diff --git a/manifests/config.pp b/manifests/config.pp
index 9c8849ce..bce39518 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -191,14 +191,6 @@
         }
       }
 
-      if $foreman::ipa_manage_sssd {
-        service { 'sssd':
-          ensure  => running,
-          enable  => true,
-          require => Package['sssd-dbus'],
-        }
-      }
-
       file { "/etc/pam.d/${foreman::pam_service}":
         ensure  => file,
         owner   => root,
@@ -246,6 +238,12 @@
           changes => $sssd_changes,
           notify  => Service['sssd'],
         }
+
+        service { 'sssd':
+          ensure  => running,
+          enable  => true,
+          require => Package['sssd-dbus'],
+        }
       }
 
       foreman::settings_fragment { 'authorize_login_delegation.yaml':
diff --git a/templates/apache_ipa_authentication.epp b/templates/apache_ipa_authentication.epp
index 30b84552..13189331 100644
--- a/templates/apache_ipa_authentication.epp
+++ b/templates/apache_ipa_authentication.epp
@@ -3,7 +3,7 @@
   Stdlib::Absolutepath $keytab,
   Boolean $gssapi_local_name,
   Boolean $ipa_authentication_api,
--%>
+|-%>
 
 <Location /users/login>
   InterceptFormPAMService <%= $pam_service %>
@@ -42,7 +42,7 @@
 
 <LocationMatch ^/api(/v2)?/users/extlogin/?$>
   SSLRequireSSL
-  <% if $ipa_authentication_api -%>
+  <% if $ipa_authentication_api { -%>
   <If "%{HTTP:Authorization} =~ /^Basic/">
     AuthType Basic
     AuthName "PAM Authentication"
@@ -56,12 +56,12 @@
     GssapiSSLonly On
     GssapiLocalName <%= apache::bool2httpd($gssapi_local_name) %>
   </Else>
-  <% else -%>
+  <% } else { -%>
   AuthType Basic
   AuthName "PAM Authentication"
   AuthBasicProvider PAM
   AuthPAMService <%= $pam_service %>
-  <% end -%>
+  <% } -%>
   require pam-account <%= $pam_service %>
   ErrorDocument 401 '{ "error": "External authentication did not pass." }'
   # The following is needed as a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1020087