diff --git a/manifests/apache.pp b/manifests/apache.pp
index 52b1548..b3c60f0 100644
--- a/manifests/apache.pp
+++ b/manifests/apache.pp
@@ -10,6 +10,21 @@ class etherpad_lite::apache (
$ssl_key_file = '',
$ssl_key_file_contents = '', # If left empty puppet will not create file.
$vhost_name = $::fqdn,
+ # Table containing openid auth details. If undef not enabled
+ # Example dict:
+ # {
+ # banner => "Welcome",
+ # singleIdp => "https://openstackid.org",
+ # trusted => '^https://openstackid.org/.*$',
+ # any_valid_user => false,
+ # users => ['https://openstackid.org/foo',
+ # 'https://openstackid.org/bar'],
+ # }
+ # Note that if you care which users get access set any_valid_user to false
+ # and then provide an explicit list of openids in the users list. Otherwise
+ # set any_valid_user to true and any successfully authenticated user will
+ # get access.
+ $auth_openid = undef,
) {
package { 'ssl-cert':
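Review bot: The parameter comment at lines 19-22 does not state what happens when `any_valid_user` is false and `users` is empty; the vhost template in this same commit then emits `AuthType OpenID` with no `Require` directive at all, and Apache does not normally treat a missing `Require` as a deny, so the location would look configured but be unprotected (worth confirming against the httpd version in use). Add to the comment: `# If any_valid_user is false and users is empty no Require directive is emitted and the vhost is NOT protected; always list at least one openid.` A `fail()` in the class body when both are unset would turn this silent misconfiguration into a catalog error; the class body continues in the next hunk.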
@@ -40,6 +55,19 @@ class etherpad_lite::apache (
ensure => present,
}
}
+ if ($auth_openid != undef) {
+ if !defined(Package['libapache2-mod-auth-openid']) {
+ package { 'libapache2-mod-auth-openid':
+ ensure => present,
+ }
+ }
+ if !defined(Mod['auth_openid']) {
+ httpd::mod { 'auth_openid':
+ ensure => present,
+ require => Package['libapache2-mod-auth-openid'],
+ }
+ }
+ }
file { '/etc/apache2':
ensure => directory,
diff --git a/templates/etherpadlite.vhost.erb b/templates/etherpadlite.vhost.erb
index c579e43..e20fe09 100644
--- a/templates/etherpadlite.vhost.erb
+++ b/templates/etherpadlite.vhost.erb
@@ -38,6 +38,26 @@
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+ <% if @auth_openid != nil %>
+
+ AuthType OpenID
+ AuthName "<%= @auth_openid['banner'] %>"
+ AuthOpenIDSecureCookie On
+ AuthOpenIDCookieLifespan 3600
+ AuthOpenIDTrustRoot <%= @vhost_name %>
+ AuthOpenIDServerName <%= @vhost_name %>
+ AuthOpenIDSingleIdP <%= @auth_openid['singleIdp'] %>
+ AuthOpenIDTrusted <%= @auth_openid['trusted'] %>
+ <% if @auth_openid['any_valid_user'] %>
+ Require valid-user
+ <% elsif !@auth_openid['users'].empty? %>
+ <% @auth_openid['users'].each do |user| -%>
+ Require user <%= user %>
+ <% end -%>
+ <% end %>
+
+ <% end %>
+
# The following redirects "nice" urls such as https://etherpad.example.org/padname
# to https://etherpad.example.org/p/padname. It was problematic directly