Mon Sep 17 00:00:00 2001 
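Review bot: After this hunk `$ldap_require_group` appears twice in the parameter list of `puppetboard::apache::conf`, once as `Optional[String]` and once as `Boolean`; Puppet should reject the duplicate, so the added line needs to replace the old one instead of sitting beside it. The vhost.pp hunk `@@ -97,6 +97,7 @@` has the same duplicate. The header text "(bool) LDAP group to require on login" still describes a group name; for a switch, something like `# (bool) Require membership of an LDAP group in addition to a valid login` says what it does. The parameter list starts outside the hunk.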
From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 14:27:58 +0100 Subject: [PATCH 07/13] remove duplicate ldap_require_group declaration --- manifests/apache/conf.pp | 1 - manifests/apache/vhost.pp | 1 - 2 files changed, 2 deletions(-) diff --git a/manifests/apache/conf.pp b/manifests/apache/conf.pp index e8f2fd41..46694e0a 100644 --- a/manifests/apache/conf.pp +++ b/manifests/apache/conf.pp @@ -78,7 +78,6 @@ Optional[String] $ldap_bind_password = undef, Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, - Optional[String] $ldap_require_group = undef, Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, Optional[String] $ldap_group_attribute = undef, ) inherits ::puppetboard::params { diff --git a/manifests/apache/vhost.pp b/manifests/apache/vhost.pp index 7c55aeef..89ff6a02 100644 --- a/manifests/apache/vhost.pp +++ b/manifests/apache/vhost.pp @@ -96,7 +96,6 @@ Optional[String] $ldap_bind_password = undef, Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, - Optional[String] $ldap_require_group = undef, Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, Optional[String] $ldap_group_attribute = undef, Hash $custom_apache_parameters = {}, From 9fd0092eb695636d239c5cae452345ee1277204a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 14:47:43 +0100 Subject: [PATCH 08/13] fix templates --- templates/apache/conf.erb | 8 ++++---- templates/apache/ldap.erb | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/apache/conf.erb b/templates/apache/conf.erb index 792ffb43..a6c78c11 100644 --- a/templates/apache/conf.erb +++ b/templates/apache/conf.erb 
@@ -32,11 +32,11 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py <%- if @ldap_bind_authoritative -%> AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%> <%- end -%> - <% if @ldap_require_group != false %> - <% if @ldap_group_attribute %> - AuthLDAPGroupAttribute <%= @ldap_group_attribute -%> + <% if @ldap_require_group -%> + <% if @ldap_group_attribute -%> + AuthLDAPGroupAttribute "<%= @ldap_group_attribute -%>" <% end %> - Require ldap-group <%= @ldap_require_group -%> + Require ldap-group "<%= @ldap_require_group -%>" <% else %> Require valid-user <% end %> diff --git a/templates/apache/ldap.erb b/templates/apache/ldap.erb index 948f7d51..645f7331 100644 --- a/templates/apache/ldap.erb +++ b/templates/apache/ldap.erb @@ -17,11 +17,11 @@ <%- if @ldap_bind_authoritative -%> AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%> <%- end -%> - <% if @ldap_require_group != false %> - <% if @ldap_group_attribute %> - AuthLDAPGroupAttribute <%= @ldap_group_attribute -%> + <% if @ldap_require_group -%> + <% if @ldap_group_attribute -%> + AuthLDAPGroupAttribute "<%= @ldap_group_attribute -%>" <% end %> - Require ldap-group <%= @ldap_require_group -%> + Require ldap-group "<%= @ldap_require_group -%>" <% else %> Require valid-user <% end %> From 4969327c017892bfd0c0b0c81ff9114664a00fd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 15:05:11 +0100 Subject: [PATCH 09/13] AuthLDAPGroupAttribute is not needed & set correctly ldap_require_group_dn --- templates/apache/conf.erb | 5 +---- templates/apache/ldap.erb | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/templates/apache/conf.erb b/templates/apache/conf.erb index a6c78c11..427f1431 100644 --- a/templates/apache/conf.erb +++ b/templates/apache/conf.erb 
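Review bot: `Require ldap-group "<%= @ldap_require_group -%>"` interpolates the parameter that patch 05 turned into a Boolean, so enabling the option renders `Require ldap-group "true"`, which presumably matches no group and denies every user. The directive needs its own string parameter holding the group DN. The newly added quotes deserve a check as well: as far as I recall, the mod_authnz_ldap documentation asks for the group name without surrounding quotes, so confirm the behaviour on the Apache versions this module supports. The ldap.erb hunk carries the same lines.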
@@ -33,10 +33,7 @@ WSGIScriptAlias <%= @wsgi_alias -%> <%= @docroot -%>/wsgi.py AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%> <%- end -%> <% if @ldap_require_group -%> - <% if @ldap_group_attribute -%> - AuthLDAPGroupAttribute "<%= @ldap_group_attribute -%>" - <% end %> - Require ldap-group "<%= @ldap_require_group -%>" + Require ldap-group "<%= @ldap_require_group_dn -%>" <% else %> Require valid-user <% end %> diff --git a/templates/apache/ldap.erb b/templates/apache/ldap.erb index 645f7331..7c8ed22b 100644 --- a/templates/apache/ldap.erb +++ b/templates/apache/ldap.erb @@ -18,10 +18,7 @@ AuthLDAPBindAuthoritative <%= @ldap_bind_authoritative -%> <%- end -%> <% if @ldap_require_group -%> - <% if @ldap_group_attribute -%> - AuthLDAPGroupAttribute "<%= @ldap_group_attribute -%>" - <% end %> - Require ldap-group "<%= @ldap_require_group -%>" + Require ldap-group "<%= ldap_require_group_dn -%>" <% else %> Require valid-user <% end %> From f6ec045e3c2f74946383037f03e8856195175d14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 15:07:09 +0100 Subject: [PATCH 10/13] remove and decalare --- manifests/apache/conf.pp | 8 ++++---- manifests/apache/vhost.pp | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/apache/conf.pp b/manifests/apache/conf.pp index 46694e0a..6a043641 100644 --- a/manifests/apache/conf.pp +++ b/manifests/apache/conf.pp @@ -55,9 +55,9 @@ # (bool) LDAP group to require on login # Default to False ($::puppetboard::params::ldap_require_group) # -# [*ldap_group_attribute] -# (string) LDAP group attribute for LDAP group -# No default ($::puppetboard::params::ldap_group_attribute) +# [*$ldap_require_group_dn] +# (string) LDAP group DN for LDAP group +# No default # # === Notes: # 
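Review bot: In templates/apache/ldap.erb the new line reads `<%= ldap_require_group_dn -%>` without the `@`, while conf.erb in the same commit uses `@ldap_require_group_dn`. Without the sigil ERB resolves the name as a local variable or method call, not as the class parameter, which on current Puppet versions should fail template evaluation (older releases fell back to a deprecated scope lookup). Change it to `Require ldap-group "<%= @ldap_require_group_dn -%>"`. The acceptance specs on this page only apply `puppetboard::apache::conf`, so if ldap.erb is the vhost fragment, as its name suggests, nothing visible here would catch the error.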
@@ -79,7 +79,7 @@ Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, - Optional[String] $ldap_group_attribute = undef, + Optional[String] $ldap_require_group_dn = undef, ) inherits ::puppetboard::params { $docroot = "${basedir}/puppetboard" diff --git a/manifests/apache/vhost.pp b/manifests/apache/vhost.pp index 89ff6a02..1960b291 100644 --- a/manifests/apache/vhost.pp +++ b/manifests/apache/vhost.pp @@ -76,9 +76,9 @@ # (bool) LDAP group to require on login # Default to False ($::puppetboard::params::ldap_require_group) # -# [*ldap_group_attribute] -# (string) LDAP group attribute for LDAP group -# No default ($::puppetboard::params::ldap_group_attribute) +# [*$ldap_require_group_dn] +# (string) LDAP group DN for LDAP group +# No default class puppetboard::apache::vhost ( String $vhost_name, String $wsgi_alias = '/', @@ -97,7 +97,7 @@ Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, - Optional[String] $ldap_group_attribute = undef, + Optional[String] $ldap_require_group_dn = undef, Hash $custom_apache_parameters = {}, ) inherits ::puppetboard::params { From 5221e39a9dd5b271c93d46d31069924fe0b9812c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20WENSKE?= Date: Mon, 29 Oct 2018 15:19:26 +0100 Subject: [PATCH 11/13] fix tests --- spec/acceptance/class_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index 3ad93605..ad1ea142 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb 
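Review bot: `$ldap_require_group_dn` is `Optional[String]` with an `undef` default, and nothing in the visible hunks prevents `ldap_require_group => true` without it, in which case the templates render `Require ldap-group ""`. Reject that combination in the class body of both conf.pp and vhost.pp, for example `if $ldap_require_group and !$ldap_require_group_dn { fail('ldap_require_group_dn must be set when ldap_require_group is true') }`. The header entries are written `[*$ldap_require_group_dn]`; the neighbouring entries carry no `$`, so `[*ldap_require_group_dn]` would match them. The class bodies lie outside these hunks.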
@@ -127,7 +127,7 @@ class { 'puppetboard::apache::conf': ldap_bind_password => 'password', ldap_url => 'ldap://puppet.example.com', ldap_require_group => true, - ldap_group_attribute => 'cn=admins=cn=groups,dc=puppet,dc=example,dc=com', + ldap_require_group_dn => 'cn=admins,=cn=groups,dc=puppet,dc=example,dc=com', } EOS @@ -140,7 +140,7 @@ class { 'puppetboard::apache::conf': it { is_expected.to contain 'AuthBasicProvider ldap' } it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' } - it { is_expected.to contain 'Require ldap-group "cn=admins=cn=groups,dc=puppet,dc=example,dc=com"' } + it { is_expected.to contain 'Require ldap-group "cn=admins,=cn=groups,dc=puppet,dc=example,dc=com"' } end describe file('/srv/puppetboard/puppetboard/settings.py') do it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" } From 3f6b7448c5047fa5fc78c3a432458f6e13fdc422 Mon Sep 17 00:00:00 2001 From: swenske Date: Wed, 12 Dec 2018 14:35:44 +0100 Subject: [PATCH 12/13] leave the existing context, and add a new one, testing this specifically --- spec/acceptance/class_spec.rb | 42 +++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index ad1ea142..41aa3c70 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb 
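Review bot: The fixture DN `cn=admins,=cn=groups,dc=puppet,dc=example,dc=com` is still not well-formed, because its second RDN begins with `=`. The spec passes only because it compares rendered text, and the value is likely to be copied into real configurations as an example. Use `cn=admins,cn=groups,dc=puppet,dc=example,dc=com` in both the manifest line and the `Require ldap-group` expectation in the second hunk.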
@@ -104,6 +104,48 @@ class { 'puppetboard': end context 'LDAP auth' do + it 'works with no errors' do + pp = <<-EOS + if $facts['os']['family'] == 'RedHat' { + include epel + } + # Configure Apache on this server + class { 'apache': } + class { 'apache::mod::wsgi': } + class { 'apache::mod::authnz_ldap': } + -> class { 'puppetboard': + manage_virtualenv => true, + puppetdb_host => 'puppet.example.com', + puppetdb_port => 8081, + puppetdb_key => "/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem", + puppetdb_ssl_verify => true, + puppetdb_cert => "/var/lib/puppet/ssl/certs/test.networkninjas.net.pem", + } + class { 'puppetboard::apache::conf': + enable_ldap_auth => true, + ldap_bind_dn => 'cn=user,dc=puppet,dc=example,dc=com', + ldap_bind_password => 'password', + ldap_url => 'ldap://puppet.example.com', + } + EOS + + # Run it twice and test for idempotency + apply_manifest(pp, catch_failures: true) + apply_manifest(pp, catch_failures: true) + end + + describe file(apache_conf_file) do + it { is_expected.to contain 'AuthBasicProvider ldap' } + it { is_expected.to contain 'AuthLDAPBindDN "cn=user,dc=puppet,dc=example,dc=com"' } + it { is_expected.to contain 'AuthLDAPURL "ldap://puppet.example.com"' } + end + describe file('/srv/puppetboard/puppetboard/settings.py') do + it { is_expected.to contain "PUPPETDB_KEY = '/var/lib/puppet/ssl/private_keys/test.networkninjas.net.pem'" } + it { is_expected.to contain "PUPPETDB_CERT = '/var/lib/puppet/ssl/certs/test.networkninjas.net.pem'" } + end + end + + context 'AUTH ldap-group' do it 'works with no errors' do pp = <<-EOS if $facts['os']['family'] == 'RedHat' { From c18563acc149b47ef4e1619c87a3a74c62c0c378 Mon Sep 17 00:00:00 2001 From: swenske Date: Wed, 12 Dec 2018 14:37:37 +0100 Subject: [PATCH 13/13] the leading colons are not needed here anymore --- manifests/apache/conf.pp | 10 +++++----- manifests/apache/vhost.pp | 12 ++++++------ 2 files changed, 11 insertions(+), 11 deletions(-) 
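Review bot: The restored 'LDAP auth' context checks the bind settings but never asserts which `Require` line is rendered when `ldap_require_group` is left off. A regression that drops `Require valid-user`, or emits an empty `Require ldap-group`, would go unnoticed. Add `it { is_expected.to contain 'Require valid-user' }` and `it { is_expected.not_to contain 'Require ldap-group' }` to the `describe file(apache_conf_file)` block. The 'AUTH ldap-group' context opened at the end of the hunk continues outside it.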
diff --git a/manifests/apache/conf.pp b/manifests/apache/conf.pp index 6a043641..ad353b84 100644 --- a/manifests/apache/conf.pp +++ b/manifests/apache/conf.pp @@ -70,15 +70,15 @@ String $wsgi_alias = '/puppetboard', Integer $threads = 5, Integer $max_reqs = 0, - String $user = $::puppetboard::params::user, - String $group = $::puppetboard::params::group, - Stdlib::AbsolutePath $basedir = $::puppetboard::params::basedir, - Boolean $enable_ldap_auth = $::puppetboard::params::enable_ldap_auth, + String $user = $puppetboard::params::user, + String $group = $puppetboard::params::group, + Stdlib::AbsolutePath $basedir = $puppetboard::params::basedir, + Boolean $enable_ldap_auth = $puppetboard::params::enable_ldap_auth, Optional[String] $ldap_bind_dn = undef, Optional[String] $ldap_bind_password = undef, Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, - Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, + Boolean $ldap_require_group = $puppetboard::params::ldap_require_group, Optional[String] $ldap_require_group_dn = undef, ) inherits ::puppetboard::params { diff --git a/manifests/apache/vhost.pp b/manifests/apache/vhost.pp index 1960b291..4ba2b2bb 100644 --- a/manifests/apache/vhost.pp +++ b/manifests/apache/vhost.pp 
@@ -87,16 +87,16 @@ Optional[Stdlib::AbsolutePath] $ssl_cert = undef, Optional[Stdlib::AbsolutePath] $ssl_key = undef, Integer $threads = 5, - String $user = $::puppetboard::params::user, - String $group = $::puppetboard::params::group, - Stdlib::AbsolutePath $basedir = $::puppetboard::params::basedir, - String $override = $::puppetboard::params::apache_override, - Boolean $enable_ldap_auth = $::puppetboard::params::enable_ldap_auth, + String $user = $puppetboard::params::user, + String $group = $puppetboard::params::group, + Stdlib::AbsolutePath $basedir = $puppetboard::params::basedir, + String $override = $puppetboard::params::apache_override, + Boolean $enable_ldap_auth = $puppetboard::params::enable_ldap_auth, Optional[String] $ldap_bind_dn = undef, Optional[String] $ldap_bind_password = undef, Optional[String] $ldap_url = undef, Optional[String] $ldap_bind_authoritative = undef, - Boolean $ldap_require_group = $::puppetboard::params::ldap_require_group, + Boolean $ldap_require_group = $puppetboard::params::ldap_require_group, Optional[String] $ldap_require_group_dn = undef, Hash $custom_apache_parameters = {}, ) inherits ::puppetboard::params {