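# Base class to install and configure FreeRADIUS.
#
# Manages the FreeRADIUS package (plus optional add-on packages), the
# radiusd.conf template, the directory layout under $fr_basepath, the
# concat-assembled policy.conf and dictionary, the log directory and
# logrotate file, TLS Diffie-Hellman parameters, and the radiusd service.
#
# Restart safety: every resource in this class that changes radiusd's
# configuration notifies Exec['radiusd-config-test'] before the service.
# The service requires that exec, so when `radiusd -C` rejects the new
# configuration the exec fails, the service is skipped, the running
# daemon keeps its old (working) configuration and the Puppet run fails
# loudly instead of silently taking the RADIUS server down.
#
# Parameters:
#   $control_socket  - install the control-socket virtual server (false)
#   $max_servers     - consumed by radiusd.conf.erb, not used here ('4096')
#   $max_requests    - consumed by radiusd.conf.erb, not used here ('4096')
#   $mysql_support   - install the freeradius-mysql package (false)
#   $perl_support    - install the freeradius-perl package (false)
#   $utils_support   - install the freeradius-utils package (false)
#   $ldap_support    - install the freeradius-ldap package (false)
#   $wpa_supplicant  - install $fr_wpa_supplicant (false)
#   $winbind_support - add $fr_user to $fr_wbpriv_user so rlm_mschap can
#                      use ntlm_auth via winbind (false)
#   $syslog          - declare a syslog::rule routing radiusd messages to
#                      ${fr_logpath}/radius.log (false)
#
# All $fr_* variables are inherited from freeradius::params.
class freeradius (
  $control_socket  = false,
  $max_servers     = '4096',
  $max_requests    = '4096',
  $mysql_support   = false,
  $perl_support    = false,
  $utils_support   = false,
  $ldap_support    = false,
  $wpa_supplicant  = false,
  $winbind_support = false,
  $syslog          = false,
  ) inherits freeradius::params {

  # Main daemon configuration. Group-readable only: radiusd runs as
  # $fr_group and the file may contain material that should not be
  # world-readable (e.g. control-socket or proxy settings).
  file { 'radiusd.conf':
    name    => "${fr_basepath}/radiusd.conf",
    mode    => '0640',
    owner   => 'root',
    group   => $fr_group,
    content => template('freeradius/radiusd.conf.erb'),
    require => [Package[$fr_package], Group[$fr_group]],
    notify  => [Exec['radiusd-config-test'], Service[$fr_service]],
  }

  # Configuration directory tree. root:$fr_group 0750 so only the daemon
  # (via its group) can traverse it; the `certs` directory in particular
  # will hold private key material written by other classes.
  file { [
    $fr_basepath,
    "${fr_basepath}/clients.d",
    "${fr_basepath}/statusclients.d",
    "${fr_basepath}/instantiate",
    "${fr_basepath}/conf.d",
    "${fr_basepath}/attr.d",
    "${fr_basepath}/users.d",
    "${fr_basepath}/policy.d",
    "${fr_basepath}/dictionary.d",
    "${fr_basepath}/scripts",
    "${fr_basepath}/certs",
  ]:
    ensure  => directory,
    mode    => '0750',
    owner   => 'root',
    group   => $fr_group,
    require => [Package[$fr_package], Group[$fr_group]],
    notify  => [Exec['radiusd-config-test'], Service[$fr_service]],
  }

  # There is a single global policy { } block, so it is assembled with
  # concat: a fixed header and footer here, policies as fragments elsewhere.
  # The concat notifies the config test and the service so that a new or
  # changed policy is validated and applied on the same run.
  concat { "${fr_basepath}/policy.conf":
    owner   => 'root',
    group   => $fr_group,
    mode    => '0640',
    require => [Package[$fr_package], Group[$fr_group]],
    notify  => [Exec['radiusd-config-test'], Service[$fr_service]],
  }
  concat::fragment { 'policy_header':
    target  => "${fr_basepath}/policy.conf",
    content => "policy {\n",
    order   => 10,
  }
  concat::fragment { 'policy_footer':
    target  => "${fr_basepath}/policy.conf",
    content => "}\n",
    order   => '99',
  }

  # Stock dictionary, lightly tweaked so that site dictionaries in
  # dictionary.d are pulled in. Same concat/notify pattern as policy.conf.
  concat { "${fr_basepath}/dictionary":
    owner   => 'root',
    group   => $fr_group,
    mode    => '0640',
    require => [Package[$fr_package], Group[$fr_group]],
    notify  => [Exec['radiusd-config-test'], Service[$fr_service]],
  }
  concat::fragment { 'dictionary_header':
    target => "${fr_basepath}/dictionary",
    source => 'puppet:///modules/freeradius/dictionary.header',
    order  => 10,
  }
  concat::fragment { 'dictionary_footer':
    target => "${fr_basepath}/dictionary",
    source => 'puppet:///modules/freeradius/dictionary.footer',
    order  => 90,
  }

  # Core package; $fr_package carries the distro-specific package name.
  package { 'freeradius':
    ensure => installed,
    name   => $fr_package,
  }

  # Optional backend / helper packages.
  if $mysql_support {
    package { 'freeradius-mysql':
      ensure => installed,
    }
  }
  if $perl_support {
    package { 'freeradius-perl':
      ensure => installed,
    }
  }
  if $utils_support {
    package { 'freeradius-utils':
      ensure => installed,
    }
  }
  if $ldap_support {
    package { 'freeradius-ldap':
      ensure => installed,
    }
  }
  if $wpa_supplicant {
    package { 'wpa_supplicant':
      ensure => installed,
      name   => $fr_wpa_supplicant,
    }
  }

  # The service depends on the config test: if the test fails the service
  # resource is skipped, so an invalid configuration can never be applied
  # to the running daemon (and the Puppet run reports the failure).
  service { 'radiusd':
    ensure     => running,
    name       => $fr_service,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
    require    => [
      Exec['radiusd-config-test'],
      File['radiusd.conf'],
      User[$fr_user],
      Package[$fr_package],
    ],
  }

  # The radiusd user is created by the package; it is declared here only
  # so other resources can depend on it, and so it can be added to the
  # winbind privileged group when winbind support is wanted. With
  # $winbind_support false, `groups` is undef and group membership is
  # left untouched.
  user { $fr_user:
    ensure  => present,
    groups  => $winbind_support ? {
      true    => $fr_wbpriv_user,
      default => undef,
    },
    require => Package[$fr_package],
  }

  # Likewise the radiusd group is created by the package; declared so it
  # can be used as a dependency and as the group of managed files.
  group { $fr_group:
    ensure  => present,
    require => Package[$fr_package],
  }

  # Modules every FreeRADIUS installation needs.
  freeradius::module { 'always':
    source => 'puppet:///modules/freeradius/modules/always',
  }
  freeradius::module { 'detail':
    source => 'puppet:///modules/freeradius/modules/detail',
  }
  freeradius::module { 'detail.log':
    source => 'puppet:///modules/freeradius/modules/detail.log',
  }
  freeradius::module { 'logtosyslog':
    source => 'puppet:///modules/freeradius/modules/logtosyslog',
  }
  freeradius::module { 'logtofile':
    source => 'puppet:///modules/freeradius/modules/logtofile',
  }

  # Optional syslog routing: anything logged by program "radiusd" goes to
  # radius.log and is then discarded (`&~`) so it does not also land in
  # the general system log. Declared once, and only when requested.
  if $syslog == true {
    syslog::rule { 'radiusd-log':
      command => "if \$programname == \'radiusd\' then ${fr_logpath}/radius.log\n&~",
      order   => '12',
    }
  }

  # Optional control socket. Whoever can open this socket can administer
  # the running daemon, so the uid/gid/mode set in the site file decide
  # who gets that power - review them before enabling this.
  if $control_socket == true {
    freeradius::site { 'control-socket':
      source => 'puppet:///modules/freeradius/sites-enabled/control-socket',
    }
  }

  # Log directories must be traversable by the daemon's group but not by
  # everyone; ownership is left as set by the package.
  file { [
    $fr_logpath,
    "${fr_logpath}/radacct",
  ]:
    ensure  => directory,
    mode    => '0750',
    require => Package[$fr_package],
  }

  # Main log. Owned by the daemon so it can append; not world-readable
  # because it typically records usernames and authentication outcomes.
  file { "${fr_logpath}/radius.log":
    ensure  => file,
    owner   => $fr_user,
    group   => $fr_group,
    mode    => '0640',
    seltype => 'radiusd_log_t',
    require => [Package[$fr_package], User[$fr_user], Group[$fr_group]],
  }

  # Logrotate configuration extended to cover radiusd-*.log as well.
  file { '/etc/logrotate.d/radiusd':
    mode    => '0640',
    owner   => 'root',
    group   => $fr_group,
    content => template('freeradius/radiusd.logrotate.erb'),
    require => [Package[$fr_package], Group[$fr_group]],
  }

  # Diffie-Hellman parameters for the TLS-based EAP methods. 1024-bit DH
  # is no longer considered safe (see the Logjam attack), so 2048-bit
  # parameters are generated. `creates` guards the exec, which means an
  # existing 1024-bit file is NOT regenerated automatically: delete it on
  # already-deployed hosts to get new parameters. Generation can take a
  # few minutes on slow hosts, hence the longer timeout.
  exec { 'dh':
    command => "openssl dhparam -out ${fr_basepath}/certs/dh 2048",
    creates => "${fr_basepath}/certs/dh",
    path    => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
    timeout => 600,
    require => File["${fr_basepath}/certs"],
  }

  # Random seed file referenced by the TLS configuration (10 x 512 bytes).
  # Output is not discarded: dd only writes its transfer summary to stderr,
  # and Puppet shows exec output on failure only, so a failed write
  # (e.g. missing directory) is now visible instead of silently retried
  # on every run.
  exec { 'random':
    command => "dd if=/dev/urandom of=${fr_basepath}/certs/random count=10",
    creates => "${fr_basepath}/certs/random",
    path    => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
    require => File["${fr_basepath}/certs"],
  }

  # Validates the configuration before the service is restarted. It only
  # runs when a configuration resource notifies it (refreshonly).
  #
  # `radiusd -C` checks the configuration and exits non-zero when it is
  # invalid, which is what makes this exec fail and the service be
  # skipped. The previous `radiusd -XC | grep ... | wc -l` pipeline could
  # never fail: the exit status of a pipeline is that of its last command
  # and `wc -l` always returns 0, so broken configurations were restarted
  # into anyway. The debug flag is deliberately not used here either: -X
  # dumps the parsed configuration, which may include shared secrets, and
  # logoutput would then copy those into Puppet's logs and reports. To
  # see why a check failed, run `radiusd -XC` by hand on the host.
  # `sudo` is not needed: the agent already runs as root to manage the
  # package and service.
  exec { 'radiusd-config-test':
    command     => 'radiusd -C',
    refreshonly => true,
    logoutput   => on_failure,
    path        => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
    require     => Package[$fr_package],
  }

  # Blank the stock files that conflict with this module's layout. Blanking
  # beats deleting: an RPM upgrade re-creates missing files but leaves
  # modified ones alone (dropping .rpmnew copies instead, handled below).
  file { [
    "${fr_basepath}/sites-available/default",
    "${fr_basepath}/sites-available/inner-tunnel",
    "${fr_basepath}/proxy.conf",
    "${fr_basepath}/clients.conf",
  ]:
    content => "# FILE INTENTIONALLY BLANK\n",
    mode    => '0644',
    owner   => 'root',
    group   => $fr_group,
    require => [Package[$fr_package], Group[$fr_group]],
    notify  => [Exec['radiusd-config-test'], Service[$fr_service]],
  }

  # Remove *.rpmnew / *.rpmsave files left behind by RPM upgrades: radiusd
  # reads every file in its config directory, so these break the config.
  # Should be fixed in FreeRADIUS 2.2.0:
  # http://lists.freeradius.org/pipermail/freeradius-users/2012-October/063232.html
  # Only affects RPM-based systems. The patterns are single-quoted so they
  # reach find unexpanded when the command is run through a shell (the
  # `onlyif` pipeline needs one); unquoted, `*.rpmnew` would be globbed
  # against the exec's working directory instead.
  if $::osfamily == 'RedHat' {
    exec { 'delete-radius-rpmnew':
      command => "find ${fr_basepath} -name '*.rpmnew' -delete",
      onlyif  => "find ${fr_basepath} -name '*.rpmnew' | grep -q rpmnew",
      path    => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
      require => Package[$fr_package],
    }
    exec { 'delete-radius-rpmsave':
      command => "find ${fr_basepath} -name '*.rpmsave' -delete",
      onlyif  => "find ${fr_basepath} -name '*.rpmsave' | grep -q rpmsave",
      path    => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
      require => Package[$fr_package],
    }
  }
}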