From 463cffac6e5a0e8cf906fea71ebf5cbc9a31fed3 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 6 Oct 2015 14:00:28 +0100 Subject: [PATCH 01/40] Add parameter for module path which varies between FR2 and FR3 --- manifests/params.pp | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/manifests/params.pp b/manifests/params.pp index 42e44421..e70d5ef2 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -36,6 +36,13 @@ default => '/etc/raddb', } + # Default module path + $fr_modulepath = $::freeradius_version ? { + /^2\./ => "${fr_basepath}/modules", + /^3\./ => "${fr_basepath}/mods-enabled", + default => "${fr_basepath}/modules", + } + # Path for FreeRADIUS logs $fr_logpath = $::osfamily ? { 'RedHat' => '/var/log/radius', From 0850a53959ce97b1a97536ab2931ab0971ec826d Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 6 Oct 2015 14:08:08 +0100 Subject: [PATCH 02/40] Use $modulepath to place modules in the right directory on FR3 --- manifests/module.pp | 4 ++-- manifests/sql.pp | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/module.pp b/manifests/module.pp index 2eab90ec..821a70d5 100644 --- a/manifests/module.pp +++ b/manifests/module.pp @@ -6,10 +6,10 @@ ) { $fr_package = $::freeradius::params::fr_package $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath + $fr_modulepath = $::freeradius::params::fr_modulepath $fr_group = $::freeradius::params::fr_group - file { "${fr_basepath}/modules/${name}": + file { "${fr_modulepath}/${name}": ensure => $ensure, mode => '0640', owner => 'root', diff --git a/manifests/sql.pp b/manifests/sql.pp index 0232c3c3..7788c03d 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -76,7 +76,7 @@ } # Generate a module config, based on sql.conf - file { "${fr_basepath}/modules/${name}": + file { "${fr_modulepath}/${name}": ensure => $ensure, mode => '0640', owner => 'root', 
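Review bot: In the sql.pp hunk the new resource title `"${fr_modulepath}/${name}"` references a variable that is not assigned anywhere in sql.pp at this commit (module.pp reads it from `$::freeradius::params::fr_modulepath`, sql.pp still only reads `$fr_basepath`). Puppet's default `strict_variables = false` interpolates an unassigned variable as the empty string, so the file resource would be titled `/${name}` and write a root-owned `0640` module config into the filesystem root instead of the raddb tree. Adding `$fr_modulepath = $::freeradius::params::fr_modulepath` alongside the other parameter lookups at the top of `freeradius::sql` (or squashing this with the later commit that does so) keeps the series bisectable, and running with `strict_variables = true` would have caught this at compile time. The enclosing `freeradius::sql` define starts outside the hunk.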
From 459e98d1fe5f43fbb4bc14fe3dbbaf526d5fa8c2 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 6 Oct 2015 14:10:13 +0100 Subject: [PATCH 03/40] Fix path reference for logrotate --- manifests/sql.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index 7788c03d..9f0ce916 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -32,6 +32,7 @@ $fr_service = $::freeradius::params::fr_service $fr_basepath = $::freeradius::params::fr_basepath $fr_group = $::freeradius::params::fr_group + $fr_logpath = $::freeradius::params::fr_logpath # Validate our inputs # Validate multiple choice options @@ -102,7 +103,7 @@ # Install rotation for sqltrace if we are using it if ($sqltrace == 'yes') { logrotate::rule { 'sqltrace': - path => "{$freeradius::fr_logpath}/${sqltracefile}", + path => "${fr_logpath}/${sqltracefile}", rotate_every => 'week', rotate => 1, create => true, From a400089062bb44148fdd07113deacb3505f999c4 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 6 Oct 2015 14:11:10 +0100 Subject: [PATCH 04/40] Add fr_modulepath param --- manifests/sql.pp | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index 9f0ce916..e4b21e68 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -28,11 +28,12 @@ $port = '3306', $readclients = 'no', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath - $fr_group = $::freeradius::params::fr_group - $fr_logpath = $::freeradius::params::fr_logpath + $fr_package = $::freeradius::params::fr_package + $fr_service = $::freeradius::params::fr_service + $fr_basepath = $::freeradius::params::fr_basepath + $fr_modulepath = $::freeradius::params::fr_modulepath + $fr_group = $::freeradius::params::fr_group + $fr_logpath = $::freeradius::params::fr_logpath # Validate our inputs # Validate multiple choice options 
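Review bot: `$sqltracefile` is interpolated straight into the logrotate rule path `"${fr_logpath}/${sqltracefile}"`, and the visible "Validate our inputs" block does not show a check on it; a value containing `/`, whitespace or glob characters would let logrotate rotate (and `create`) files outside the FreeRADIUS log directory or break the generated rule. If the module already depends on puppetlabs-stdlib, a one-line guard next to the other validations would pin it to a bare filename: `validate_re($sqltracefile, '^[A-Za-z0-9._-]+$', 'sqltracefile must be a plain filename')`. The `freeradius::sql` define both starts and continues outside this hunk.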
From 2d8c0c3acd1b5e9b19dc157b3bf4c456196912ae Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 6 Oct 2015 15:09:42 +0100 Subject: [PATCH 05/40] Template name of SQL query file --- manifests/sql.pp | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index e4b21e68..583877ff 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -89,8 +89,13 @@ } # Install custom query file + $queryfile = $::freeradius_version ? { + /^2\./ => "${fr_basepath}/sql/${database}/dialup.conf", + /^3\./ => "${fr_basepath}/sql/queries.conf", + default => "${fr_basepath}/sql/queries.conf", + } if ($custom_query_file) { - file { "${fr_basepath}/sql/${database}/dialup.conf": + file { $queryfile: ensure => $ensure, mode => '0640', owner => 'root', From c4a3c468da702ff91d838e91832ff2346e5f3d52 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 7 Oct 2015 15:24:27 +0100 Subject: [PATCH 06/40] Update modulepath to use new variable --- templates/radiusd.conf.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb index 41b69486..7607f700 100644 --- a/templates/radiusd.conf.erb +++ b/templates/radiusd.conf.erb @@ -740,6 +740,7 @@ modules { # authenticate, accounting, pre/post-proxy, etc. # $INCLUDE ${confdir}/modules/ + $INCLUDE <%= @fr_modulepath %> # Extensible Authentication Protocol # From 6a8cba59fedfa665f9e051b932825972bfe1648c Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 7 Oct 2015 15:50:21 +0100 Subject: [PATCH 07/40] Remove accidentally duplicated line --- templates/radiusd.conf.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb index 7607f700..848218df 100644 --- a/templates/radiusd.conf.erb +++ b/templates/radiusd.conf.erb 
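Review bot: The 3.x branch of the `$queryfile` selector points at `${fr_basepath}/sql/queries.conf`, but stock FreeRADIUS 3.0 keeps driver query files under `${modconfdir}/sql/main/<driver>/queries.conf` (the 3.x radiusd.conf template added later in this series sets `modconfdir = ${confdir}/mods-config`), so unless the module's own sql.conf template overrides `filename`, a custom query file placed here is likely never read and the server silently keeps the packaged queries. The `default` branch also picks the 3.x path when `$::freeradius_version` is absent, which is the state of a first Puppet run before the package is installed; on a 2.x host that leaves `dialup.conf` untouched with no warning. At minimum a comment on the selector such as `# NOTE: default assumes 3.x; the fact is unset until radiusd is installed` would make the fallback explicit. The enclosing define starts outside the hunk.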
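Review bot: `$INCLUDE <%= @fr_modulepath %>` drops the trailing slash that the original `$INCLUDE ${confdir}/modules/` line carried. As far as I recall the FreeRADIUS config parser, a trailing `/` is what tells `$INCLUDE` to read every file in a directory; without it the path is treated as a single file, so including `/etc/raddb/modules` or `/etc/raddb/mods-enabled` would fail and no modules would be loaded (the 3.x template in this same series keeps the slash: `$INCLUDE mods-enabled/`). Suggested line: `$INCLUDE <%= @fr_modulepath %>/`, or make `fr_modulepath` itself carry the trailing slash and document that contract in params.pp. The `modules { }` section this sits in starts and ends outside the hunk.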
@@ -739,7 +739,6 @@ modules { # referenced in a processing section, such as authorize, # authenticate, accounting, pre/post-proxy, etc. # - $INCLUDE ${confdir}/modules/ $INCLUDE <%= @fr_modulepath %> # Extensible Authentication Protocol From f06133ea4e0c4ce75bc7bf7bf5c6af7ab51a52a0 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 7 Oct 2015 16:21:33 +0100 Subject: [PATCH 08/40] Add fact for FreeRADIUS major version --- lib/facter/freeradius_maj_version.rb | 9 +++++++++ templates/{radiusd.conf.erb => radiusd.conf.fr2.erb} | 0 2 files changed, 9 insertions(+) create mode 100644 lib/facter/freeradius_maj_version.rb rename templates/{radiusd.conf.erb => radiusd.conf.fr2.erb} (100%) diff --git a/lib/facter/freeradius_maj_version.rb b/lib/facter/freeradius_maj_version.rb new file mode 100644 index 00000000..9619ae30 --- /dev/null +++ b/lib/facter/freeradius_maj_version.rb @@ -0,0 +1,9 @@ +# Grab the FreeRADIUS version from the output of radiusd -v +if %x{which radiusd 2>/dev/null | wc -l}.chomp.to_i > 0 + Facter.add(:freeradius_maj_version) do + setcode do + Facter::Core::Execution.exec('radiusd -v').split(/\n/)[0].match(/FreeRADIUS Version (\d)\.\d\.\d/)[1] + end + end +end + diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.fr2.erb similarity index 100% rename from templates/radiusd.conf.erb rename to templates/radiusd.conf.fr2.erb From 7828887b8c97081261773613715258db4a346ad2 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 8 Oct 2015 11:04:53 +0100 Subject: [PATCH 09/40] Add template for FR3 --- manifests/init.pp | 2 +- templates/radiusd.conf.fr3.erb | 763 +++++++++++++++++++++++++++++++++ 2 files changed, 764 insertions(+), 1 deletion(-) create mode 100644 templates/radiusd.conf.fr3.erb diff --git a/manifests/init.pp b/manifests/init.pp index 3d60d2df..d57fedda 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
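Review bot: In `setcode`, `.match(/FreeRADIUS Version (\d)\.\d\.\d/)[1]` calls `[1]` on the result of `match`, which is `nil` whenever the first line of `radiusd -v` does not fit the pattern (different banner, a wrapper script, stderr-only output), so the fact raises `NoMethodError` instead of simply being absent. The presence check shells out through `%x{which radiusd 2>/dev/null | wc -l}` at file load time, outside the `Facter.add` block, where Facter's normal error handling and `confine` mechanism do not apply; `Facter::Core::Execution.which` does the same lookup without a shell pipeline. The single-digit `(\d)` capture is fine for 2.x/3.x but would silently truncate a two-digit major version, and Debian-family packages install the daemon as `freeradius`, in which case this fact never exists (hedged: depends on which platforms the module targets). A nil-safe version that stays within Facter's API:

```ruby
# Grab the FreeRADIUS major version from the first line of `radiusd -v`
Facter.add(:freeradius_maj_version) do
  confine { Facter::Core::Execution.which('radiusd') }
  setcode do
    banner = Facter::Core::Execution.exec('radiusd -v').to_s.lines.first.to_s
    m = banner.match(/FreeRADIUS Version (\d+)\./)
    m && m[1]   # nil (fact absent) rather than an exception when the banner is unexpected
  end
end
```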
@@ -21,7 +21,7 @@ mode => '0640', owner => 'root', group => $freeradius::fr_group, - content => template('freeradius/radiusd.conf.erb'), + content => template("freeradius/radiusd.conf.fr${::freeradius_maj_version}.erb"), require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], notify => Service[$freeradius::fr_service], } diff --git a/templates/radiusd.conf.fr3.erb b/templates/radiusd.conf.fr3.erb new file mode 100644 index 00000000..afae55ce --- /dev/null +++ b/templates/radiusd.conf.fr3.erb 
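Review bot: `template("freeradius/radiusd.conf.fr${::freeradius_maj_version}.erb")` selects a file on the Puppet master from a fact the agent reports. On a first run the fact is unset because facts are gathered before `Package[$freeradius::fr_package]` is installed (the `require` on this resource does not help at compile time), so the template name becomes `radiusd.conf.fr.erb` and the whole catalog fails to compile; and since agents can supply arbitrary external facts, the value should be whitelisted before it is used to choose a file to render. If the module already depends on puppetlabs-stdlib, one line before the resource does both: `validate_re("${::freeradius_maj_version}", '^[23]$', 'freeradius_maj_version fact is missing or unsupported; is FreeRADIUS installed?')`. The `file` resource and the enclosing `freeradius` class start outside this hunk.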
@@ -0,0 +1,763 @@ +# -*- text -*- +## +## radiusd.conf -- FreeRADIUS server configuration file - 3.0.4 +## +## http://www.freeradius.org/ +## $Id: 307ae108f579b9c339e6ba819387ff7ad8baff87 $ +## + +###################################################################### +# +# Read "man radiusd" before editing this file. See the section +# titled DEBUGGING. It outlines a method where you can quickly +# obtain the configuration you want, without running into +# trouble. +# +# Run the server in debugging mode, and READ the output. +# +# $ radiusd -X +# +# We cannot emphasize this point strongly enough. The vast +# majority of problems can be solved by carefully reading the +# debugging output, which includes warnings about common issues, +# and suggestions for how they may be fixed. +# +# There may be a lot of output, but look carefully for words like: +# "warning", "error", "reject", or "failure". The messages there +# will usually be enough to guide you to a solution. +# +# If you are going to ask a question on the mailing list, then +# explain what you are trying to do, and include the output from +# debugging mode (radiusd -X). Failure to do so means that all +# of the responses to your question will be people telling you +# to "post the output of radiusd -X". + +###################################################################### +# +# The location of other config files and logfiles are declared +# in this file. +# +# Also general configuration for modules can be done in this +# file, it is exported through the API to modules that ask for +# it. +# +# See "man radiusd.conf" for documentation on the format of this +# file. Note that the individual configuration items are NOT +# documented in that "man" page. They are only documented here, +# in the comments. +# +# The "unlang" policy language can be used to create complex +# if / else policies. See "man unlang" for details. 
+# + +prefix = /usr +exec_prefix = /usr +sysconfdir = /etc +localstatedir = /var +sbindir = /usr/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +modconfdir = ${confdir}/mods-config +certdir = ${confdir}/certs +cadir = ${confdir}/certs +run_dir = ${localstatedir}/run/${name} + +db_dir = ${localstatedir}/lib/radiusd + +# +# libdir: Where to find the rlm_* modules. +# +# This should be automatically set at configuration time. +# +# If the server builds and installs, but fails at execution time +# with an 'undefined symbol' error, then you can use the libdir +# directive to work around the problem. +# +# The cause is usually that a library has been installed on your +# system in a place where the dynamic linker CANNOT find it. When +# executing as root (or another user), your personal environment MAY +# be set up to allow the dynamic linker to find the library. When +# executing as a daemon, FreeRADIUS MAY NOT have the same +# personalized configuration. +# +# To work around the problem, find out which library contains that symbol, +# and add the directory containing that library to the end of 'libdir', +# with a colon separating the directory names. NO spaces are allowed. +# +# e.g. libdir = /usr/local/lib:/opt/package/lib +# +# You can also try setting the LD_LIBRARY_PATH environment variable +# in a script which starts the server. +# +# If that does not work, then you can re-configure and re-build the +# server to NOT use shared libraries, via: +# +# ./configure --disable-shared +# make +# make install +# +libdir = /usr/lib64/freeradius + +# pidfile: Where to place the PID of the RADIUS server. +# +# The server may be signalled while it's running by using this +# file. +# +# This file is written when ONLY running in daemon mode. 
+# +# e.g.: kill -HUP `cat /var/run/radiusd/radiusd.pid` +# +pidfile = ${run_dir}/${name}.pid + +# panic_action: Command to execute if the server dies unexpectedly. +# +# FOR PRODUCTION SYSTEMS, ACTIONS SHOULD ALWAYS EXIT. +# AN INTERACTIVE ACTION MEANS THE SERVER IS NOT RESPONDING TO REQUESTS. +# AN INTERACTICE ACTION MEANS THE SERVER WILL NOT RESTART. +# +# THE SERVER MUST NOT BE ALLOWED EXECUTE UNTRUSTED PANIC ACTION CODE +# PATTACH CAN BE USED AS AN ATTACK VECTOR. +# +# The panic action is a command which will be executed if the server +# receives a fatal, non user generated signal, i.e. SIGSEGV, SIGBUS, +# SIGABRT or SIGFPE. +# +# This can be used to start an interactive debugging session so +# that information regarding the current state of the server can +# be acquired. +# +# The following string substitutions are available: +# - %e The currently executing program e.g. /sbin/radiusd +# - %p The PID of the currently executing program e.g. 12345 +# +# Standard ${} substitutions are also allowed. +# +# An example panic action for opening an interactive session in GDB would be: +# +#panic_action = "gdb %e %p" +# +# Again, don't use that on a production system. +# +# An example panic action for opening an automated session in GDB would be: +# +#panic_action = "gdb -silent -x ${raddbdir}/panic.gdb %e %p 2>&1 | tee ${logdir}/gdb-${name}-%p.log" +# +# That command can be used on a production system. +# + +# max_request_time: The maximum time (in seconds) to handle a request. +# +# Requests which take more time than this to process may be killed, and +# a REJECT message is returned. +# +# WARNING: If you notice that requests take a long time to be handled, +# then this MAY INDICATE a bug in the server, in one of the modules +# used to handle a request, OR in your local configuration. +# +# This problem is most often seen when using an SQL database. 
If it takes +# more than a second or two to receive an answer from the SQL database, +# then it probably means that you haven't indexed the database. See your +# SQL server documentation for more information. +# +# Useful range of values: 5 to 120 +# +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +# a reply which was sent to the NAS. +# +# The RADIUS request is normally cached internally for a short period +# of time, after the reply is sent to the NAS. The reply packet may be +# lost in the network, and the NAS will not see it. The NAS will then +# re-send the request, and the server will respond quickly with the +# cached reply. +# +# If this value is set too low, then duplicate requests from the NAS +# MAY NOT be detected, and will instead be handled as separate requests. +# +# If this value is set too high, then the server will cache too many +# requests, and some new requests may get blocked. (See 'max_requests'.) +# +# Useful range of values: 2 to 10 +# +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +# track of. This should be 256 multiplied by the number of clients. +# e.g. With 4 clients, this number should be 1024. +# +# If this number is too low, then when the server becomes busy, +# it will not respond to any new requests, until the 'cleanup_delay' +# time has passed, and it has removed the old requests. +# +# If this number is set too high, then the server will use a bit more +# memory for no real benefit. +# +# If you aren't sure what it should be set to, it's better to set it +# too high than too low. Setting it to 1000 per client is probably +# the highest it should be. +# +# Useful range of values: 256 to infinity +# +max_requests = 1024 + +# hostname_lookups: Log the names of clients or just their IP addresses +# e.g., www.freeradius.org (on) or 206.47.27.232 (off). 
+# +# The default is 'off' because it would be overall better for the net +# if people had to knowingly turn this feature on, since enabling it +# means that each client request will result in AT LEAST one lookup +# request to the nameserver. Enabling hostname_lookups will also +# mean that your server may stop randomly for 30 seconds from time +# to time, if the DNS requests take too long. +# +# Turning hostname lookups off also means that the server won't block +# for 30 seconds, if it sees an IP address which has no name associated +# with it. +# +# allowed values: {no, yes} +# +hostname_lookups = no + +# +# Logging section. The various "log_*" configuration items +# will eventually be moved here. +# +log { + # + # Destination for log messages. This can be one of: + # + # files - log to "file", as defined below. + # syslog - to syslog (see also the "syslog_facility", below. + # stdout - standard output + # stderr - standard error. + # + # The command-line option "-X" over-rides this option, and forces + # logging to go to stdout. + # + destination = files + + # + # Highlight important messages sent to stderr and stdout. + # + # Option will be ignored (disabled) if output if TERM is not + # an xterm or output is not to a TTY. + # + colourise = yes + + # + # The logging messages for the server are appended to the + # tail of this file if destination == "files" + # + # If the server is running in debugging mode, this file is + # NOT used. + # + file = ${logdir}/radius.log + + # + # If this configuration parameter is set, then log messages for + # a *request* go to this file, rather than to radius.log. + # + # i.e. This is a log file per request, once the server has accepted + # the request as being from a valid client. Messages that are + # not associated with a request still go to radius.log. + # + # Not all log messages in the server core have been updated to use + # this new internal API. As a result, some messages will still + # go to radius.log. 
Please submit patches to fix this behavior. + # + # The file name is expanded dynamically. You should ONLY user + # server-side attributes for the filename (e.g. things you control). + # Using this feature MAY also slow down the server substantially, + # especially if you do thinks like SQL calls as part of the + # expansion of the filename. + # + # The name of the log file should use attributes that don't change + # over the lifetime of a request, such as User-Name, + # Virtual-Server or Packet-Src-IP-Address. Otherwise, the log + # messages will be distributed over multiple files. + # + # Logging can be enabled for an individual request by a special + # dynamic expansion macro: %{debug: 1}, where the debug level + # for this request is set to '1' (or 2, 3, etc.). e.g. + # + # ... + # update control { + # Tmp-String-0 = "%{debug:1}" + # } + # ... + # + # The attribute that the value is assigned to is unimportant, + # and should be a "throw-away" attribute with no side effects. + # + #requests = ${logdir}/radiusd-%{%{Virtual-Server}:-DEFAULT}-%Y%m%d.log + + # + # Which syslog facility to use, if ${destination} == "syslog" + # + # The exact values permitted here are OS-dependent. You probably + # don't want to change this. + # + syslog_facility = daemon + + # Log the full User-Name attribute, as it was found in the request. + # + # allowed values: {no, yes} + # + stripped_names = no + + # Log authentication requests to the log file. + # + # allowed values: {no, yes} + # + auth = no + + # Log passwords with the authentication requests. + # auth_badpass - logs password if it's rejected + # auth_goodpass - logs password if it's correct + # + # allowed values: {no, yes} + # + auth_badpass = no + auth_goodpass = no + + # Log additional text at the end of the "Login OK" messages. + # for these to work, the "auth" and "auth_goodpass" or "auth_badpass" + # configurations above have to be set to "yes". 
+ # + # The strings below are dynamically expanded, which means that + # you can put anything you want in them. However, note that + # this expansion can be slow, and can negatively impact server + # performance. + # +# msg_goodpass = "" +# msg_badpass = "" + + # The message when the user exceeds the Simultaneous-Use limit. + # + msg_denied = "You are already logged in - access denied" +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# SECURITY CONFIGURATION +# +# There may be multiple methods of attacking on the server. This +# section holds the configuration items which minimize the impact +# of those attacks +# +security { + # chroot: directory where the server does "chroot". + # + # The chroot is done very early in the process of starting + # the server. After the chroot has been performed it + # switches to the "user" listed below (which MUST be + # specified). If "group" is specified, it switches to that + # group, too. Any other groups listed for the specified + # "user" in "/etc/group" are also added as part of this + # process. + # + # The current working directory (chdir / cd) is left + # *outside* of the chroot until all of the modules have been + # initialized. This allows the "raddb" directory to be left + # outside of the chroot. Once the modules have been + # initialized, it does a "chdir" to ${logdir}. This means + # that it should be impossible to break out of the chroot. + # + # If you are worried about security issues related to this + # use of chdir, then simply ensure that the "raddb" directory + # is inside of the chroot, end be sure to do "cd raddb" + # BEFORE starting the server. + # + # If the server is statically linked, then the only files + # that have to exist in the chroot are ${run_dir} and + # ${logdir}. If you do the "cd raddb" as discussed above, + # then the "raddb" directory has to be inside of the chroot + # directory, too. 
+ # +# chroot = /path/to/chroot/directory + + # user/group: The name (or #number) of the user/group to run radiusd as. + # + # If these are commented out, the server will run as the + # user/group that started it. In order to change to a + # different user/group, you MUST be root ( or have root + # privileges ) to start the server. + # + # We STRONGLY recommend that you run the server with as few + # permissions as possible. That is, if you're not using + # shadow passwords, the user and group items below should be + # set to radius'. + # + # NOTE that some kernels refuse to setgid(group) when the + # value of (unsigned)group is above 60000; don't use group + # "nobody" on these systems! + # + # On systems with shadow passwords, you might have to set + # 'group = shadow' for the server to be able to read the + # shadow password file. If you can authenticate users while + # in debug mode, but not in daemon mode, it may be that the + # debugging mode server is running as a user that can read + # the shadow info, and the user listed below can not. + # + # The server will also try to use "initgroups" to read + # /etc/groups. It will join all groups where "user" is a + # member. This can allow for some finer-grained access + # controls. + # + user = radiusd + group = radiusd + + # Core dumps are a bad thing. This should only be set to + # 'yes' if you're debugging a problem with the server. + # + # allowed values: {no, yes} + # + allow_core_dumps = no + + # + # max_attributes: The maximum number of attributes + # permitted in a RADIUS packet. Packets which have MORE + # than this number of attributes in them will be dropped. + # + # If this number is set too low, then no RADIUS packets + # will be accepted. + # + # If this number is set too high, then an attacker may be + # able to send a small number of packets which will cause + # the server to use all available memory on the machine. 
+ # + # Setting this number to 0 means "allow any number of attributes" + max_attributes = 200 + + # + # reject_delay: When sending an Access-Reject, it can be + # delayed for a few seconds. This may help slow down a DoS + # attack. It also helps to slow down people trying to brute-force + # crack a users password. + # + # Setting this number to 0 means "send rejects immediately" + # + # If this number is set higher than 'cleanup_delay', then the + # rejects will be sent at 'cleanup_delay' time, when the request + # is deleted from the internal cache of requests. + # + # Useful ranges: 1 to 5 + reject_delay = 1 + + # + # status_server: Whether or not the server will respond + # to Status-Server requests. + # + # When sent a Status-Server message, the server responds with + # an Access-Accept or Accounting-Response packet. + # + # This is mainly useful for administrators who want to "ping" + # the server, without adding test users, or creating fake + # accounting packets. + # + # It's also useful when a NAS marks a RADIUS server "dead". + # The NAS can periodically "ping" the server with a Status-Server + # packet. If the server responds, it must be alive, and the + # NAS can start using it for real requests. + # + # See also raddb/sites-available/status + # + status_server = yes + + +} + +# PROXY CONFIGURATION +# +# proxy_requests: Turns proxying of RADIUS requests on or off. +# +# The server has proxying turned on by default. If your system is NOT +# set up to proxy requests to another server, then you can turn proxying +# off here. This will save a small amount of resources on the server. +# +# If you have proxying turned off, and your configuration files say +# to proxy a request, then an error message will be logged. +# +# To disable proxying, change the "yes" to "no", and comment the +# $INCLUDE line. 
+# +# allowed values: {no, yes} +# +proxy_requests = yes +$INCLUDE proxy.conf + + +# CLIENTS CONFIGURATION +# +# Client configuration is defined in "clients.conf". +# + +# The 'clients.conf' file contains all of the information from the old +# 'clients' and 'naslist' configuration files. We recommend that you +# do NOT use 'client's or 'naslist', although they are still +# supported. +# +# Anything listed in 'clients.conf' will take precedence over the +# information from the old-style configuration files. +# +$INCLUDE clients.conf + + +# THREAD POOL CONFIGURATION +# +# The thread pool is a long-lived group of threads which +# take turns (round-robin) handling any incoming requests. +# +# You probably want to have a few spare threads around, +# so that high-load situations can be handled immediately. If you +# don't have any spare threads, then the request handling will +# be delayed while a new thread is created, and added to the pool. +# +# You probably don't want too many spare threads around, +# otherwise they'll be sitting there taking up resources, and +# not doing anything productive. +# +# The numbers given below should be adequate for most situations. +# +thread pool { + # Number of servers to start initially --- should be a reasonable + # ballpark figure. + start_servers = 5 + + # Limit on the total number of servers running. + # + # If this limit is ever reached, clients will be LOCKED OUT, so it + # should NOT BE SET TOO LOW. It is intended mainly as a brake to + # keep a runaway server from taking the system with it as it spirals + # down... + # + # You may find that the server is regularly reaching the + # 'max_servers' number of threads, and that increasing + # 'max_servers' doesn't seem to make much difference. + # + # If this is the case, then the problem is MOST LIKELY that + # your back-end databases are taking too long to respond, and + # are preventing the server from responding in a timely manner. 
+ # + # The solution is NOT do keep increasing the 'max_servers' + # value, but instead to fix the underlying cause of the + # problem: slow database, or 'hostname_lookups=yes'. + # + # For more information, see 'max_request_time', above. + # + max_servers = 32 + + # Server-pool size regulation. Rather than making you guess + # how many servers you need, FreeRADIUS dynamically adapts to + # the load it sees, that is, it tries to maintain enough + # servers to handle the current load, plus a few spare + # servers to handle transient load spikes. + # + # It does this by periodically checking how many servers are + # waiting for a request. If there are fewer than + # min_spare_servers, it creates a new spare. If there are + # more than max_spare_servers, some of the spares die off. + # The default values are probably OK for most sites. + # + min_spare_servers = 3 + max_spare_servers = 10 + + # When the server receives a packet, it places it onto an + # internal queue, where the worker threads (configured above) + # pick it up for processing. The maximum size of that queue + # is given here. + # + # When the queue is full, any new packets will be silently + # discarded. + # + # The most common cause of the queue being full is that the + # server is dependent on a slow database, and it has received + # a large "spike" of traffic. When that happens, there is + # very little you can do other than make sure the server + # receives less traffic, or make sure that the database can + # handle the load. + # +# max_queue_size = 65536 + + # There may be memory leaks or resource allocation problems with + # the server. If so, set this value to 300 or so, so that the + # resources will be cleaned up periodically. + # + # This should only be necessary if there are serious bugs in the + # server which have not yet been fixed. 
+ # + # '0' is a special value meaning 'infinity', or 'the servers never + # exit' + max_requests_per_server = 0 + + # Automatically limit the number of accounting requests. + # This configuration item tracks how many requests per second + # the server can handle. It does this by tracking the + # packets/s received by the server for processing, and + # comparing that to the packets/s handled by the child + # threads. + # + + # If the received PPS is larger than the processed PPS, *and* + # the queue is more than half full, then new accounting + # requests are probabilistically discarded. This lowers the + # number of packets that the server needs to process. Over + # time, the server will "catch up" with the traffic. + # + # Throwing away accounting packets is usually safe and low + # impact. The NAS will retransmit them in a few seconds, or + # even a few minutes. Vendors should read RFC 5080 Section 2.2.1 + # to see how accounting packets should be retransmitted. Using + # any other method is likely to cause network meltdowns. + # + auto_limit_acct = no +} + +###################################################################### +# +# SNMP notifications. Uncomment the following line to enable +# snmptraps. Note that you MUST also configure the full path +# to the "snmptrap" command in the "trigger.conf" file. +# +#$INCLUDE trigger.conf + +# MODULE CONFIGURATION +# +# The names and configuration of each module is located in this section. +# +# After the modules are defined here, they may be referred to by name, +# in other sections of this configuration file. +# +modules { + # + # Each module has a configuration as follows: + # + # name [ instance ] { + # config_item = value + # ... + # } + # + # The 'name' is used to load the 'rlm_name' library + # which implements the functionality of the module. + # + # The 'instance' is optional. To have two different instances + # of a module, it first must be referred to by 'name'. 
+ # The different copies of the module are then created by + # inventing two 'instance' names, e.g. 'instance1' and 'instance2' + # + # The instance names can then be used in later configuration + # INSTEAD of the original 'name'. See the 'radutmp' configuration + # for an example. + # + + # + # As of 3.0, modules are in mods-enabled/. Files matching + # the regex /[a-zA-Z0-9_.]+/ are loaded. The modules are + # initialized ONLY if they are referenced in a processing + # section, such as authorize, authenticate, accounting, + # pre/post-proxy, etc. + # + $INCLUDE mods-enabled/ +} + +# Instantiation +# +# This section orders the loading of the modules. Modules +# listed here will get loaded BEFORE the later sections like +# authorize, authenticate, etc. get examined. +# +# This section is not strictly needed. When a section like +# authorize refers to a module, it's automatically loaded and +# initialized. However, some modules may not be listed in any +# of the following sections, so they can be listed here. +# +# Also, listing modules here ensures that you have control over +# the order in which they are initialized. If one module needs +# something defined by another module, you can list them in order +# here, and ensure that the configuration will be OK. +# +# After the modules listed here have been loaded, all of the modules +# in the "mods-enabled" directory will be loaded. Loading the +# "mods-enabled" directory means that unlike Version 2, you usually +# don't need to list modules here. +# +instantiate { + # + # We list the counter module here so that it registers + # the check_name attribute before any module which sets + # it +# daily + + # subsections here can be thought of as "virtual" modules. + # + # e.g. If you have two redundant SQL servers, and you want to + # use them in the authorize and accounting sections, you could + # place a "redundant" block in each section, containing the + # exact same text. 
Or, you could uncomment the following + # lines, and list "redundant_sql" in the authorize and + # accounting sections. + # + #redundant redundant_sql { + # sql1 + # sql2 + #} +} + +###################################################################### +# +# Policies are virtual modules, similar to those defined in the +# "instantiate" section above. +# +# Defining a policy in one of the policy.d files means that it can be +# referenced in multiple places as a *name*, rather than as a series of +# conditions to match, and actions to take. +# +# Policies are something like subroutines in a normal language, but +# they cannot be called recursively. They MUST be defined in order. +# If policy A calls policy B, then B MUST be defined before A. +# +###################################################################### +policy { + $INCLUDE policy.d/ +} + +###################################################################### +# +# Load virtual servers. +# +# This next $INCLUDE line loads files in the directory that +# match the regular expression: /[a-zA-Z0-9_.]+/ +# +# It allows you to define new virtual servers simply by placing +# a file into the raddb/sites-enabled/ directory. +# +$INCLUDE sites-enabled/ + +###################################################################### +# +# All of the other configuration sections like "authorize {}", +# "authenticate {}", "accounting {}", have been moved to the +# the file: +# +# raddb/sites-available/default +# +# This is the "default" virtual server that has the same +# configuration as in version 1.0.x and 1.1.x. The default +# installation enables this virtual server. You should +# edit it to create policies for your local site. +# +# For more documentation on virtual servers, see: +# +# raddb/sites-available/README +# +###################################################################### From a8569a4f2b0ee632968461cc5adc69456be43e88 Mon Sep 17 00:00:00 2001 
From: Jonathan Gazeley Date: Thu, 8 Oct 2015 11:31:20 +0100 Subject: [PATCH 10/40] Add new param default fr_moduledir --- manifests/params.pp | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index e70d5ef2..f4d04c8a 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -36,13 +36,16 @@ default => '/etc/raddb', } - # Default module path - $fr_modulepath = $::freeradius_version ? { - /^2\./ => "${fr_basepath}/modules", - /^3\./ => "${fr_basepath}/mods-enabled", - default => "${fr_basepath}/modules", + # Default module dir + $fr_moduledir = $::freeradius_version ? { + /^2\./ => 'modules', + /^3\./ => 'mods-enabled', + default => 'modules', } + # Default module path + $fr_modulepath = "${fr_basepath}/${fr_moduledir}" + # Path for FreeRADIUS logs $fr_logpath = $::osfamily ? { 'RedHat' => '/var/log/radius', From 6045d72ae7a47dc90cf84b2b30cd5b82af49d1df Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 8 Oct 2015 11:34:57 +0100 Subject: [PATCH 11/40] Add parametrised options to config for FR3 --- templates/radiusd.conf.fr3.erb | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/templates/radiusd.conf.fr3.erb b/templates/radiusd.conf.fr3.erb index afae55ce..0a8a394b 100644 --- a/templates/radiusd.conf.fr3.erb +++ b/templates/radiusd.conf.fr3.erb @@ -55,13 +55,13 @@ exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = /usr/sbin -logdir = ${localstatedir}/log/radius +logdir = <%= @fr_logpath %> raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct # # name of the running server. See also the "-n" command-line option. -name = radiusd +name = <%= @fr_service %> # Location of config and logfiles. confdir = ${raddbdir} 
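Review bot: The `default => 'modules'` branch of the new `$fr_moduledir` selector silently picks the FreeRADIUS 2 layout whenever `$::freeradius_version` is absent or does not start with `2.` or `3.`, so on a 3.x host whose fact has not been populated yet (which may happen on a first run before the package exists) modules would be written to `${fr_basepath}/modules` rather than the `mods-enabled/` directory the 3.x configuration includes. Consider making the fallback an explicit decision: either fail or `warning()` in an `if` when the fact is missing, or keep the fallback and state it above the selector, e.g. `# Falls back to the FR2 layout when the freeradius_version fact is unavailable`. The `$fr_modconfigdir` selector added in PATCH 13 has the same `default => 'conf.d'` fallback and should be handled the same way.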
@@ -207,7 +207,7 @@ cleanup_delay = 5 # # Useful range of values: 256 to infinity # -max_requests = 1024 +max_requests = <%= @max_requests %> # hostname_lookups: Log the names of clients or just their IP addresses # e.g., www.freeradius.org (on) or 206.47.27.232 (off). @@ -414,8 +414,8 @@ security { # member. This can allow for some finer-grained access # controls. # - user = radiusd - group = radiusd + user = <%= @fr_user%> + group = <%= @fr_group%> # Core dumps are a bad thing. This should only be set to # 'yes' if you're debugging a problem with the server. @@ -555,7 +555,7 @@ thread pool { # # For more information, see 'max_request_time', above. # - max_servers = 32 + max_servers = <%= @max_servers %> # Server-pool size regulation. Rather than making you guess # how many servers you need, FreeRADIUS dynamically adapts to @@ -667,7 +667,7 @@ modules { # section, such as authorize, authenticate, accounting, # pre/post-proxy, etc. # - $INCLUDE mods-enabled/ + $INCLUDE <%= @fr_moduledir %> } # Instantiation From 12812cea92a1ba2083b39ca19fd1caf8543c8c84 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 8 Oct 2015 11:46:33 +0100 Subject: [PATCH 12/40] Trailing slash is necessary --- templates/radiusd.conf.fr3.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/radiusd.conf.fr3.erb b/templates/radiusd.conf.fr3.erb index 0a8a394b..e42fc0ce 100644 --- a/templates/radiusd.conf.fr3.erb +++ b/templates/radiusd.conf.fr3.erb @@ -667,7 +667,7 @@ modules { # section, such as authorize, authenticate, accounting, # pre/post-proxy, etc. # - $INCLUDE <%= @fr_moduledir %> + $INCLUDE <%= @fr_moduledir %>/ } # Instantiation From dc98ae954145447b6c8f94dfde1a426a8c680075 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 15 Oct 2015 15:23:17 +0100 Subject: [PATCH 13/40] Template mod config dir for FR2 and FR3 --- manifests/config.pp | 12 ++++++------ manifests/params.pp | 10 ++++++++++ 2 files changed, 16 insertions(+), 6 deletions(-) 
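Review bot: In the `security { }` hunk, `user = <%= @fr_user%>` and `group = <%= @fr_group%>` omit the space before the closing ERB tag that every other tag in this template uses (`<%= @fr_logpath %>`, `<%= @max_servers %>`); `user = <%= @fr_user %>` and `group = <%= @fr_group %>` keep the file consistent. Separately, `max_requests` and `max_servers` (the `@@ -207` and `@@ -555` hunks) are interpolated directly into numeric settings; if the class that renders this template does not already validate them as integers, a bad value surfaces as a radiusd that refuses to start rather than as a catalog compile error, which is worth checking where those parameters are declared (outside this patch).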
diff --git a/manifests/config.pp b/manifests/config.pp index 1da88eff..5a12f77c 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -4,19 +4,19 @@ $content = undef, $ensure = present, ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath - $fr_group = $::freeradius::params::fr_group + $fr_package = $::freeradius::params::fr_package + $fr_service = $::freeradius::params::fr_service + $fr_group = $::freeradius::params::fr_group + $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath - file { "${fr_basepath}/conf.d/${name}": + file { "${fr_moduleconfigpath}/${name}": ensure => $ensure, mode => '0640', owner => 'root', group => $fr_group, source => $source, content => $content, - require => [File["${fr_basepath}/conf.d"], Package[$fr_package], Group[$fr_group]], + require => [File[$fr_moduleconfigpath], Package[$fr_package], Group[$fr_group]], notify => Service[$fr_service], } } diff --git a/manifests/params.pp b/manifests/params.pp index f4d04c8a..9bb2af95 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -46,6 +46,16 @@ # Default module path $fr_modulepath = "${fr_basepath}/${fr_moduledir}" + # Default module config dir + $fr_modconfigdir = $::freeradius_version ? { + /^2\./ => 'conf.d', + /^3\./ => 'mods-config', + default => 'conf.d', + } + + # Default module config path + $fr_moduleconfigpath = "${fr_basepath}/${fr_modconfigdir}" + # Path for FreeRADIUS logs $fr_logpath = $::osfamily ? { 'RedHat' => '/var/log/radius', From eccf9297663d1fa5a4f58aa6145dda82feb48516 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 15 Oct 2015 15:26:15 +0100 Subject: [PATCH 14/40] Can't require mods-config because it isn't managed by Puppet - it comes in the RPM --- manifests/config.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/config.pp b/manifests/config.pp index 5a12f77c..af42f4b2 100644 
--- a/manifests/config.pp +++ b/manifests/config.pp @@ -16,7 +16,7 @@ group => $fr_group, source => $source, content => $content, - require => [File[$fr_moduleconfigpath], Package[$fr_package], Group[$fr_group]], + require => [Package[$fr_package], Group[$fr_group]], notify => Service[$fr_service], } } From 2b6b40727759ec0c03c528813cec044912694410 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 09:34:56 +0100 Subject: [PATCH 15/40] Use moduleconfig to manage query file --- manifests/sql.pp | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index 583877ff..b2eaf526 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -88,21 +88,18 @@ notify => Service[$fr_service], } - # Install custom query file + # Determine default location of query file $queryfile = $::freeradius_version ? { /^2\./ => "${fr_basepath}/sql/${database}/dialup.conf", /^3\./ => "${fr_basepath}/sql/queries.conf", default => "${fr_basepath}/sql/queries.conf", } + + # Install custom query file if ($custom_query_file) { - file { $queryfile: - ensure => $ensure, - mode => '0640', - owner => 'root', - group => $fr_group, - source => $custom_query_file, - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], + ::freeradius::config { "${name}-queries.conf": + name => "${fr_moduleconfigpath}/${title}", + source => $custom_query_file, } } From 65b7e276b1d2417f6c7c743ee44b7122de16eadc Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 09:44:30 +0100 Subject: [PATCH 16/40] Update sql template to support custom query file --- templates/sql.conf.erb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/sql.conf.erb b/templates/sql.conf.erb index 1bf644be..4d7aa03c 100644 --- a/templates/sql.conf.erb +++ b/templates/sql.conf.erb 
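Review bot: Dropping `File[$fr_moduleconfigpath]` from `require` also removes the ordering dependency on FreeRADIUS 2, where `$fr_moduleconfigpath` resolves to `${fr_basepath}/conf.d` — the directory the previous `require => File["${fr_basepath}/conf.d"]` (PATCH 13) expected this module to declare. If that directory is still a Puppet-managed File resource on 2.x, a config snippet can now be applied before the directory exists and fail on the first run. Either keep the dependency for the 2.x case (the selector in params.pp already knows which layout is in use) or record in a comment above `require` that the directory is expected to come from the package on both versions. The enclosing define starts outside the hunk.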
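Review bot: The replacement `::freeradius::config { "${name}-queries.conf": ... }` does not pass `ensure => $ensure`, which the removed `file { $queryfile: ... }` block did; with `ensure => absent` on the sql define the module file is removed but a previously installed custom query file is left behind. Add `ensure => $ensure,` to the resource parameters — `freeradius::config` accepts `$ensure` (its signature is visible in PATCH 13). The `mode`, `group` and `notify` the removed block set are still provided by the define, so nothing else is lost.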
@@ -86,5 +86,6 @@ sql <%= @name %> { nas_table = <%= @nas_table %> # Read driver-specific configuration - $INCLUDE <%= @query_file %> + $INCLUDE <%if @custom_query_file %><%= @custom_query_file %><% else %><%= @query_file %><% end %> + } From f337cf78abf371f377be515e1937172041222f71 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 09:52:15 +0100 Subject: [PATCH 17/40] Tighten up conditional --- templates/sql.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sql.conf.erb b/templates/sql.conf.erb index 4d7aa03c..1504393e 100644 --- a/templates/sql.conf.erb +++ b/templates/sql.conf.erb @@ -86,6 +86,6 @@ sql <%= @name %> { nas_table = <%= @nas_table %> # Read driver-specific configuration - $INCLUDE <%if @custom_query_file %><%= @custom_query_file %><% else %><%= @query_file %><% end %> + $INCLUDE <%if @custom_query_file != '' %><%= @custom_query_file %><% else %><%= @query_file %><% end %> } From 26a03aa74fddca1bba79834ec544cdf4d8a42604 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 10:27:13 +0100 Subject: [PATCH 18/40] Fix file paths etc for sql query templates --- manifests/sql.pp | 4 +++- templates/sql.conf.erb | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index b2eaf526..51d429ce 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -97,8 +97,10 @@ # Install custom query file if ($custom_query_file) { + $custom_query_file_path = "${fr_moduleconfigpath}/${title}" + ::freeradius::config { "${name}-queries.conf": - name => "${fr_moduleconfigpath}/${title}", + name => $custom_query_file_path, source => $custom_query_file, } } diff --git a/templates/sql.conf.erb b/templates/sql.conf.erb index 1504393e..35744205 100644 --- a/templates/sql.conf.erb +++ b/templates/sql.conf.erb 
@@ -86,6 +86,6 @@ sql <%= @name %> { nas_table = <%= @nas_table %> # Read driver-specific configuration - $INCLUDE <%if @custom_query_file != '' %><%= @custom_query_file %><% else %><%= @query_file %><% end %> + $INCLUDE <%if @custom_query_file != '' %><%= @custom_query_file_path %><% else %><%= @query_file %><% end %> } From 05ceaa5697ebc632a779b25ee87e31ce2a74d59e Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 10:35:22 +0100 Subject: [PATCH 19/40] Fix paths --- manifests/sql.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index 51d429ce..3feaed19 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -96,8 +96,8 @@ } # Install custom query file - if ($custom_query_file) { - $custom_query_file_path = "${fr_moduleconfigpath}/${title}" + if ($custom_query_file != '') { + $custom_query_file_path = "${fr_moduleconfigpath}/${name}-queries.conf" ::freeradius::config { "${name}-queries.conf": name => $custom_query_file_path, From 1a2789378dfd1dac400b1bacbb42436212133900 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 10:59:21 +0100 Subject: [PATCH 20/40] Dedup data --- manifests/sql.pp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index 3feaed19..1a610971 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -99,8 +99,7 @@ if ($custom_query_file != '') { $custom_query_file_path = "${fr_moduleconfigpath}/${name}-queries.conf" - ::freeradius::config { "${name}-queries.conf": - name => $custom_query_file_path, + ::freeradius::config { "$custom_query_file_path": source => $custom_query_file, } } From 2f1b9d5f826995235b0d2c6a6015cd95c806ecfd Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Fri, 16 Oct 2015 11:00:25 +0100 Subject: [PATCH 21/40] Change order of file so template variable is defined --- manifests/sql.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/manifests/sql.pp b/manifests/sql.pp index 1a610971..dfbfaa84 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -77,17 +77,6 @@ fail('$readclients must be yes or no') } - # Generate a module config, based on sql.conf - file { "${fr_modulepath}/${name}": - ensure => $ensure, - mode => '0640', - owner => 'root', - group => $fr_group, - content => template('freeradius/sql.conf.erb'), - require => [Package[$fr_package], Group[$fr_group]], - notify => Service[$fr_service], - } - # Determine default location of query file $queryfile = $::freeradius_version ? { /^2\./ => "${fr_basepath}/sql/${database}/dialup.conf", @@ -104,6 +93,17 @@ } } + # Generate a module config, based on sql.conf + file { "${fr_modulepath}/${name}": + ensure => $ensure, + mode => '0640', + owner => 'root', + group => $fr_group, + content => template('freeradius/sql.conf.erb'), + require => [Package[$fr_package], Group[$fr_group]], + notify => Service[$fr_service], + } + # Install rotation for sqltrace if we are using it if ($sqltrace == 'yes') { logrotate::rule { 'sqltrace': From 5725ab52c3243d63f135bc828c21d60c4d89c489 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Mon, 19 Oct 2015 15:12:39 +0100 Subject: [PATCH 22/40] Try a different conditional --- templates/sql.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/sql.conf.erb b/templates/sql.conf.erb index 35744205..0ad2f174 100644 --- a/templates/sql.conf.erb +++ b/templates/sql.conf.erb @@ -86,6 +86,6 @@ sql <%= @name %> { nas_table = <%= @nas_table %> # Read driver-specific configuration - $INCLUDE <%if @custom_query_file != '' %><%= @custom_query_file_path %><% else %><%= @query_file %><% end %> + $INCLUDE <% if @custom_query_file_path %><%= @custom_query_file_path %><% else %><%= @query_file %><% end %> } From d3d1874600a3c8547e2590cc6060ed203cea2547 Mon Sep 17 00:00:00 2001 
From: Jonathan Gazeley Date: Mon, 19 Oct 2015 15:26:04 +0100 Subject: [PATCH 23/40] Add extra value from params.pp --- manifests/sql.pp | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index dfbfaa84..7fe23cc3 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -28,12 +28,13 @@ $port = '3306', $readclients = 'no', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath - $fr_modulepath = $::freeradius::params::fr_modulepath - $fr_group = $::freeradius::params::fr_group - $fr_logpath = $::freeradius::params::fr_logpath + $fr_package = $::freeradius::params::fr_package + $fr_service = $::freeradius::params::fr_service + $fr_basepath = $::freeradius::params::fr_basepath + $fr_modulepath = $::freeradius::params::fr_modulepath + $fr_group = $::freeradius::params::fr_group + $fr_logpath = $::freeradius::params::fr_logpath + $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath # Validate our inputs # Validate multiple choice options From bee0b7748501ae84ea80217ea7e42bdd0325b22b Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 20 Oct 2015 14:31:35 +0100 Subject: [PATCH 24/40] More sensible location for custom query files --- manifests/sql.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/sql.pp b/manifests/sql.pp index 7fe23cc3..441306a1 100644 --- a/manifests/sql.pp +++ b/manifests/sql.pp @@ -89,7 +89,7 @@ if ($custom_query_file != '') { $custom_query_file_path = "${fr_moduleconfigpath}/${name}-queries.conf" - ::freeradius::config { "$custom_query_file_path": + ::freeradius::config { "${name}-queries.conf": source => $custom_query_file, } } From 5a85623a63f63bf5725b02b3165cd5bcb69a9111 Mon Sep 17 00:00:00 2001 
From: Jonathan Gazeley Date: Tue, 20 Oct 2015 14:55:49 +0100 Subject: [PATCH 25/40] Don't set content of these modules as the one supplied by the package manager should suffice --- files/modules/always | 42 --------------- files/modules/detail | 89 -------------------------------- files/modules/detail.log | 108 --------------------------------------- manifests/init.pp | 14 ++--- 4 files changed, 5 insertions(+), 248 deletions(-) delete mode 100644 files/modules/always delete mode 100644 files/modules/detail delete mode 100644 files/modules/detail.log diff --git a/files/modules/always b/files/modules/always deleted file mode 100644 index 0dfedc48..00000000 --- a/files/modules/always +++ /dev/null @@ -1,42 +0,0 @@ -###################################################################### -###################################################################### -## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ## -###################################################################### -###################################################################### - - -# -*- text -*- -# -# $Id$ - -# -# The "always" module is here for debugging purposes. Each -# instance simply returns the same result, always, without -# doing anything. -always fail { - rcode = fail -} -always reject { - rcode = reject -} -always noop { - rcode = noop -} -always handled { - rcode = handled -} -always updated { - rcode = updated -} -always notfound { - rcode = notfound -} -always ok { - rcode = ok - simulcount = 0 - mpp = no -} -always accept { - rcode = accept -} - diff --git a/files/modules/detail b/files/modules/detail deleted file mode 100644 index ad7f7216..00000000 --- a/files/modules/detail +++ /dev/null 
@@ -1,89 +0,0 @@ -###################################################################### -###################################################################### -## THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS! ## -###################################################################### -###################################################################### - -# This is the stock FreeRADIUS 'detail' log. We leave it unaltered -# and instead make further instantiations that inherit from it and -# change parameters if necessary - -# -*- text -*- -# -# $Id$ - -# Write a detailed log of all accounting records received. -# -detail { - # Note that we do NOT use NAS-IP-Address here, as - # that attribute MAY BE from the originating NAS, and - # NOT from the proxy which actually sent us the - # request. - # - # The following line creates a new detail file for - # every radius client (by IP address or hostname). - # In addition, a new detail file is created every - # day, so that the detail file doesn't have to go - # through a 'log rotation' - # - # If your detail files are large, you may also want - # to add a ':%H' (see doc/variables.txt) to the end - # of it, to create a new detail file every hour, e.g.: - # - # ..../detail-%Y%m%d:%H - # - # This will create a new detail file for every hour. - # - # If you are reading detail files via the "listen" section - # (e.g. as in raddb/sites-available/robust-proxy-accounting), - # you MUST use a unique directory for each combination of a - # detail file writer, and reader. That is, there can only - # be ONE "listen" section reading detail files from a - # particular directory. - # - detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/detail.log - - # - # The Unix-style permissions on the 'detail' file. - # - # The detail file often contains secret or private - # information about users. So by keeping the file - # permissions restrictive, we can prevent unwanted - # people from seeing that information. 
- detailperm = 0640 - - # - # Every entry in the detail file has a header which - # is a timestamp. By default, we use the ctime - # format (see "man ctime" for details). - # - # The header can be customized by editing this - # string. See "doc/variables.txt" for a description - # of what can be put here. - # - header = "%t" - - # - # Uncomment this line if the detail file reader will be - # reading this detail file. - # -# locking = yes - - # - # Log the Packet src/dst IP/port. This is disabled by - # default, as that information isn't used by many people. - # -# log_packet_header = yes - - # - # Certain attributes such as User-Password may be - # "sensitive", so they should not be printed in the - # detail file. This section lists the attributes - # that should be suppressed. - # - # The attributes should be listed one to a line. - # - suppress { - User-Password - } -} diff --git a/files/modules/detail.log b/files/modules/detail.log deleted file mode 100644 index a191852c..00000000 --- a/files/modules/detail.log +++ /dev/null 
@@ -1,108 +0,0 @@ -# -*- text -*- -# -# $Id$ - -# -# More examples of doing detail logs. - -# -# Many people want to log authentication requests. -# Rather than modifying the server core to print out more -# messages, we can use a different instance of the 'detail' -# module, to log the authentication requests to a file. -# -# You will also need to un-comment the 'auth_log' line -# in the 'authorize' section, below. -# -detail auth_log-for-bsql { - detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-bsql.log - - # - # This MUST be 0600, otherwise anyone can read - # the users passwords! - detailperm = 0600 - locking = yes - - # You may also strip out passwords completely - suppress { - User-Password - EAP-Message - Framed-MTU - State - Message-Authenticator - Packet-Type - Proxy-State - Tunnel-Type - Tunnel-Medium-Type - Tunnel-Private-Group-Id - } -} - -detail auth_log { - detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log - - # This MUST be 0600, otherwise anyone can read - # the users passwords! - detailperm = 0600 - - # You may also strip out passwords completely - suppress { - User-Password - } - - # Log the Packet src/dst IP/port. This is disabled by - # default, as that information isn't used by many people. - log_packet_header = yes -} - -# This is the same as the block above, except it allows passwords -# # to be written to the log file -detail auth_log_password { - detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log - detailperm = 0600 -} - - -# This module logs authentication reply packets sent -# to a NAS. Both Access-Accept and Access-Reject packets -# are logged. -# -# You will also need to un-comment the 'reply_log' line -# in the 'post-auth' section, below. -# -detail reply_log { - detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log - - detailperm = 0600 -} - -# -# This module logs packets proxied to a home server. 
-# -# You will also need to un-comment the 'pre_proxy_log' line -# in the 'pre-proxy' section, below. -# -detail pre_proxy_log { - detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log - - # - # This MUST be 0600, otherwise anyone can read - # the users passwords! - detailperm = 0600 - - # You may also strip out passwords completely - #suppress { - # User-Password - #} -} - -# -# This module logs response packets from a home server. -# -# You will also need to un-comment the 'post_proxy_log' line -# in the 'post-proxy' section, below. -# -detail post_proxy_log { - detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log - detailperm = 0600 -} diff --git a/manifests/init.pp b/manifests/init.pp index d57fedda..a8607762 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -166,15 +166,11 @@ } # Install a few modules required on all FR installations - freeradius::module { 'always': - source => 'puppet:///modules/freeradius/modules/always', - } - freeradius::module { 'detail': - source => 'puppet:///modules/freeradius/modules/detail', - } - freeradius::module { 'detail.log': - source => 'puppet:///modules/freeradius/modules/detail.log', - } + # No content is specified, so we accept the package manager default + # Defining them here prevents them from being purged + freeradius::module { 'always': } + freeradius::module { 'detail': } + freeradius::module { 'detail.log': } # Syslog rules if $syslog == true { From dd8814c62482233ca2d838e2a3deb3348e5cb102 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 20 Oct 2015 16:29:50 +0100 Subject: [PATCH 26/40] Use different SQL template for FR2 and FR3 --- manifests/sql.pp | 2 +- templates/{sql.conf.erb => sql.conf.fr2.erb} | 0 templates/sql.conf.fr3.erb | 218 +++++++++++++++++++ 3 files changed, 219 insertions(+), 1 deletion(-) rename templates/{sql.conf.erb => sql.conf.fr2.erb} (100%) create mode 100644 templates/sql.conf.fr3.erb 
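Review bot: The deleted `files/modules/detail` and `files/modules/detail.log` carried explicit hardening — `detailperm = 0640`/`0600` and `suppress { User-Password }` — for the reason their own comments give, that detail logs can contain user passwords; after this change the `detail` and `detail.log` instances are whatever the package ships, and the new comment in init.pp only says the default "should suffice". Before relying on that, confirm the packaged module files set a restrictive `detailperm` and suppress `User-Password`, and record the expectation in the comment, e.g. `# Package defaults are relied upon for detailperm and suppress; re-check on FreeRADIUS upgrades`. If a packaged default differs, supplying `source` for just the `detail` module is the smaller fix.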
diff --git a/manifests/sql.pp b/manifests/sql.pp
index 441306a1..e68e643b 100644
--- a/manifests/sql.pp
+++ b/manifests/sql.pp
@@ -100,7 +100,7 @@
 mode => '0640',
 owner => 'root',
 group => $fr_group,
- content => template('freeradius/sql.conf.erb'),
+ content => template("freeradius/sql.conf.fr${::freeradius_maj_version}.erb"),
 require => [Package[$fr_package], Group[$fr_group]],
 notify => Service[$fr_service],
 }
diff --git a/templates/sql.conf.erb b/templates/sql.conf.fr2.erb
similarity index 100%
rename from templates/sql.conf.erb
rename to templates/sql.conf.fr2.erb
diff --git a/templates/sql.conf.fr3.erb b/templates/sql.conf.fr3.erb
new file mode 100644
index 00000000..e95aeb8c
--- /dev/null
+++ b/templates/sql.conf.fr3.erb
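Review bot: `template("freeradius/sql.conf.fr${::freeradius_maj_version}.erb")` introduces a second fact, `$::freeradius_maj_version` (presumably a custom fact not part of this series), alongside the `$::freeradius_version` regex selectors the rest of this define and params.pp use; if it is unset the template name becomes `sql.conf.fr.erb` and compilation fails with a "could not find template" error that does not point at the missing fact. Consider deriving the major version once in params.pp, which already branches on `$::freeradius_version`, and failing there with a clear message when neither `2` nor `3` is detected, then referencing that value here.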
@@ -0,0 +1,218 @@ +# -*- text -*- +# +# Configuration for the SQL module +# +# The database schemas and queries are located in subdirectories: +# +# sql//main/schema.sql Schema +# sql//main/queries.conf Authorisation and Accounting queries +# +# Driver specific configuration options are located in sql prefix config files +# +# mods-available/sql_ +# +# Where "driver" is cassandra, db2, firebird, freetds, iodbc, null, mysql +# oracle, postgresql, sqlite, unixodbc. +# +# $Id$ +# +sql <%= @name %> { + # The dialect of SQL you want to use + # + # If you're using rlm_sql_null, then it should be the type of + # database the logged queries are going to be executed against. + dialect = "<%= @database %>" + + # The sub-module to use to execute queries. This should match + # the database you're attempting to connect to. + # + # * rlm_sql_cassandra + # * rlm_sql_db2 + # * rlm_sql_firedbird + # * rlm_sql_freetds (mssql) + # * rlm_sql_iodbc + # * rlm_sql_null (log queries to disk) + # * rlm_sql_mysql + # * rlm_sql_oracle + # * rlm_sql_postgresql + # * rlm_sql_sqlite + # * rlm_sql_unixodbc + # + driver = "rlm_sql_${dialect}" + + # Uncomment to include driver specific configuration file + # (if one exists) + # These config files contain driver specific options. 
+# $INCLUDE ${modenableddir}/${.:name}_${dialect} + + # Connection info: + # + server = "<%= @server %>" + port = "<%= @port %>" + login = "<%= @login %>" + password = "<%= @password %>" + + # Database table configuration for everything except Oracle + radius_db = "<%= @radius_db %>" + + # If you're using postgresql this can also be used instead of the connection info parameters +# radius_db = "dbname=radius host=localhost user=radius password=raddpass" + # If you're using postgresql this can also be used instead of the connection info parameters +# radius_db = "dbname=radius host=localhost user=radius password=raddpass" + + # Postgreql doesn't take tls{} options in its module config like mysql does - if you want to + # use SSL connections then use this form of connection info parameter +# radius_db = "host=localhost port=5432 dbname=radius user=radius password=raddpass sslmode=verify-full sslcert=/etc/ssl/client.crt sslkey=/etc/ssl/client.key sslrootcert=/etc/ssl/ca.crt" + + # If you want both stop and start records logged to the + # same SQL table, leave this as is. If you want them in + # different tables, put the start table in acct_table1 + # and stop table in acct_table2 + acct_table1 = "<%= @acct_table1 %>" + acct_table2 = "<%= @acct_table2 %>" + + # Allow for storing data after authentication + postauth_table = "<%= @postauth_table %>" + + # Tables containing 'check' items + authcheck_table = "<%= @authcheck_table %>" + groupcheck_table = "<%= @groupcheck_table %>" + + # Tables containing 'reply' items + authreply_table = "<%= @authreply_table %>" + groupreply_table = "<%= @groupreply_table %>" + + # Table to keep group info + usergroup_table = "<%= @usergroup_table %>" + + # If set to 'yes' (default) we read the group tables unless Fall-Through = no in the reply table. + # If set to 'no' we do not read the group tables unless Fall-Through = yes in the reply table. 
+ read_groups = <%= @read_groups %> + + # If set to 'yes' (default) we read profiles unless Fall-Through = no in the groupreply table. + # If set to 'no' we do not read profiles unless Fall-Through = yes in the groupreply table. +# read_profiles = yes + + # Remove stale session if checkrad does not see a double login + delete_stale_sessions = <%= @deletestalesessions %> + + # Write SQL queries to a logfile. This is potentially useful for tracing + # issues with authorization queries. See also "logfile" directives in + # mods-config/sql/main/*/queries.conf. You can enable per-section logging + # by enabling "logfile" there, or global logging by enabling "logfile" here. + # + # Per-section logging can be disabled by setting "logfile = ''" +# logfile = ${logdir}/sqllog.sql + + # Set the maximum query duration for rlm_sql_mysql and + # rlm_sql_cassandra. +# query_timeout = 5 + + # + # The connection pool is new for 3.0, and will be used in many + # modules, for all kinds of connection-related activity. + # + # When the server is not threaded, the connection pool + # limits are ignored, and only one connection is used. + # + # If you want to have multiple SQL modules re-use the same + # connection pool, use "pool = name" instead of a "pool" + # section. e.g. + # + # sql1 { + # ... + # pool { + # ... + # } + # } + # + # # sql2 will use the connection pool from sql1 + # sql2 { + # ... + # pool = sql1 + # } + # + pool { + # Connections to create during module instantiation. + # If the server cannot create specified number of + # connections during instantiation it will exit. + # Set to 0 to allow the server to start without the + # database being available. + start = ${thread[pool].start_servers} + + # Minimum number of connections to keep open + min = ${thread[pool].min_spare_servers} + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. 
+ # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like 'No connections available and at max connection limit' + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + max = ${thread[pool].max_servers} + + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. This should be less than or equal to "max" above. + spare = ${thread[pool].max_spare_servers} + + # Number of uses before the connection is closed + # + # 0 means "infinite" + uses = <%= @max_queries %> + + # The number of seconds to wait after the server tries + # to open a connection, and fails. During this time, + # no new connections will be opened. + retry_delay = <%= @connect_failure_retry_delay %> + + # The lifetime (in seconds) of the connection + lifetime = <%= @lifetime %> + + # idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + idle_timeout = 60 + + # Connection timeout (in seconds). The maximum amount of + # time to wait for a new connection to be established. + # Not supported by: + # rlm_sql_firebird - Likely possible but no documentation. + # rlm_sql_oracle - Not possible. + # rlm_sql_postgresql - Should be set via the radius_db string instead. + # + connect_timeout = 3.0 + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of "idle_timeout", + # "uses", or "lifetime", then the total number of + # connections MAY fall below "min". When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the "min" connections, + # or increase lifetime/idle_timeout. + } + + # Set to 'yes' to read radius clients from the database ('nas' table) + # Clients will ONLY be read on server startup. 
+ read_clients = <%= @readclients %> + + # Table to keep radius client info + client_table = <%= @nas_table %> + + # The group attribute specific to this instance of rlm_sql + group_attribute = "${.:instance}-${.:name}-Group" + + # Read database-specific queries + # + # Not all drivers ship with query.conf or schema.sql files. + # For those which don't, please create them and contribute + # them back to the project. + $INCLUDE <% if @custom_query_file_path %><%= @custom_query_file_path %><% else %><%= @query_file %><% end %> +} From d515f27232b89eb81942197ab47bd8799721f126 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Wed, 21 Oct 2015 14:22:08 +0100 Subject: [PATCH 27/40] Don't auto include conf.d on FR2 --- templates/radiusd.conf.fr2.erb | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/templates/radiusd.conf.fr2.erb b/templates/radiusd.conf.fr2.erb index 848218df..cc5fa920 100644 --- a/templates/radiusd.conf.fr2.erb +++ b/templates/radiusd.conf.fr2.erb @@ -590,7 +590,6 @@ security { # proxy_requests = yes $INCLUDE proxy.conf -# Proxy config now in conf.d and included automatically # CLIENTS CONFIGURATION @@ -608,10 +607,6 @@ $INCLUDE proxy.conf # $INCLUDE ${confdir}/clients.d/ - -# CONFIG SNIPPETS -$INCLUDE ${confdir}/conf.d/ - # POLICIES #$INCLUDE ${confdir}/policy.d/ @@ -739,7 +734,7 @@ modules { # referenced in a processing section, such as authorize, # authenticate, accounting, pre/post-proxy, etc. # - $INCLUDE <%= @fr_modulepath %> + $INCLUDE <%= @fr_modulepath %>/ # Extensible Authentication Protocol # From 9787f8a997350fa9bc83ade041fcba4996cd85c8 Mon Sep 17 00:00:00 2001 
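Review bot: The trailing slash added in `$INCLUDE <%= @fr_modulepath %>/` is a functional change (FreeRADIUS treats a path ending in `/` as a directory include and reads every file in it) that has nothing to do with the commit's subject of not auto-including conf.d, so it deserves a line in the commit message or its own commit. Because every file in that directory becomes active module configuration, it is worth confirming that whatever manages `${fr_modulepath}` purges files Puppet does not own; otherwise a stray or leftover file there is loaded on the next restart. The enclosing `modules { }` section starts and ends outside the hunk.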
From: Jonathan Gazeley Date: Fri, 23 Oct 2015 11:16:01 +0100 Subject: [PATCH 28/40] Add support for configuring LDAP natively --- README.md | 88 ++++++ manifests/ldap.pp | 77 ++++++ templates/ldap.fr2.erb | 197 ++++++++++++++ templates/ldap.fr3.erb | 598 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 960 insertions(+) create mode 100644 manifests/ldap.pp create mode 100644 templates/ldap.fr2.erb create mode 100644 templates/ldap.fr3.erb diff --git a/README.md b/README.md index c4927459..14c4a2e4 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ * [`freeradius::config`](#freeradiusconfig) * [`freeradius::dictionary`](#freeradiusdictionary) * [`freeradius::instantiate`](#freeradiusinstantiate) + * [`freeradius::ldap`](#freeradiusldap) * [`freeradius::module`](#freeradiusmodule) * [`freeradius::policy`](#freeradiuspolicy) * [`freeradius::site`](#freeradiussite) 
@@ -267,6 +268,93 @@ Instantiate a module that is not automatically instantiated. freeradius::instantiate { 'mymodule': } ``` +#### `freeradius::ldap` + +Configure LDAP support for FreeRADIUS + +##### `identity` +LDAP account for searching the directory. Required. + +##### `password` +Password for the `identity` account. Required. + +##### `basedn` +Unless overridden in another section, the dn from which all searches will start from. Required. + +##### `server` +Hostname of IP address of the LDAP server. Note that this needs to match the name(s) in the LDAP server +certificate, if you're using ldaps. Default: `localhost` + +##### `port` +Port to connect to the LDAP server on. Default: `389` + +##### `uses` +How many times the connection can be used before being re-established. This is useful for things +like load balancers, which may exhibit sticky behaviour without it. `0` is unlimited. Default: `0` + +##### `idle` +Sets the idle time before keepalive probes are sent. Default `60` + +This option may not be supported by your LDAP library. If this configuration entry appears in the +output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing. + +##### `probes` +Sets the maximum number of keepalive probes TCP should send before dropping the connection. Default: `3` + +This option may not be supported by your LDAP library. If this configuration entry appears in the +output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing. + +##### `interval` +Setss the interval in seconds between individual keepalive probes. Default: `3` + +This option may not be supported by your LDAP library. If this configuration entry appears in the +output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing. + +##### `timeout` +Number of seconds to wait for LDAP query to finish. 
Default: `10` + +##### `start` +Connections to create during module instantiation. If the server cannot create specified number of +connections during instantiation it will exit. Set to 0 to allow the server to start without the +directory being available. This option only works with FR3; setting it on FR2 will have no effect. +Default: `${thread[pool].start_servers}` + +##### `min` +Minimum number of connections to keep open. This option only works with FR3; setting it on FR2 will have no effect. +Default: `${thread[pool].min_spare_servers}` + +##### `max` +Maximum number of connections. Default: `${thread[pool].max_servers}` + +##### `spare` +Spare connections to be left idle. This option only works with FR3; setting it on FR2 will have no effect. +Default: `${thread[pool].max_spare_servers}` + +##### `starttls` +Set this to 'yes' to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation. +The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections + +Default: `no` + +##### `cafile` +Path to CA cert file for TLS + +##### `certfile` +Path to cert file for TLS + +##### `keyfile` +Path to key file for TLS + +##### `requirecert` +Certificate Verification requirements. Choose from: +'never' (do not even bother trying) +'allow' (try, but don't fail if the certificate cannot be verified) +'demand' (fail if the certificate does not verify) +'hard' (similar to 'demand' but fails if TLS cannot negotiate) + +Default: `allow` + + #### `freeradius::module` Install a module from a flat file. diff --git a/manifests/ldap.pp b/manifests/ldap.pp new file mode 100644 index 00000000..4d05621e --- /dev/null +++ b/manifests/ldap.pp 
@@ -0,0 +1,77 @@
+# Configure LDAP support for FreeRADIUS
+define freeradius::ldap (
+ $identity,
+ $password,
+ $basedn,
+ $server = 'localhost',
+ $port = 389,
+ $uses = 0,
+ $idle = 60,
+ $probes = 3,
+ $interval = 3,
+ $timeout = 10,
+ $start = '${thread[pool].start_servers}',
+ $min = '${thread[pool].min_spare_servers}',
+ $max = '${thread[pool].max_servers}',
+ $spare = '${thread[pool].max_spare_servers}',
+ $ensure = 'present',
+
+ $starttls = 'no',
+ $cafile = '',
+ $certfile = '',
+ $keyfile = '',
+ $requirecert = 'allow',
+
+) {
+ $fr_package = $::freeradius::params::fr_package
+ $fr_service = $::freeradius::params::fr_service
+ $fr_modulepath = $::freeradius::params::fr_modulepath
+ $fr_group = $::freeradius::params::fr_group
+
+ # Validate our inputs
+ # Hostnames
+ unless (is_domain_name($server) or is_ip_address($server)) {
+ fail('$server must be a valid hostname or IP address')
+ }
+
+ # Fake booleans (FR uses yes/no instead of true/false)
+ unless $starttls in ['yes', 'no'] {
+ fail('$starttls must be yes or no')
+ }
+
+ # Validate multiple choice options
+ unless $requirecert in ['never', 'allow', 'demand', 'hard'] {
+ fail('$requirecert must be one of never, allow, demand, hard')
+ }
+
+ # Validate integers
+ unless is_integer($port) {
+ fail('$port must be an integer')
+ }
+ unless is_integer($uses) {
+ fail('$uses must be an integer')
+ }
+ unless is_integer($idle) {
+ fail('$idle must be an integer')
+ }
+ unless is_integer($probes) {
+ fail('$probes must be an integer')
+ }
+ unless is_integer($interval) {
+ fail('$interval must be an integer')
+ }
+ unless is_integer($timeout) {
+ fail('$timeout must be an integer')
+ }
+
+ # Generate a module config, based on ldap.conf
+ file { "${fr_modulepath}/${name}":
+ ensure => $ensure,
+ mode => '0640',
+ owner => 'root',
+ group => $fr_group,
+ content => template("freeradius/ldap.fr${::freeradius_maj_version}.erb"),
+ require => [Package[$fr_package], Group[$fr_group]],
+ notify =>
Service[$fr_service],
+ }
+}
diff --git a/templates/ldap.fr2.erb b/templates/ldap.fr2.erb
new file mode 100644
index 00000000..6e2d4baa
--- /dev/null
+++ b/templates/ldap.fr2.erb
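Review bot: `$identity` and `$password` are required parameters of the define, but neither template renders them as active settings — templates/ldap.fr2.erb emits `#identity = "<%= @identity %>"` and `#password = <%= @password %>` commented out, and templates/ldap.fr3.erb emits `# identity = '<%= @identity %>'` next to a literal `# password = mypass` — so the module binds to the directory anonymously no matter what the caller passes. The same is true of `$port`, which is validated with `is_integer` but only ever rendered as a commented-out line in both templates. Either make those lines live in the templates (`identity = "<%= @identity %>"` / `password = "<%= @password %>"`) or drop the required parameters until something reads them; with the current templates the README's "Required" for `identity` and `password` is misleading. The whole define is within this hunk.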
@@ -0,0 +1,197 @@ +# -*- text -*- +# +# $Id$ + +# Lightweight Directory Access Protocol (LDAP) +# +# This module definition allows you to use LDAP for +# authorization and authentication. +# +# See raddb/sites-available/default for reference to the +# ldap module in the authorize and authenticate sections. +# +# However, LDAP can be used for authentication ONLY when the +# Access-Request packet contains a clear-text User-Password +# attribute. LDAP authentication will NOT work for any other +# authentication method. +# +# This means that LDAP servers don't understand EAP. If you +# force "Auth-Type = LDAP", and then send the server a +# request containing EAP authentication, then authentication +# WILL NOT WORK. +# +# The solution is to use the default configuration, which does +# work. +# +# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We +# really can't emphasize this enough. +# +ldap { + # + # Note that this needs to match the name in the LDAP + # server certificate, if you're using ldaps. + server = "<%= @server %>" + #identity = "<%= @identity %>" + #password = <%= @password %> + basedn = "<%= @basedn %>" + filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" + #base_filter = "(objectclass=radiusprofile)" + + # How many connections to keep open to the LDAP server. + # This saves time over opening a new LDAP socket for + # every authentication request. + ldap_connections_number = <%= @max %> + + # How many times the connection can be used before + # being re-established. This is useful for things + # like load balancers, which may exhibit sticky + # behaviour without it. (0) is unlimited. + max_uses = <%= @uses %> + + # Port to connect on, defaults to 389. Setting this to + # 636 will enable LDAPS if start_tls (see below) is not + # able to be used. + #port = <%= @port %> + + # seconds to wait for LDAP query to finish. default: 20 + timeout = <%= @timeout %> + + # seconds LDAP server has to process the query (server-side + # time limit). 
default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + timelimit = 3 + + # + # seconds to wait for response of the server. (network + # failures) default: 10 + # + # LDAP_OPT_NETWORK_TIMEOUT is set to this value. + net_timeout = 1 + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the "tls_*" configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. + # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 636) connections + start_tls = <%= @starttls %> + +<% if @cafile %> cacertfile = <%= @cafile %><% end %> + # cacertdir = /path/to/ca/dir/ +<% if @certfile %> certfile = <%= @certfile %><% end %> +<% if @keyfile %> keyfile = <%= @keyfile %><% end %> + # randfile = /path/to/rnd + + # Certificate Verification requirements. Can be: + # "never" (don't even bother trying) + # "allow" (try, but don't fail if the cerificate + # can't be verified) + # "demand" (fail if the certificate doesn't verify.) + # + # The default is "allow" + require_cert = "<%= @requirecert %>" + } + + # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" + # profile_attribute = "radiusProfileDn" + # access_attr = "dialupAccess" + + # Mapping of RADIUS dictionary attributes to LDAP + # directory attributes. + dictionary_mapping = ${confdir}/ldap.attrmap + + # Set password_attribute = nspmPassword to get the + # user's password from a Novell eDirectory + # backend. This will work ONLY IF FreeRADIUS has been + # built with the --with-edir configure option. 
+ # + # See also the following links: + # + # http://www.novell.com/coolsolutions/appnote/16745.html + # https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html + # + # Novell may require TLS encrypted sessions before returning + # the user's password. + # + # password_attribute = userPassword + + # Un-comment the following to disable Novell + # eDirectory account policy check and intruder + # detection. This will work *only if* FreeRADIUS is + # configured to build with --with-edir option. + # + edir_account_policy_check = no + + # + # Group membership checking. Disabled by default. + # + # groupname_attribute = cn + # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" + # groupmembership_attribute = radiusGroupName + + # compare_check_items = yes + # do_xlat = yes + # access_attr_used_for_allow = yes + + # + # The following two configuration items are for Active Directory + # compatibility. If you see the helpful "operations error" + # being returned to the LDAP module, uncomment the next + # two lines. + # + # chase_referrals = yes + # rebind = yes + + # + # By default, if the packet contains a User-Password, + # and no other module is configured to handle the + # authentication, the LDAP module sets itself to do + # LDAP bind for authentication. + # + # THIS WILL ONLY WORK FOR PAP AUTHENTICATION. + # + # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). + # + # You can disable this behavior by setting the following + # configuration entry to "no". + # + # allowed values: {no, yes} + # set_auth_type = yes + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. 
+ # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + #ldap_debug = 0x0028 + + # + # Keepalive configuration. This MAY NOT be supported by your + # LDAP library. If these configuration entries appear in the + # output of "radiusd -X", then they are supported. Otherwise, + # they are unsupported, and changing them will do nothing. + # + keepalive { + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = <%= @idle %> + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = <%= @probes %> + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = <%= @interval %> + } +} diff --git a/templates/ldap.fr3.erb b/templates/ldap.fr3.erb new file mode 100644 index 00000000..c14ef41b --- /dev/null +++ b/templates/ldap.fr3.erb 
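Review bot: `<% if @cafile %> cacertfile = <%= @cafile %><% end %>` fires for the define's default `$cafile = ''`, because an empty string is truthy in Ruby, so a default render writes `cacertfile = ` with no value; the same holds for the `@certfile` and `@keyfile` lines here and for `ca_file`/`certificate_file`/`private_key_file` in templates/ldap.fr3.erb. Use `<% unless @cafile.to_s.empty? %> cacertfile = <%= @cafile %><% end %>` (and likewise for the other two) so the setting is only emitted when a path was actually given. Separately, the `require_cert` comment lists only "never", "allow" and "demand" while manifests/ldap.pp also accepts `hard`, and with the define's default of `allow` a failed certificate check is not fatal, so a caller who enables `start_tls` still gets no assurance of which directory receives the bind credentials — the comment should say that `demand` is the value to use when those credentials matter. I am not certain the FreeRADIUS 2 parser resolves `${thread[pool].max_servers}`, the default of `$max`, in `ldap_connections_number = <%= @max %>`; worth confirming on an FR2 host since the README does not mark `max` as FR3-only.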
@@ -0,0 +1,598 @@ +# -*- text -*- +# +# $Id$ + +# +# Lightweight Directory Access Protocol (LDAP) +# +ldap { + # Note that this needs to match the name(s) in the LDAP server + # certificate, if you're using ldaps. See OpenLDAP documentation + # for the behavioral semantics of specifying more than one host. + # + # Depending on the libldap in use, server may be an LDAP URI. + # In the case of OpenLDAP this allows additional the following + # additional schemes: + # - ldaps:// (LDAP over SSL) + # - ldapi:// (LDAP over Unix socket) + # - ldapc:// (Connectionless LDAP) + server = '<%= @server %>' +# server = 'ldap.rrdns.example.org' +# server = 'ldap.rrdns.example.org' + + # Port to connect on, defaults to 389, will be ignored for LDAP URIs. +# port = <%= @port %> + + # Administrator account for searching and possibly modifying. + # If using SASL + KRB5 these should be commented out. +# identity = '<%= @identity %>' +# password = mypass + + # Unless overridden in another section, the dn from which all + # searches will start from. + base_dn = '<%= @basedn %>' + + # + # SASL parameters to use for admin binds + # + # When we're prompted by the SASL library, the config items in the SASL + # section (in addition to the identity password config items above) + # determine the responses given. + # + # If any directive is commented out, a NULL response will be + # provided to cyrus-sasl. + # + # Unfortunately the only way to control Keberos here is through + # environmental variables, as cyrus-sasl provides no API to + # set the kerberos (libkrb5) config directly. + # + # Full documentation for MIT krb5 can be found here: + # + # http://web.mit.edu/kerberos/krb5-devel/doc/admin/env_variables.html + # + # At a minimum you probably want to set KRB5_CLIENT_KTNAME. + # + sasl { + # SASL mechanism +# mech = 'PLAIN' + + # SASL authorisation identity to proxy. +# proxy = 'autz_id' + + # SASL realm. Used for kerberos. 
+# realm = 'example.org' + } + + # + # Generic valuepair attribute + # + + # If set, this will attribute will be retrieved in addition to any + # mapped attributes. + # + # Values should be in the format: + # + # + # Where: + # : Is the attribute you wish to create + # with any valid list and request qualifiers. + # : Is any assignment operator (=, :=, +=, -=). + # : Is the value to parse into the new valuepair. + # If the value is wrapped in double quotes it + # will be xlat expanded. +# valuepair_attribute = 'radiusAttribute' + + # + # Mapping of LDAP directory attributes to RADIUS dictionary attributes. + # + + # WARNING: Although this format is almost identical to the unlang + # update section format, it does *NOT* mean that you can use other + # unlang constructs in module configuration files. + # + # Configuration items are in the format: + # + # + # Where: + # : Is the destination RADIUS attribute + # with any valid list and request qualifiers. + # : Is any assignment attribute (=, :=, +=, -=). + # : Is the attribute associated with user or + # profile objects in the LDAP directory. + # If the attribute name is wrapped in double + # quotes it will be xlat expanded. + # + # Request and list qualifiers may also be placed after the 'update' + # section name to set defaults destination requests/lists + # for unqualified RADIUS attributes. + # + # Note: LDAP attribute names should be single quoted unless you want + # the name value to be derived from an xlat expansion, or an + # attribute ref. 
+ update { + control:Password-With-Header += 'userPassword' +# control:NT-Password := 'ntPassword' +# reply:Reply-Message := 'radiusReplyMessage' +# reply:Tunnel-Type := 'radiusTunnelType' +# reply:Tunnel-Medium-Type := 'radiusTunnelMediumType' +# reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId' + + # Where only a list is specified as the RADIUS attribute, + # the value of the LDAP attribute is parsed as a valuepair + # in the same format as the 'valuepair_attribute' (above). + #control: += 'radiusControlAttribute' + #request: += 'radiusRequestAttribute' + #reply: += 'radiusReplyAttribute' + } + + # Set to yes if you have eDirectory and want to use the universal + # password mechanism. +# edir = no + + # Set to yes if you want to bind as the user after retrieving the + # Cleartext-Password. This will consume the login grace, and + # verify user authorization. +# edir_autz = no + + # Note: set_auth_type was removed in v3.x.x + # Equivalent functionality can be achieved by adding the following + # stanza to the authorize {} section of your virtual server. + # + # ldap + # if ((ok || updated) && User-Password) { + # update { + # control:Auth-Type := ldap + # } + # } + + # + # User object identification. + # + user { + # Where to start searching in the tree for users + base_dn = "${..base_dn}" + + # Filter for user objects, should be specific enough + # to identify a single user object. + filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" + + # SASL parameters to use for user binds + # + # When we're prompted by the SASL library, these control + # the responses given. + # + # Any of the config items below may be an attribute ref + # or and expansion. This allows different SASL mechs, + # proxy IDs and realms to be used for different users. + # + sasl { + # SASL mechanism +# mech = 'PLAIN' + + # SASL authorisation identity to proxy. +# proxy = &User-Name + + # SASL realm. Used for kerberos. 
+# realm = 'example.org' + } + + # Search scope, may be 'base', 'one', sub' or 'children' +# scope = 'sub' + + # Server side result sorting + # + # A list of space delimited attributes to order the result + # set by, if the filter matches multiple objects. + # Only the first result in the set will be processed. + # + # If the attribute name is prefixed with a hyphen '-' the + # sorting order will be reversed for that attribute. + # + # If sort_by is set, and the server does not support sorting + # the search will fail. +# sort_by = '-uid' + + # If this is undefined, anyone is authorised. + # If it is defined, the contents of this attribute + # determine whether or not the user is authorised +# access_attribute = 'dialupAccess' + + # Control whether the presence of 'access_attribute' + # allows access, or denys access. + # + # If 'yes', and the access_attribute is present, or + # 'no' and the access_attribute is absent then access + # will be allowed. + # + # If 'yes', and the access_attribute is absent, or + # 'no' and the access_attribute is present, then + # access will not be allowed. + # + # If the value of the access_attribute is 'false', it + # will negate the result. + # + # e.g. + # access_positive = yes + # access_attribute = userAccessAllowed + # + # With an LDAP object containing: + # userAccessAllowed: false + # + # Will result in the user being locked out. +# access_positive = yes + } + + # + # User membership checking. + # + group { + # Where to start searching in the tree for groups + base_dn = "${..base_dn}" + + # Filter for group objects, should match all available + # group objects a user might be a member of. + filter = '(objectClass=posixGroup)' + + # Search scope, may be 'base', 'one', sub' or 'children' +# scope = 'sub' + + # Attribute that uniquely identifies a group. + # Is used when converting group DNs to group + # names. +# name_attribute = cn + + # Filter to find group objects a user is a member of. 
+ # That is, group objects with attributes that + # identify members (the inverse of membership_attribute). +# membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))" + + # The attribute in user objects which contain the names + # or DNs of groups a user is a member of. + # + # Unless a conversion between group name and group DN is + # needed, there's no requirement for the group objects + # referenced to actually exist. + membership_attribute = 'memberOf' + + # If cacheable_name or cacheable_dn are enabled, + # all group information for the user will be + # retrieved from the directory and written to LDAP-Group + # attributes appropriate for the instance of rlm_ldap. + # + # For group comparisons these attributes will be checked + # instead of querying the LDAP directory directly. + # + # This feature is intended to be used with rlm_cache. + # + # If you wish to use this feature, you should enable + # the type that matches the format of your check items + # i.e. if your groups are specified as DNs then enable + # cacheable_dn else enable cacheable_name. +# cacheable_name = 'no' +# cacheable_dn = 'no' + + # Override the normal cache attribute (-LDAP-Group or + # LDAP-Group if using the default instance) and create a + # custom attribute. This can help if multiple module instances + # are used in fail-over. +# cache_attribute = 'LDAP-Cached-Membership' + + # Override the normal group comparison attribute name + # (-LDAP-Group or LDAP-Group if using the default instance) . +# group_attribute = "${.:instance}-${.:name}-Group" + } + + # + # User profiles. RADIUS profile objects contain sets of attributes + # to insert into the request. These attributes are mapped using + # the same mapping scheme applied to user objects (the update section above). + # + profile { + # Filter for RADIUS profile objects +# filter = '(objectclass=radiusprofile)' + + # The default profile. This may be a DN or an attribute + # reference. 
+ # To get old v2.2.x style behaviour, or to use the + # &User-Profile attribute to specify the default profile, + # set this to &control:User-Profile. +# default = 'cn=radprofile,dc=example,dc=org' + + # The LDAP attribute containing profile DNs to apply + # in addition to the default profile above. These are + # retrieved from the user object, at the same time as the + # attributes from the update section, are are applied + # if authorization is successful. +# attribute = 'radiusProfileDn' + } + + # + # Bulk load clients from the directory + # + client { + # Where to start searching in the tree for clients + base_dn = "${..base_dn}" + + # + # Filter to match client objects + # + filter = '(objectClass=radiusClient)' + + # Search scope, may be 'base', 'one', 'sub' or 'children' +# scope = 'sub' + + # + # Sets default values (not obtained from LDAP) for new client entries + # + template { +# login = 'test' +# password = 'test' +# proto = tcp +# require_message_authenticator = yes + + # Uncomment to add a home_server with the same + # attributes as the client. +# coa_server { +# response_window = 2.0 +# } + } + + # + # Client attribute mappings are in the format: + # = + # + # The following attributes are required: + # * ipaddr | ipv4addr | ipv6addr - Client IP Address. + # * secret - RADIUS shared secret. + # + # All other attributes usually supported in a client + # definition are also supported here. 
+ # + # Schemas are available in doc/schemas/ldap for openldap and eDirectory + # + attribute { + ipaddr = 'radiusClientIdentifier' + secret = 'radiusClientSecret' +# shortname = 'radiusClientShortname' +# nas_type = 'radiusClientType' +# virtual_server = 'radiusClientVirtualServer' +# require_message_authenticator = 'radiusClientRequireMa' + } + } + + # Load clients on startup +# read_clients = no + + # + # Modify user object on receiving Accounting-Request + # + + # Useful for recording things like the last time the user logged + # in, or the Acct-Session-ID for CoA/DM. + # + # LDAP modification items are in the format: + # + # + # Where: + # : The LDAP attribute to add modify or delete. + # : One of the assignment operators: + # (:=, +=, -=, ++). + # Note: '=' is *not* supported. + # : The value to add modify or delete. + # + # WARNING: If using the ':=' operator with a multi-valued LDAP + # attribute, all instances of the attribute will be removed and + # replaced with a single attribute. + accounting { + reference = "%{tolower:type.%{Acct-Status-Type}}" + + type { + start { + update { + description := "Online at %S" + } + } + + interim-update { + update { + description := "Last seen at %S" + } + } + + stop { + update { + description := "Offline at %S" + } + } + } + } + + # + # Post-Auth can modify LDAP objects too + # + post-auth { + update { + description := "Authenticated at %S" + } + } + + # + # LDAP connection-specific options. + # + # These options set timeouts, keep-alives, etc. for the connections. + # + options { + # Control under which situations aliases are followed. + # May be one of 'never', 'searching', 'finding' or 'always' + # default: libldap's default which is usually 'never'. + # + # LDAP_OPT_DEREF is set to this value. +# dereference = 'always' + + # + # The following two configuration items control whether the + # server follows references returned by LDAP directory. + # They are mostly for Active Directory compatibility. 
+ # If you set these to 'no', then searches will likely return + # 'operations error', instead of a useful result. + # + chase_referrals = yes + rebind = yes + + # + # On rebind, use the credentials from the rebind url instead + # of admin credentials used during the initial bind. + # Default 'no' + # + use_referral_credentials = no + + # + # If 'yes', then include draft-wahl-ldap-session tracking + # controls. + # + # These encode the NAS-IP-Address/NAS-IPv6-Address, + # User-Name, Acct-Session-ID, Acct-Multi-Session-ID + # as session tracking controls, in applicable LDAP operations. + # Default 'no'. + # +# session_tracking = yes + + # Seconds to wait for LDAP query to finish. default: 20 + res_timeout = <%= @timeout %> + + # Seconds LDAP server has to process the query (server-side + # time limit). default: 20 + # + # LDAP_OPT_TIMELIMIT is set to this value. + srv_timelimit = 3 + + # LDAP_OPT_X_KEEPALIVE_IDLE + idle = <%= @idle %> + + # LDAP_OPT_X_KEEPALIVE_PROBES + probes = <%= @probes %> + + # LDAP_OPT_X_KEEPALIVE_INTERVAL + interval = <%= @interval %> + + # ldap_debug: debug flag for LDAP SDK + # (see OpenLDAP documentation). Set this to enable + # huge amounts of LDAP debugging on the screen. + # You should only use this if you are an LDAP expert. + # + # default: 0x0000 (no debugging messages) + # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) + ldap_debug = 0x0028 + } + + # + # This subsection configures the tls related items + # that control how FreeRADIUS connects to an LDAP + # server. It contains all of the 'tls_*' configuration + # entries used in older versions of FreeRADIUS. Those + # configuration entries can still be used, but we recommend + # using these. + # + tls { + # Set this to 'yes' to use TLS encrypted connections + # to the LDAP database by using the StartTLS extended + # operation. 
+ # + # The StartTLS operation is supposed to be + # used with normal ldap connections instead of + # using ldaps (port 636) connections + start_tls = <%= @starttls %> + +<% if @cafile %> ca_file = <%= @cafile %><% end %> + +# ca_path = ${certdir} +<% if @certfile %> certificate_file = <%= @certfile %><% end %> +<% if @keyfile %> private_key_file = <%= @keyfile %><% end %> +# random_file = /dev/urandom + + # Certificate Verification requirements. Can be: + # 'never' (do not even bother trying) + # 'allow' (try, but don't fail if the certificate + # cannot be verified) + # 'demand' (fail if the certificate does not verify) + # 'hard' (similar to 'demand' but fails if TLS + # cannot negotiate) + # + # The default is libldap's default, which varies based + # on the contents of ldap.conf. + require_cert = '<%= @requirecert %>' + } + + # As of version 3.0, the 'pool' section has replaced the + # following configuration items: + # + # ldap_connections_number + + # The connection pool is new for 3.0, and will be used in many + # modules, for all kinds of connection-related activity. + # + # When the server is not threaded, the connection pool + # limits are ignored, and only one connection is used. + pool { + # Connections to create during module instantiation. + # If the server cannot create specified number of + # connections during instantiation it will exit. + # Set to 0 to allow the server to start without the + # directory being available. + start = <%= @start %> + + # Minimum number of connections to keep open + min = <%= @min %> + + # Maximum number of connections + # + # If these connections are all in use and a new one + # is requested, the request will NOT get a connection. 
+ # + # Setting 'max' to LESS than the number of threads means + # that some threads may starve, and you will see errors + # like 'No connections available and at max connection limit' + # + # Setting 'max' to MORE than the number of threads means + # that there are more connections than necessary. + max = <%= @max %> + + # Spare connections to be left idle + # + # NOTE: Idle connections WILL be closed if "idle_timeout" + # is set. This should be less than or equal to "max" above. + spare = <%= @spare %> + + # Number of uses before the connection is closed + # + # 0 means "infinite" + uses = <%= @uses %> + + # The number of seconds to wait after the server tries + # to open a connection, and fails. During this time, + # no new connections will be opened. + retry_delay = 30 + + # The lifetime (in seconds) of the connection + lifetime = 0 + + # Idle timeout (in seconds). A connection which is + # unused for this length of time will be closed. + idle_timeout = 60 + + # Connection timeout (in seconds). The maximum amount of + # time to wait for a new connection to be established. + # Sets LDAP_OPT_NETWORK_TIMEOUT in libldap. + connect_timeout = 3.0 + + # NOTE: All configuration settings are enforced. If a + # connection is closed because of 'idle_timeout', + # 'uses', or 'lifetime', then the total number of + # connections MAY fall below 'min'. When that + # happens, it will open a new connection. It will + # also log a WARNING message. + # + # The solution is to either lower the 'min' connections, + # or increase lifetime/idle_timeout. + } +} From ef09adf5105eaea3655b8f7c675ba2d2f3954abf Mon Sep 17 00:00:00 2001 
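Review bot: `ldap_debug = 0x0028` in the `options` section is active, although the comment directly above it says it produces huge amounts of LDAP SDK debugging and should only be used by an LDAP expert, and the stock FreeRADIUS 3 module ships that line commented out. As written every instance of this define logs filter and connection debugging to the server log on every request, which includes the user names substituted into the search filter, so this should be `# ldap_debug = 0x0028` unless it is deliberately made a parameter. The hunk also hardcodes `chase_referrals = yes` and `rebind = yes`, which its own comment describes as Active Directory compatibility settings; those are the kind of site-specific choices the rest of the define exposes as parameters.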
From: Jonathan Gazeley Date: Mon, 26 Oct 2015 14:25:19 +0000 Subject: [PATCH 29/40] Add support to manage proxy.conf using native types --- README.md | 112 +++++++++++++++++++++++++++++++++ manifests/home_server.pp | 33 ++++++++++ manifests/home_server_pool.pp | 22 +++++++ manifests/init.pp | 11 +++- manifests/realm.pp | 22 +++++++ templates/home_server.erb | 16 +++++ templates/home_server_pool.erb | 13 ++++ templates/realm.erb | 18 ++++++ 8 files changed, 246 insertions(+), 1 deletion(-) create mode 100644 manifests/home_server.pp create mode 100644 manifests/home_server_pool.pp create mode 100644 manifests/realm.pp create mode 100644 templates/home_server.erb create mode 100644 templates/home_server_pool.erb create mode 100644 templates/realm.erb diff --git a/README.md b/README.md index 14c4a2e4..17060444 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,13 @@ * [`freeradius::client`](#freeradiusclient) * [`freeradius::config`](#freeradiusconfig) * [`freeradius::dictionary`](#freeradiusdictionary) + * [`freeradius::home_server`](#freeradiushomeserver) + * [`freeradius::home_server_pool`](#freeradiushomeserverpool) * [`freeradius::instantiate`](#freeradiusinstantiate) * [`freeradius::ldap`](#freeradiusldap) * [`freeradius::module`](#freeradiusmodule) * [`freeradius::policy`](#freeradiuspolicy) + * [`freeradius::realm`](#freeradiusrealm) * [`freeradius::site`](#freeradiussite) * [`freeradius::sql`](#freeradiussql) * [`freeradius::statusclient`](#freeradiusstatusclient) 
@@ -259,6 +262,84 @@ freeradius::dictionary { 'mydict': source => 'puppet:///modules/site_freeradius/dictionary.mydict', } ``` +#### `freeradius::home_server` + +This section defines a "Home Server" which is another RADIUS server that gets sent proxied requests. + +##### `secret` + +The shared secret use to "encrypt" and "sign" packets between FreeRADIUS and the home server. + +##### `type` + +Home servers can be sent Access-Request packets or Accounting-Request packets. Allowed values are: +* `auth` Handles Access-Request packets +* `acct` Handles Accounting-Request packets +* `auth+acct` Handles Access-Request packets at "port" and Accounting-Request packets at "port + 1" +* `coa` Handles CoA-Request and Disconnect-Request packets. + +Default: `auth` + +##### `ipaddr` + +IPv4 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server` + +##### `ipv6addr` + +IPv6 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server` + +##### `virtual_server` + +If you specify a virtual_server here, then requests will be proxied internally to that virtual server. +These requests CANNOT be proxied again, however. The intent is to have the local server handle packets +when all home servers are dead. Specify one of `ipaddr`, `ipv6addr` or `virtual_server` + +##### `port` + +The port to which packets are sent. Usually 1812 for type "auth", and 1813 for type "acct". +Older servers may use 1645 and 1646. Use 3799 for type "coa" Default: `1812` + +##### `proto` +The transport protocol. If unspecified, defaults to "udp", which is the traditional +RADIUS transport. It may also be "tcp", in which case TCP will be used to talk to +this home server. Default: `udp` + + +#### `freeradius::home_server_pool` + +##### `home_server` + +An array of one or more home servers. The names of the home servers are NOT the hostnames, but the names +of the sections. (e.g. `home_server foo {...}` has name "foo". 
+ +Note that ALL home servers listed here have to be of the same type. i.e. they all have to be "auth", or they all have to +be "acct", or they all have to be "auth+acct". + + +##### `type` + +The type of this pool controls how home servers are chosen. + +* `fail-over` the request is sent to the first live home server in the list. i.e. If the first home server is marked "dead", the second one is chosen, etc. +* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. +* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions +* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet. +* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items. + +The default type is `fail-over`. + +##### `virtual_server` + +A `virtual_server` may be specified here. If so, the "pre-proxy" and "post-proxy" sections are called when +the request is proxied, and when a response is received. + +##### `fallback` + +If ALL home servers are dead, then this "fallback" home server is used. If set, it takes precedence over any realm-based +fallback, such as the DEFAULT realm. + +For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead! + #### `freeradius::instantiate` 
@@ -381,6 +462,37 @@ freeradius::policy { 'my-policies': } ``` +#### `freeradius::realm` + +Define a realm in `proxy.conf`. Realms point to pools of home servers. + +##### `virtual_server` + +Set this to "proxy" requests internally to a virtual server. The pre-proxy and post-proxy sections are run just as with any +other kind of home server. The virtual server then receives the request, and replies, just as with any other packet. +Once proxied internally like this, the request CANNOT be proxied internally or externally. + +##### `auth_pool` + +For authentication, the `auth_pool` configuration item should point to a `home_server_pool` that was previously +defined. All of the home servers in the `auth_pool` must be of type `auth`. + +##### `acct_pool` + +For accounting, the `acct_pool` configuration item should point to a `home_server_pool` that was previously +defined. All of the home servers in the `acct_pool` must be of type `acct`. + +##### `pool` + +If you have a `home_server_pool` where all of the home servers are of type `auth+acct`, you can just use the `pool` +configuration item, instead of specifying both `auth_pool` and `acct_pool`. + +##### `nostrip` + +Normally, when an incoming User-Name is matched against the realm, the realm name is "stripped" off, and the "stripped" +user name is used to perform matches.If you do not want this to happen, set this to `true`. Default: `false`. + + #### `freeradius::script` Install a helper script, e.g. which might be called upon by a virtual server. These are diff --git a/manifests/home_server.pp b/manifests/home_server.pp new file mode 100644 index 00000000..8152cd34 --- /dev/null +++ b/manifests/home_server.pp 
@@ -0,0 +1,33 @@ +# Configure a home_server for proxy config +define freeradius::home_server ( + $secret, + $type = 'auth', + $ipaddr = '', + $ipv6addr = '', + $virtual_server = '', + $port = 1812, + $proto = 'udp', +) { + $fr_basepath = $::freeradius::params::fr_basepath + + # Validate multiple choice options + unless $type in ['auth', 'acct', 'auth+acct', 'coa'] { + fail('$type must be one of auth, acct, auth+acct, coa') + } + unless $proto in ['udp', 'tcp'] { + fail('$type must be one of udp, tcp') + } + + # Validate integers + unless is_integer($port) { + fail('$port must be an integer') + } + + # Configure config fragment for this home server + concat::fragment { "homeserver-${name}": + target => "${fr_basepath}/proxy.conf", + content => template('freeradius/home_server.erb'), + order => 10, + } +} + diff --git a/manifests/home_server_pool.pp b/manifests/home_server_pool.pp new file mode 100644 index 00000000..e680ec01 --- /dev/null +++ b/manifests/home_server_pool.pp @@ -0,0 +1,22 @@ +# Configure home server pools +define freeradius::home_server_pool ( + $home_server, + $type = 'fail-over', + $virtual_server = '', + $fallback = '', +) { + $fr_basepath = $::freeradius::params::fr_basepath + + # Validate multi-value options + unless $type in ['fail-over', 'load-balance', 'client-balance', 'client-port-balance', 'keyed-balance'] { + fail('$type must be one of fail-over, load-balance, client-balance, client-port-balance, keyed-balance') + } + + # Configure config fragment for this home server + concat::fragment { "homeserverpool-${name}": + target => "${fr_basepath}/proxy.conf", + content => template('freeradius/home_server_pool.erb'), + order => 20, + } +} + diff --git a/manifests/init.pp b/manifests/init.pp index a8607762..71fe7590 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
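Review bot: The `proto` check in the new `freeradius::home_server` define reports the wrong parameter on failure: `fail('$type must be one of udp, tcp')` should read `fail('$proto must be one of udp, tcp')`. The define also lets all of `ipaddr`, `ipv6addr` and `virtual_server` stay at their `''` defaults (or several be set at once), which the README for this commit says is not allowed; a compile-time guard such as `if $ipaddr == '' and $ipv6addr == '' and $virtual_server == '' { fail('Specify one of $ipaddr, $ipv6addr or $virtual_server') }` catches the mistake in Puppet rather than leaving radiusd to reject proxy.conf on restart. `$secret` is required but nothing stops an empty string reaching the template, and that shared secret is the only thing authenticating traffic to the home server, so a non-empty check next to the other validations would be worthwhile.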
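Review bot: `$home_server` is iterated with `.each` in home_server_pool.erb but never validated as an array, so passing a single string for a one-member pool fails inside the ERB with a Ruby error instead of a readable Puppet message; add `unless is_array($home_server) { fail('$home_server must be an array of home_server names') }` next to the existing `$type` check. The comment `# Configure config fragment for this home server` was carried over from home_server.pp and should say `pool` so the two defines are not confused when grepping.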
@@ -71,6 +71,7 @@ group => $freeradius::fr_group, mode => '0640', require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + notify => Service[$freeradius::fr_service], } concat::fragment { 'policy_header': target => "${freeradius::fr_basepath}/policy.conf", @@ -83,6 +84,15 @@ order => '99', } + # Set up concat proxy file + concat { "${freeradius::fr_basepath}/proxy.conf": + owner => 'root', + group => $freeradius::fr_group, + mode => '0640', + require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + notify => Service[$freeradius::fr_service], + } + # Install a slightly tweaked stock dictionary that includes # our custom dictionaries concat { "${freeradius::fr_basepath}/dictionary": @@ -264,7 +274,6 @@ file { [ "${freeradius::fr_basepath}/sites-available/default", "${freeradius::fr_basepath}/sites-available/inner-tunnel", - "${freeradius::fr_basepath}/proxy.conf", "${freeradius::fr_basepath}/clients.conf", "${freeradius::fr_basepath}/sql.conf", ]: diff --git a/manifests/realm.pp b/manifests/realm.pp new file mode 100644 index 00000000..ec67cb49 --- /dev/null +++ b/manifests/realm.pp @@ -0,0 +1,22 @@ +# Set up proxy realms +define freeradius::realm ( + $virtual_server = '', + $auth_pool = '', + $acct_pool = '', + $pool = '', + $nostrip = false, +) { + $fr_basepath = $::freeradius::params::fr_basepath + + # Validate bools + unless is_bool($nostrip) { + fail('nostrip must be true or false') + } + + # Configure config fragment for this realm + concat::fragment { "realm-${name}": + target => "${fr_basepath}/proxy.conf", + content => template('freeradius/realm.erb'), + order => 30, + } +} diff --git a/templates/home_server.erb b/templates/home_server.erb new file mode 100644 index 00000000..bd207df0 --- /dev/null +++ b/templates/home_server.erb 
@@ -0,0 +1,16 @@ +home_server <%= @name %> { + type = <%= @type %> +<% if @ipaddr != '' -%> + ipaddr = <%= @ipaddr %> +<% end -%> +<% if @ipv6addr != '' -%> + ipv6addr = <%= @ipv6addr %> +<% end -%> +<% if @virtual_server != '' -%> + virtual_server = <%= @virtual_server %> +<% end -%> + port = <%= @port %> + proto = <%= @proto %> + secret = <%= @secret %> +} + diff --git a/templates/home_server_pool.erb b/templates/home_server_pool.erb new file mode 100644 index 00000000..e33132a7 --- /dev/null +++ b/templates/home_server_pool.erb @@ -0,0 +1,13 @@ +home_server_pool <%= @name %> { + type = <%= @type %> +<% if @virtual_server != '' -%> + virtual_server = <%= @virtual_server %> +<% end -%> +<% @home_server.each do |server| -%> + home_server = <%= server %> +<% end -%> +<% if @fallback != '' -%> + fallback = <%= @fallback %> +<% end -%> +} + diff --git a/templates/realm.erb b/templates/realm.erb new file mode 100644 index 00000000..59ae0203 --- /dev/null +++ b/templates/realm.erb @@ -0,0 +1,18 @@ +realm <%= @name %> { +<% if @virtual_server != '' -%> + virtual_server = <%= @virtual_server %> +<% end -%> +<% if @auth_pool != '' -%> + auth_pool = <%= @auth_pool %> +<% end -%> +<% if @acct_pool != '' -%> + acct_pool = <%= @acct_pool %> +<% end -%> +<% if @pool != '' -%> + pool = <%= @pool %> +<% end %> +<% if @nostrip -%> + nostrip +<% end -%> +} + From 5ee7a74fa4e39d82e9ece89f2001c31deadc694c Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Mon, 26 Oct 2015 16:40:41 +0000 Subject: [PATCH 30/40] Delete some modules which come bundled with the server --- manifests/init.pp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index 71fe7590..ccf0dabf 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
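Review bot: `secret = <%= @secret %>` is emitted unquoted, whereas the FR3 client template added later in this series writes `secret = "<%= @secret %>"`; a shared secret containing whitespace or `#` will, as far as FreeRADIUS's config parser goes, be truncated at the first such character or rejected outright, and the mismatch only shows up as failed proxying after a restart. Quote it the same way here, and consider rejecting secrets containing `"` in the define so the quoting cannot be broken either. The template also writes `port = <%= @port %>` unchanged for `type = coa`, where the README says 3799 is expected, so every CoA home server must remember to override the 1812 default.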
@@ -64,6 +64,12 @@ notify => Service[$freeradius::fr_service], } + # Delete some modules which come bundled with the server that we + # know break functionality out of the box with this config + freeradius::module { 'eap': + ensure => absent, + } + # Set up concat policy file, as there is only one global policy # We also add standard header and footer concat { "${freeradius::fr_basepath}/policy.conf": From 3119bb9269f5de3be631742022803d4285dead61 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 27 Oct 2015 15:11:06 +0000 Subject: [PATCH 31/40] Provide a better way to manage attribute filters --- manifests/attr.pp | 29 +++++++++++++++++++++++------ manifests/init.pp | 10 ++++++++++ templates/attr.fr2.erb | 5 +++++ templates/attr.fr3.erb | 5 +++++ 4 files changed, 43 insertions(+), 6 deletions(-) create mode 100644 templates/attr.fr2.erb create mode 100644 templates/attr.fr3.erb diff --git a/manifests/attr.pp b/manifests/attr.pp index 2017da6a..7400a712 100644 --- a/manifests/attr.pp +++ b/manifests/attr.pp 
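Review bot: Declaring `freeradius::module { 'eap': ensure => absent }` unconditionally in the main class means a site that needs EAP (any 802.1X deployment) cannot declare its own `freeradius::module { 'eap': ... }` without a duplicate-declaration error, and on FR3 it removes the `mods-enabled/eap` entry with nothing to put in its place. Gate it on a class parameter that preserves today's behaviour, e.g. `if $remove_eap { freeradius::module { 'eap': ensure => absent } }` with `$remove_eap = true` documented in the README. The comment and commit title say "some modules" while the list has one entry; say `eap` explicitly so the next reader knows the list is deliberately that short.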
@@ -2,19 +2,36 @@ define freeradius::attr ( $source, $ensure = present, + $key = 'User-Name', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath - $fr_group = $::freeradius::params::fr_group + $fr_package = $::freeradius::params::fr_package + $fr_service = $::freeradius::params::fr_service + $fr_basepath = $::freeradius::params::fr_basepath + $fr_group = $::freeradius::params::fr_group + $fr_modconfigpath = $::freeradius::params::fr_modconfigpath + $fr_modulepath = $::freeradius::params::fr_modulepath - file { "${fr_basepath}/attr.d/${name}": + # Decide on location for attribute filters + $location = $::freeradius_maj_version ? { + 2 => $fr_basepath, + 3 => $fr_modconfigpath, + default => $fr_modconfigpath, + } + + # Install the attribute filter snippet + file { "${location}/${name}": ensure => $ensure, mode => '0640', owner => 'root', group => $fr_group, source => $source, - require => [File["${fr_basepath}/attr.d"], Package[$fr_package], Group[$fr_group]], + require => [Package[$fr_package], Group[$fr_group]], notify => Service[$fr_service], } + + # Reference all attribute snippets in one file + concat::fragment { "attr-${name}": + target => "${fr_modulepath}/attr_filter", + content => template("freeradius/attr.fr${::freeradius_maj_version}.erb"), + } } diff --git a/manifests/init.pp b/manifests/init.pp index ccf0dabf..7fa6e5db 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -99,6 +99,16 @@ notify => Service[$freeradius::fr_service], } + # Set up attribute filter file + concat { "${freeradius::fr_modulepath}/attr_filter": + owner => 'root', + group => $freeradius::fr_group, + mode => '0640', + require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]], + notify => Service[$freeradius::fr_service], + } + + # Install a slightly tweaked stock dictionary that includes # our custom dictionaries concat { "${freeradius::fr_basepath}/dictionary": diff --git a/templates/attr.fr2.erb b/templates/attr.fr2.erb new file mode 100644 index 00000000..12d876e4 --- /dev/null +++ b/templates/attr.fr2.erb @@ -0,0 +1,5 @@ +attr_filter filter.<%= @name %> { + key = %{<%= @key %>} + attrsfile = ${confdir}/attr.d/<%= @name %> +} + diff --git a/templates/attr.fr3.erb b/templates/attr.fr3.erb new file mode 100644 index 00000000..d8c1e824 --- /dev/null +++ b/templates/attr.fr3.erb @@ -0,0 +1,5 @@ +attr_filter attr_filter.<%= @name %> { + key = "%{<%= @key %>}" + filename = ${modconfdir}/${.:name}/<%= @name %> +} + From 97c33b88e81c95cadf5554b01cece84aef76c8a9 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 27 Oct 2015 15:25:22 +0000 Subject: [PATCH 32/40] Fix path error --- manifests/attr.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/manifests/attr.pp b/manifests/attr.pp index 7400a712..c63041ca 100644 --- a/manifests/attr.pp +++ b/manifests/attr.pp 
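Review bot: On FR3 `${freeradius::fr_modulepath}/attr_filter` resolves to `mods-enabled/attr_filter`, which the stock package ships as a symlink into `mods-available` (worth confirming on the CentOS 7 build this series targets); the concat will replace that link with a regular file, so the `mods-available/attr_filter` copy becomes dead config that an operator may still edit by mistake. A one-line comment above the resource, `# On FR3 this replaces the packaged mods-enabled/attr_filter symlink; mods-available/attr_filter is no longer read`, would prevent that. The trailing double blank line before the dictionary comment is also a small formatting slip.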
@@ -4,18 +4,18 @@ $ensure = present, $key = 'User-Name', ) { - $fr_package = $::freeradius::params::fr_package - $fr_service = $::freeradius::params::fr_service - $fr_basepath = $::freeradius::params::fr_basepath - $fr_group = $::freeradius::params::fr_group - $fr_modconfigpath = $::freeradius::params::fr_modconfigpath - $fr_modulepath = $::freeradius::params::fr_modulepath + $fr_package = $::freeradius::params::fr_package + $fr_service = $::freeradius::params::fr_service + $fr_basepath = $::freeradius::params::fr_basepath + $fr_group = $::freeradius::params::fr_group + $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath + $fr_modulepath = $::freeradius::params::fr_modulepath # Decide on location for attribute filters $location = $::freeradius_maj_version ? { 2 => $fr_basepath, - 3 => $fr_modconfigpath, - default => $fr_modconfigpath, + 3 => "$fr_moduleconfigpath/attr_filter", + default => $fr_moduleconfigpath, } # Install the attribute filter snippet From 6d78b1e30ef69dec4d1d49a07469387667a67bd9 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 27 Oct 2015 15:34:28 +0000 Subject: [PATCH 33/40] Install default attribute filtesr --- manifests/attr.pp | 1 + manifests/init.pp | 6 ++++ templates/attr_default.fr2.erb | 48 ++++++++++++++++++++++++++++++++ templates/attr_default.fr3.erb | 50 ++++++++++++++++++++++++++++++++++ 4 files changed, 105 insertions(+) create mode 100644 templates/attr_default.fr2.erb create mode 100644 templates/attr_default.fr3.erb diff --git a/manifests/attr.pp b/manifests/attr.pp index c63041ca..f0ca5f45 100644 --- a/manifests/attr.pp +++ b/manifests/attr.pp @@ -33,5 +33,6 @@ concat::fragment { "attr-${name}": target => "${fr_modulepath}/attr_filter", content => template("freeradius/attr.fr${::freeradius_maj_version}.erb"), + order => 20, } } diff --git a/manifests/init.pp b/manifests/init.pp index 7fa6e5db..2b6876b4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
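Review bot: The FR2 branch is still wrong after this "path error" fix: `2 => $fr_basepath` installs the filter at `${fr_basepath}/${name}`, but templates/attr.fr2.erb from the previous commit points the module at `${confdir}/attr.d/<name>`, so on FR2 radiusd will look for a file Puppet never wrote. Change it to `2 => "${fr_basepath}/attr.d",` and restore a `File["${fr_basepath}/attr.d"]` requirement, since the `require` on that directory was dropped in the previous commit. The `default` arm also lacks the `/attr_filter` suffix the `3` arm now has, and `"$fr_moduleconfigpath/attr_filter"` should be written `"${fr_moduleconfigpath}/attr_filter"` to match the rest of the file and keep puppet-lint quiet.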
@@ -108,6 +108,12 @@ notify => Service[$freeradius::fr_service], } + # Install default attribute filters + concat::fragment { "attr-default": + target => "${fr_modulepath}/attr_filter", + content => template("freeradius/attr_default.fr${::freeradius_maj_version}.erb"), + order => 10, + } # Install a slightly tweaked stock dictionary that includes # our custom dictionaries diff --git a/templates/attr_default.fr2.erb b/templates/attr_default.fr2.erb new file mode 100644 index 00000000..acb28a9c --- /dev/null +++ b/templates/attr_default.fr2.erb @@ -0,0 +1,48 @@ +# -*- text -*- +# +# $Id$ + +# +# This file defines a number of instances of the "attr_filter" module. +# + +# attr_filter - filters the attributes received in replies from +# proxied servers, to make sure we send back to our RADIUS client +# only allowed attributes. +attr_filter attr_filter.post-proxy { + attrsfile = ${confdir}/attrs +} + +# attr_filter - filters the attributes in the packets we send to +# the RADIUS home servers. +attr_filter attr_filter.pre-proxy { + attrsfile = ${confdir}/attrs.pre-proxy +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_reject { + key = %{User-Name} + attrsfile = ${confdir}/attrs.access_reject +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_challenge { + key = %{User-Name} + attrsfile = ${confdir}/attrs.access_challenge +} + + +# Enforce RFC requirements on the contents of the +# Accounting-Response packets. See the comments at the +# top of the file for more details. +# +attr_filter attr_filter.accounting_response { + key = %{User-Name} + attrsfile = ${confdir}/attrs.accounting_response +} diff --git a/templates/attr_default.fr3.erb b/templates/attr_default.fr3.erb new file mode 100644 index 00000000..1caff077 --- /dev/null 
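Review bot: The new fragment targets `"${fr_modulepath}/attr_filter"` while the matching `concat` resource two hunks earlier is declared as `"${freeradius::fr_modulepath}/attr_filter"`; these only coincide if `$fr_modulepath` is a class-scope variable of `freeradius`, which the visible hunks do not show, and if it is not the fragment's target will not resolve. Use the same `${freeradius::fr_modulepath}` form here so the pairing is obvious, and write the title as `'attr-default'` since it contains no interpolation. In the accompanying attr_default.fr2.erb, the comment above `attr_filter.access_challenge` still says "Access-Reject" (a copy of the stock file's typo) and both templates refer to "the comments at the top of the file" that this template does not contain; fix the first and drop the second.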
+++ b/templates/attr_default.fr3.erb @@ -0,0 +1,50 @@ +# -*- text -*- +# +# $Id$ + +# +# This file defines a number of instances of the "attr_filter" module. +# + +# attr_filter - filters the attributes received in replies from +# proxied servers, to make sure we send back to our RADIUS client +# only allowed attributes. +attr_filter attr_filter.post-proxy { + key = "%{Realm}" + filename = ${modconfdir}/${.:name}/post-proxy +} + +# attr_filter - filters the attributes in the packets we send to +# the RADIUS home servers. +attr_filter attr_filter.pre-proxy { + key = "%{Realm}" + filename = ${modconfdir}/${.:name}/pre-proxy +} + +# Enforce RFC requirements on the contents of Access-Reject +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_reject { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/access_reject +} + +# Enforce RFC requirements on the contents of Access-Challenge +# packets. See the comments at the top of the file for +# more details. +# +attr_filter attr_filter.access_challenge { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/access_challenge +} + + +# Enforce RFC requirements on the contents of the +# Accounting-Response packets. See the comments at the +# top of the file for more details. +# +attr_filter attr_filter.accounting_response { + key = "%{User-Name}" + filename = ${modconfdir}/${.:name}/accounting_response +} From a99e40ea187c614e58da8e953cdedea3f31601ce Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 27 Oct 2015 15:59:31 +0000 Subject: [PATCH 34/40] Update README to reflect the changes to attribute filters --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 17060444..cfb18b27 100644 --- a/README.md +++ b/README.md 
@@ -147,10 +147,15 @@ Whether the control socket should be read-only or read-write. Choose from `ro`, #### `freeradius::attr` -Install arbitrary attribute filters from a flat file. These are installed in `/etc/raddb/attr.d` +Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory. + +##### `key` + +Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name. ```puppet freeradius::attr { 'eduroamlocal': + key => 'User-Name', source => 'puppet:///modules/site_freeradius/eduroamlocal', } ``` From 38d1da77b91de6a475fe58129b04de8f045a9f6b Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Tue, 27 Oct 2015 16:23:51 +0000 Subject: [PATCH 35/40] Allow customisable prefix for attribute filters --- README.md | 7 +++++++ manifests/attr.pp | 1 + templates/attr.fr2.erb | 2 +- templates/attr.fr3.erb | 2 +- 4 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cfb18b27..9198a3f4 100644 --- a/README.md +++ b/README.md @@ -148,14 +148,21 @@ Whether the control socket should be read-only or read-write. Choose from `ro`, #### `freeradius::attr` Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory. +The contents of the `attr_filter` module are automatically updated to reference the filters. ##### `key` Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name. +##### `prefix` + +Specify the prefix for the attribute filter name before the dot, e.g. `filter.post_proxy`. This is usually set +to `filter` on FR2 and `attr_filter` on FR3. Default: `filter`. + ```puppet freeradius::attr { 'eduroamlocal': key => 'User-Name', + prefix => 'attr_filter', source => 'puppet:///modules/site_freeradius/eduroamlocal', } ``` diff --git a/manifests/attr.pp b/manifests/attr.pp index f0ca5f45..d032040e 100644 --- a/manifests/attr.pp 
+++ b/manifests/attr.pp @@ -3,6 +3,7 @@ $source, $ensure = present, $key = 'User-Name', + $prefix = 'filter', ) { $fr_package = $::freeradius::params::fr_package $fr_service = $::freeradius::params::fr_service diff --git a/templates/attr.fr2.erb b/templates/attr.fr2.erb index 12d876e4..8513c3ca 100644 --- a/templates/attr.fr2.erb +++ b/templates/attr.fr2.erb @@ -1,4 +1,4 @@ -attr_filter filter.<%= @name %> { +attr_filter <%= @prefix %>.<%= @name %> { key = %{<%= @key %>} attrsfile = ${confdir}/attr.d/<%= @name %> } diff --git a/templates/attr.fr3.erb b/templates/attr.fr3.erb index d8c1e824..7ce530c6 100644 --- a/templates/attr.fr3.erb +++ b/templates/attr.fr3.erb @@ -1,4 +1,4 @@ -attr_filter attr_filter.<%= @name %> { +attr_filter <%= @prefix %>.<%= @name %> { key = "%{<%= @key %>}" filename = ${modconfdir}/${.:name}/<%= @name %> } From ebe60105ea93e7569a4e5b86b6e40edb01b5ab2e Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 29 Oct 2015 12:48:18 +0000 Subject: [PATCH 36/40] Make the LDAP templates specify the module name --- templates/ldap.fr2.erb | 2 +- templates/ldap.fr3.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ldap.fr2.erb b/templates/ldap.fr2.erb index 6e2d4baa..85a7bef2 100644 --- a/templates/ldap.fr2.erb +++ b/templates/ldap.fr2.erb @@ -26,7 +26,7 @@ # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. # -ldap { +ldap <%= @name %> { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. diff --git a/templates/ldap.fr3.erb b/templates/ldap.fr3.erb index c14ef41b..e94bab9c 100644 --- a/templates/ldap.fr3.erb +++ b/templates/ldap.fr3.erb @@ -5,7 +5,7 @@ # # Lightweight Directory Access Protocol (LDAP) # -ldap { +ldap <%= @name %> { # Note that this needs to match the name(s) in the LDAP server # certificate, if you're using ldaps. See OpenLDAP documentation # for the behavioral semantics of specifying more than one host. 
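Review bot: `$prefix` is interpolated straight into the `attr_filter <prefix>.<name> {` section header in both templates but is not validated, so a value with whitespace or braces produces an unparsable module file; a check alongside the others, e.g. `validate_re($prefix, '^[A-Za-z0-9_.-]+$', '$prefix must be a plain identifier')`, keeps the failure in Puppet. The README says the prefix "is usually set to filter on FR2 and attr_filter on FR3", yet the default is `filter` on both, so every FR3 user must override it; a version-keyed default in the define (selecting on `$::freeradius_maj_version` as the `$location` selector already does) would make the documented convention the actual behaviour.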
From fdd3d3d44fbf04027c5d09df020c1fff61f0d7f1 Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 29 Oct 2015 12:54:06 +0000 Subject: [PATCH 37/40] Tidy up the FR3 template so more variables are exposed. Fix non-printing characters. --- manifests/ldap.pp | 34 ++++++++++++++++------------------ templates/ldap.fr3.erb | 19 ++++++++++++------- 2 files changed, 28 insertions(+), 25 deletions(-) diff --git a/manifests/ldap.pp b/manifests/ldap.pp index 4d05621e..fe59d8a0 100644 --- a/manifests/ldap.pp +++ b/manifests/ldap.pp @@ -3,25 +3,23 @@ $identity, $password, $basedn, - $server = 'localhost', - $port = 389, - $uses = 0, - $idle = 60, - $probes = 3, - $interval = 3, - $timeout = 10, - $start = '${thread[pool].start_servers}', - $min = '${thread[pool].min_spare_servers}', - $max = '${thread[pool].max_servers}', - $spare = '${thread[pool].max_spare_servers}', - $ensure = 'present', - - $starttls = 'no', - $cafile = '', - $certfile = '', - $keyfile = '', + $server = 'localhost', + $port = 389, + $uses = 0, + $idle = 60, + $probes = 3, + $interval = 3, + $timeout = 10, + $start = '${thread[pool].start_servers}', + $min = '${thread[pool].min_spare_servers}', + $max = '${thread[pool].max_servers}', + $spare = '${thread[pool].max_spare_servers}', + $ensure = 'present', + $starttls = 'no', + $cafile = '', + $certfile = '', + $keyfile = '', $requirecert = 'allow', - ) { $fr_package = $::freeradius::params::fr_package $fr_service = $::freeradius::params::fr_service diff --git a/templates/ldap.fr3.erb b/templates/ldap.fr3.erb index e94bab9c..e42ef920 100644 --- a/templates/ldap.fr3.erb +++ b/templates/ldap.fr3.erb 
@@ -21,12 +21,12 @@ ldap <%= @name %> { # server = 'ldap.rrdns.example.org' # Port to connect on, defaults to 389, will be ignored for LDAP URIs. -# port = <%= @port %> + port = <%= @port %> # Administrator account for searching and possibly modifying. # If using SASL + KRB5 these should be commented out. -# identity = '<%= @identity %>' -# password = mypass + identity = '<%= @identity %>' + password = '<%= @password %>' # Unless overridden in another section, the dn from which all # searches will start from. @@ -503,11 +503,16 @@ ldap <%= @name %> { # using ldaps (port 636) connections start_tls = <%= @starttls %> -<% if @cafile %> ca_file = <%= @cafile %><% end %> - +<% if @cafile != '' -%> + ca_file = <%= @cafile %> +<% end -%> # ca_path = ${certdir} -<% if @certfile %> certificate_file = <%= @certfile %><% end %> -<% if @keyfile %> private_key_file = <%= @keyfile %><% end %> +<% if @certfile != '' -%> + certificate_file = <%= @certfile %> +<% end -%> +<% if @keyfile != '' -%> + private_key_file = <%= @keyfile %> +<% end -%> # random_file = /dev/urandom # Certificate Verification requirements. Can be: From 8bbff5fe818240343bce3219e28831479a01484b Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Thu, 29 Oct 2015 14:50:11 +0000 Subject: [PATCH 38/40] Make FR3 look in clients.d --- templates/radiusd.conf.fr3.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/radiusd.conf.fr3.erb b/templates/radiusd.conf.fr3.erb index e42fc0ce..c21d0e4b 100644 --- a/templates/radiusd.conf.fr3.erb +++ b/templates/radiusd.conf.fr3.erb @@ -510,7 +510,7 @@ $INCLUDE proxy.conf # Anything listed in 'clients.conf' will take precedence over the # information from the old-style configuration files. # -$INCLUDE clients.conf +$INCLUDE ${confdir}/clients.d/ # THREAD POOL CONFIGURATION From eb668015be8e4466b229dc5f8462726112267b05 Mon Sep 17 00:00:00 2001 
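Review bot: The bind credentials are now rendered verbatim inside single quotes (`identity = '<%= @identity %>'`, `password = '<%= @password %>'`), so a password containing `'` or a backslash yields a truncated or unparsable module file, and the failure only surfaces when radiusd restarts rather than at catalog compile time. Either reject those characters in `freeradius::ldap` or escape them in the template, and add a comment such as `# bind password is written in clear text; the module file is root:<fr_group> 0640 via freeradius::module` so the exposure is documented. The enclosing `ldap <%= @name %> {` section starts before and ends after this hunk.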
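Review bot: With `ca_file` only emitted when `$cafile` is non-empty and `# ca_path = ${certdir}` left commented out, a `start_tls = yes` instance with no `cafile` has no trust anchor at all, and since `freeradius::ldap` defaults `$requirecert` to `allow` in this series the server certificate is effectively never verified; that silently downgrades StartTLS to unauthenticated encryption. Fail in the define when `$starttls == 'yes'` and `$cafile == ''` unless `$requirecert` is explicitly `never`/`allow`, or at least add `# NOTE: no ca_file and require_cert=allow means the LDAP server is not authenticated` above `start_tls`. The `ldap <%= @name %> {` section this belongs to starts before this hunk.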
From: Jonathan Gazeley Date: Thu, 29 Oct 2015 14:55:09 +0000 Subject: [PATCH 39/40] Use different client templates for FR2 and FR3 --- manifests/client.pp | 2 +- manifests/statusclient.pp | 2 +- templates/{client.conf.erb => client.conf.fr2.erb} | 0 templates/client.conf.fr3.erb | 10 ++++++++++ 4 files changed, 12 insertions(+), 2 deletions(-) rename templates/{client.conf.erb => client.conf.fr2.erb} (100%) create mode 100644 templates/client.conf.fr3.erb diff --git a/manifests/client.pp b/manifests/client.pp index 5a3cba6d..6283cdda 100644 --- a/manifests/client.pp +++ b/manifests/client.pp @@ -23,7 +23,7 @@ mode => '0640', owner => 'root', group => $fr_group, - content => template('freeradius/client.conf.erb'), + content => template("freeradius/client.conf.fr${::freeradius_maj_version}.erb"), require => [File["${fr_basepath}/clients.d"], Group[$fr_group]], notify => Service[$fr_service], } diff --git a/manifests/statusclient.pp b/manifests/statusclient.pp index 6a4c3300..54d2dec6 100644 --- a/manifests/statusclient.pp +++ b/manifests/statusclient.pp @@ -18,7 +18,7 @@ mode => '0640', owner => 'root', group => $fr_group, - content => template('freeradius/client.conf.erb'), + content => template("freeradius/client.conf.fr${::freeradius_maj_version}.erb"), require => [File["${fr_basepath}/clients.d"], Package[$fr_package], Group[$fr_group]], notify => Service[$fr_service], } diff --git a/templates/client.conf.erb b/templates/client.conf.fr2.erb similarity index 100% rename from templates/client.conf.erb rename to templates/client.conf.fr2.erb diff --git a/templates/client.conf.fr3.erb b/templates/client.conf.fr3.erb new file mode 100644 index 00000000..e6f65d6f --- /dev/null +++ b/templates/client.conf.fr3.erb 
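Review bot: `template("freeradius/client.conf.fr${::freeradius_maj_version}.erb")` depends on a custom fact that is absent on a node's first run or whenever the FreeRADIUS package is not yet installed, in which case the name collapses to `client.conf.fr.erb` and the catalog fails with an unhelpful "template not found". Guard it once, e.g. `if $::freeradius_maj_version == undef { fail('freeradius_maj_version fact is not set; install the package first') }`, or resolve a `$fr_template_suffix` in params.pp with a sane default and use that in both client.pp and statusclient.pp. The surrounding `file` resource begins before each hunk.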
@@ -0,0 +1,10 @@ +client <%= @shortname %> { + <% if @ip %>ipaddr= <%= @ip %><% end %> + <% if @ip6 %>ipv6addr = <%= @ip6 %><% end %> + <% if @netmask %>netmask = <%= @netmask %><% end %> + shortname = <%= @shortname %> + secret = "<%= @secret %>" + <% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %> + <% if @nastype %>nas_type = <%= @nastype %><% end %> + require_message_authenticator = no +} From 29f85f72f7d10547487bebc1d4ad36ec534a468b Mon Sep 17 00:00:00 2001 From: Jonathan Gazeley Date: Mon, 2 Nov 2015 16:00:57 +0000 Subject: [PATCH 40/40] Update documentation to reflect support for FR3 --- README.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 9198a3f4..693365c5 100644 --- a/README.md +++ b/README.md @@ -33,9 +33,8 @@ ## Overview This module installs and configures [FreeRADIUS](http://freeradius.org/) server -on Linux. This module was written for use with FreeRADIUS 2.x and has not been -tested with FreeRADIUS 3.x. It was designed with CentOS in mind but should -work on other distributions. +on Linux. It supports FreeRADIUS 2.x and 3.x. It was designed with CentOS in mind +but should work on other distributions. ## Module Description 
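Review bot: `require_message_authenticator = no` is hard-coded for every FR3 client, which means forged Access-Requests from a spoofed client IP are accepted without the HMAC that Message-Authenticator provides; expose it as a parameter on `freeradius::client` (`require_message_authenticator = <%= @require_message_authenticator %>`, default `no` to preserve current behaviour) and document that it should be `yes` for EAP/802.1X clients, which always send the attribute. Separately, `<% if @ip %>` is always true in Ruby when the define defaults `$ip` to `''` like the other defines in this series, so an empty `ipaddr=` line is emitted; test with `!= ''` as home_server.erb does, and fix the `ipaddr= ` spacing while there.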
@@ -694,13 +693,9 @@ required. A short alias that is used in place of the IP address or fully qualifi ## Limitations -This module is targeted at FreeRADIUS 2.x running on CentOS 6. It has not been tested -on other distributions, but might work. Likely sticking points with other distros are -the names of packages, services and file paths. - -This module has not been tested on FreeRADIUS 3.x and almost certainly won't work -without modification. FreeRADIUS 3.x support in this module will come onto the roadmap -at the same time that my employer decides to start looking FreeRADIUS 3.x. +This module is targeted at FreeRADIUS 2.x running on CentOS 6 and FreeRADIUS 3.x running +on CentOS 7. It has not been thoroughly tested on other distributions, but might work. +Likely sticking points with other distros are the names of packages, services and file paths. This module was written for use with Puppet 3.6 and 3.7, but should be quite agnostic to new versions of Puppet. @@ -712,6 +707,9 @@ use probably haven't been written. Please send pull requests with new features a bug fixes. You are also welcome to file issues but I make no guarantees of development effort if the features aren't useful to my employer. +When contributing code, please ensure your change works on FreeRADIUS 2.x and 3.x - at +least until this module drops support for 2.x. + ## Release Notes ### 0.4.5