Fixes #32947 - Use Apache module variables

manifests/config.pp

@@ -153,14 +153,16 @@
         content => template('foreman/pam_service.erb'),
       }
 
+      $http_keytab = pick($foreman::http_keytab, "${apache::conf_dir}/http.keytab")
+
       exec { 'ipa-getkeytab':
         command => "/bin/echo Get keytab \
           && KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \
-          && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['foreman_ipa']['default_server']} -k ${foreman::http_keytab} -p HTTP/${facts['networking']['fqdn']} \
+          && KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['foreman_ipa']['default_server']} -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \
           && kdestroy -c KEYRING:session:get-http-service-keytab",
-        creates => $foreman::http_keytab,
+        creates => $http_keytab,
       }
-      -> file { $foreman::http_keytab:
+      -> file { $http_keytab:
         ensure => file,
         owner  => $apache::user,
         mode   => '0600',
@@ -183,7 +185,7 @@
         $sssd = $facts['foreman_sssd']
         $sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')
         $sssd_ldap_user_extra_attrs = join(unique(pick($sssd['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ')
-        $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + ['apache', 'root']), ', ')
+        $sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + [$apache::user, 'root']), ', ')
         $sssd_user_attributes = join(unique(pick($sssd['user_attributes'], []) + ['+email', '+firstname', '+lastname']), ', ')
 
         augeas { 'sssd-ifp-extra-attributes':

manifests/init.pp

@@ -133,7 +133,7 @@
 #
 # $oauth_consumer_secret::        OAuth consumer secret
 #
-# $http_keytab::                  Path to keytab to be used for Kerberos authentication on the WebUI
+# $http_keytab::                  Path to keytab to be used for Kerberos authentication on the WebUI. If left empty, it will be automatically determined.
 #
 # $pam_service::                  PAM service used for host-based access control in IPA
 #
@@ -257,7 +257,7 @@
   Optional[String] $initial_organization = $foreman::params::initial_organization,
   Optional[String] $initial_location = $foreman::params::initial_location,
   Boolean $ipa_authentication = $foreman::params::ipa_authentication,
-  Stdlib::Absolutepath $http_keytab = $foreman::params::http_keytab,
+  Optional[Stdlib::Absolutepath] $http_keytab = $foreman::params::http_keytab,
   String $pam_service = $foreman::params::pam_service,
   Boolean $ipa_manage_sssd = $foreman::params::ipa_manage_sssd,
   Boolean $websockets_encrypt = $foreman::params::websockets_encrypt,

manifests/params.pp

@@ -165,7 +165,7 @@
   $initial_location = undef
 
   $ipa_authentication = false
-  $http_keytab = '/etc/httpd/conf/http.keytab'
+  $http_keytab = undef
   $pam_service = 'foreman'
   $ipa_manage_sssd = true
 

spec/classes/foreman_config_ipa_spec.rb

@@ -2,10 +2,12 @@
 
 describe 'foreman' do
   on_supported_os.each do |os, facts|
-    context "on #{os}", if: facts[:osfamily] == 'RedHat' do
+    context "on #{os}" do
       let(:facts) { facts.merge(interfaces: '') }
       let(:params) { { ipa_authentication: true } }
 
+      keytab_path = facts[:osfamily] == 'RedHat' ? '/etc/httpd/conf/http.keytab' : '/etc/apache2/http.keytab'
+
       describe 'without apache' do
         let(:params) { super().merge(apache: false) }
         it { should raise_error(Puppet::Error, /External authentication via IPA can only be enabled when Apache is used/) }
@@ -50,7 +52,7 @@
             should contain_foreman__config__apache__fragment('lookup_identity')
 
             should contain_foreman__config__apache__fragment('auth_gssapi')
-              .with_ssl_content(%r{^\s*GssapiCredStore keytab:/etc/httpd/conf/http.keytab$})
+              .with_ssl_content(%r{^\s*GssapiCredStore keytab:#{keytab_path}$})
               .with_ssl_content(/^\s*require pam-account foreman$/)
           end
 

templates/auth_gssapi.conf.erb

@@ -3,7 +3,7 @@
   SSLRequireSSL
   AuthType GSSAPI
   AuthName "GSSAPI Single Sign On Login"
-  GssapiCredStore keytab:<%= scope.lookupvar('foreman::http_keytab') %>
+  GssapiCredStore keytab:<%= @http_keytab %>
   GssapiSSLonly On
   GssapiLocalName On
   # require valid-user