Added in basic auth and no-negotiate options

[btoneill]

Two big options for GSSAPI were not in the module, added them in.

[puppet-community-rangefinder]

apache::vhost is a type

that may have no external impact to Forge modules.

This module is declared in 172 of 578 indexed public Puppetfiles.

---

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

[david22swan]

@btoneill This change look's interesting, but in order to get it merged we would need some additional documentation and test coverage.

[raybellis]

Please do merge this - some of the other GSSAPI module's options would also be useful (e.g. `GssapiUseSessions')

[github-actions]

This PR has been marked as stale because it has been open for a while and has had no recent activity. If this PR is still important to you please drop a comment below and we will add this to our backlog to complete. Otherwise, it will be closed in 7 days.

[raybellis]

We still need this, and other GSSAPI options. At the moment I'm having to include the following as custom configs on our servers:

  $custom_gssapi = '
    GssapiBasicAuth On
    GssapiUseSessions On
    Session On
    SessionCookieName ovirt_gssapi_session path=/;httponly;secure
    AuthDBMGroupFile /etc/http.groups
    AuthzDBMType default
    BrowserMatch Windows gssapi-no-negotiate
'

[LukasAud]

Hi @raybellis, sorry for the delay in feedback. We will be moving this back to active PRs and, hopefully, someone on our team can look at this soon.

Meanwhile, as per @david22swan request, could you give us a bit more context on this change? What behaviour are these options responsible for? Are these common options or something more on the specialised area of apache? Any information you can provide will help us make a decision faster. Thank you for your patience.

[raybellis]

These options (except for the two Auth* ones) are likely to be wanted by anyone using Kerberos via Basic Authentication, as opposed to requiring that the client browser pass a Kerberos ticket via GSSAPI.

[david22swan]

@btoneill Hey, sorry for the wait on review.

Anyway while the changes look good to me, aside from one small error I have noted, we would need some additional tests added in order to cover the new variables, the relevant test file being linked below:

• https://github.com/puppetlabs/puppetlabs-apache/blob/main/spec/defines/vhost_spec.rb

In addition while reviewing other apache PRs I found 3 others adding similar functionality to this one, one of which adds basicauth and has been merged in, i.e.:

• mod_auth_gssapi: Add support for GssapiBasicAuth. #2212

Another that adds negotiate_once and has not yet been merged:

• mod_auth_gssapi: Add support for every configuration directive #2214

And a third that adds another 3 variables:

• Allow additional settings for GSSAPI in Vhost #2215

This is just a head's up so that you know to rebase your work and are aware that it may be fulfilled by another PR, depending on if it get's in a merge ready state before your own.

[david22swan]

Small error, but should this not be:

GssapiNegotiateOnce <%= $negotiateonce %>

[david22swan]

@btoneill Hey, sorry but gonna close this PR as another has been merged in that adds the same functionality:
#2214
Thanks for putting in the work though and I hope to see more from you in the future.