README.md 55.4 KB
Newer Older
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1
# freeradius
Jonathan's avatar
Jonathan committed
2

3
4
5
6
#### Table of Contents

1. [Overview](#overview)
2. [Module Description - What the module does and why it is useful](#module-description)
7
3. [Usage - Configuration options and additional functionality](#usage)
8
9
    * [Classes](#classes)
       * [`freeradius`](#freeradius)
Jonathan Gazeley's avatar
Jonathan Gazeley committed
10
       * [`freeradius::status_server`](#freeradiusstatus_server)
11
       * [`freeradius::control_socket`](#freeradiuscontrol_socket)
12
    * [Resources](#resources)
13
       * [`freeradius::attr`](#freeradiusattr)
14
       * [`freeradius::blank`](#freeradiusblank)
15
       * [`freeradius::cert`](#freeradiuscert)
16
17
18
       * [`freeradius::client`](#freeradiusclient)
       * [`freeradius::config`](#freeradiusconfig)
       * [`freeradius::dictionary`](#freeradiusdictionary)
19
20
       * [`freeradius::home_server`](#freeradiushomeserver)
       * [`freeradius::home_server_pool`](#freeradiushomeserverpool)
21
       * [`freeradius::instantiate`](#freeradiusinstantiate)
22
       * [`freeradius::ldap`](#freeradiusldap)
23
       * [`freeradius::module::ldap`](#freeradiusmoduleldap)
24
       * [`freeradius::krb5`](#freeradiuskrb5)
25
       * [`freeradius::module`](#freeradiusmodule)
26
       * [`freeradius::module::ippool`](#freeradiusmoduleippool)
27
       * [`freeradius::module::linelog`](#freeradiusmodulelinelog)
28
       * [`freeradius::module::detail`](#freeradiusmoduledetail)
29
       * [`freeradius::module::files`](#freeradiusmodulefiles)
30
       * [`freeradius::module::eap`](#freeradiusmoduleeap)
31
32
       * [`freeradius::module::preprocess`](#freeradiusmodulepreprocess)
       * [`freeradius::module::huntgroup`](#freeradiusmodulehuntgroup)
33
       * [`freeradius::policy`](#freeradiuspolicy)
34
       * [`freeradius::realm`](#freeradiusrealm)
35
       * [`freeradius::site`](#freeradiussite)
Jonathan Gazeley's avatar
Jonathan Gazeley committed
36
       * [`freeradius::sql`](#freeradiussql)
37
       * [`freeradius::statusclient`](#freeradiusstatusclient)
38
       * [`freeradius::template`](#freeradiustemplate)
39
       * [`freeradius::virtual_module`](#freeradiusvirtual_module)
40
41
42
4. [Limitations - OS compatibility, etc.](#limitations)
5. [Development - Guide for contributing to the module](#development)
6. [Release Notes](#release-notes)
43
44
45

## Overview

46
This module installs and configures [FreeRADIUS](http://freeradius.org/) server
47
on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
Jonathan Gazeley's avatar
Jonathan Gazeley committed
48
49
50
51
but should work on other distributions. Please note that at this time, current
versions of Debian and Ubuntu still package FreeRADIUS 2.2.x which is end-of-life.
If you use Debian or Ubuntu, you will need to use version 1.x of this module,
which itself is no longer maintained.
52

53
54
55
56
This module requires Puppet 4.0.0 or greater. Puppet 3.x was
[discontinued](https://puppet.com/misc/puppet-enterprise-lifecycle) at
the end of 2016.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
57
58
59
60
61
62
| `jgazeley/freeradius` | FreeRADIUS  |
| --------------------- | ----------- |
| 2.x                   | 3.x         |
| 1.x                   | 2.x and 3.x |
| 0.x                   | 2.x         |

63
64
## Module Description

65
66
67
68
69
70
This module installs FreeRADIUS from a distro-provided package and installs a
number of customised config files to enable flexibility. It then provides some
helpers to allow you to easily configure virtual servers (sites), modules, clients
and other config items. Most of these items accept a flat config file which you
supply either as a static file or a template - similar to the `source` and `content`
parameters in Puppet's `file` resource.
71

72
73
74
This module is designed to make it more straightforward for RADIUS administrators to
deploy RADIUS servers using Puppet. This module does not serve as a wizard and does
not avoid having to have an understanding of FreeRADIUS.
75
76


77
## Usage
78

79
This module provides several classes and defined types which take parameters.
80

81
### Classes
82

83
#### `freeradius`
84

85
86
The `freeradius` class installs the base server. In the early releases, this class does not
have many parameters as most values are hard-coded. I am working on parameterising more
87
88
of the global settings to increase flexibility. Patches are welcome.

89
##### `control_socket`
90
Use of the control_socket parameter in the freeradius class is deprecated. Use the `freeradius::control_socket` class instead.
91

92
93
94
##### `correct_escapes`
Use correct backslash escaping in unlang. Default: `true`

95
96
97
98
99
100
101
##### `max_requests`
The maximum number of requests which the server keeps track of. This should be 256 multiplied by the number of clients. Default: `4096`

##### `max_servers`
Limit on the total number of servers running. Default: `4096`

##### `mysql_support`
102
Install support for MySQL. Note this only installs the package. Use `freeradius::sql` to configure SQL support. Default: `false`
103
104
105
106

##### `perl_support`
Install support for Perl. Default: `false`

107
108
109
##### `preserve_mods`
Leave recommended stock modules enabled. Default: `true`

110
111
112
113
114
115
##### `utils_support`
Install FreeRADIUS utils. Default: `false`

##### `ldap_support`
Install support for LDAP. Default: `false`

116
117
118
##### `krb5_support`
Install support for Kerberos. Default: `false`

119
##### `wpa_supplicant`
120
121
Install wpa_supplicant utility. Default: `false`

122
##### `winbind_support`
123
Add the radius user to the winbind privileged group. You must install winbind separately. Default: `false`.
124

125
126
127
##### `log_destination`
Configure destination of log messages. Valid values are `files`, `syslog`, `stdout` and `stderr`. Default: `files`.

128
##### `syslog`
129
Add a syslog rule (using the `saz/rsyslog` module). Default: `false`.
130

131
132
133
##### `log_auth`
Log authentication requests (yes/no). Default: `no`.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
134
135
```puppet
class { 'freeradius':
136
137
138
139
140
141
142
  max_requests    => 4096,
  max_servers     => 4096,
  mysql_support   => true,
  perl_support    => true,
  utils_support   => true,
  wpa_supplicant  => true,
  winbind_support => true,
143
  syslog          => true,
144
  log_auth        => 'yes',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
145
146
147
}
```

148
149
#### `freeradius::status_server`

150
151
The `freeradius::status_server` class enabled the [status server](http://wiki.freeradius.org/config/Status).
To remove the status server, do not include this class and the server will be removed.
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169

##### `secret`
The shared secret for the status server. Required.

##### `port`
The port to listen for status requests on. Default: `18121`

##### `listen`
The address to listen on. Defaults to listen on all addresses but you could set this to `$::ipaddress` or `127.0.0.1`.  Default: `*`

```puppet
  # Enable status server
  class { 'freeradius::status_server':
    port   => '18120',
    secret => 't0pSecret!',
  }
```

170
171
172
173
174
175
176
177
#### `freeradius::control_socket`

The `freeradius::control_socket` class enables the control socket which can be used with [RADMIN](http://freeradius.org/radiusd/man/radmin.html).
To remove the control socket, do not include this class and the socket will be removed.

##### `mode`
Whether the control socket should be read-only or read-write. Choose from `ro`, `rw`. Default: `ro`.

Jonathan Gazeley's avatar
Jonathan Gazeley committed
178
179
180
181
182
183
184
```puppet
  # Enable control socket
  class { 'freeradius::control_socket':
    mode => 'ro',
  }
```

185
### Resources
186

187
#### `freeradius::attr`
188

189
Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory.
190
The contents of the `attr_filter` module are automatically updated to reference the filters.
191
192
193
194

##### `key`

Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name.
Jonathan Gazeley's avatar
Jonathan Gazeley committed
195

196
197
198
199
200
##### `prefix`

Specify the prefix for the attribute filter name before the dot, e.g. `filter.post_proxy`. This is usually set
to `filter` on FR2 and `attr_filter` on FR3. Default: `filter`.

201
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
202
freeradius::attr { 'eduroamlocal':
203
  key    => 'User-Name',
204
  prefix => 'attr_filter',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
205
206
207
  source => 'puppet:///modules/site_freeradius/eduroamlocal',
}
```
208

209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
#### `freeradius::blank`

Selectively blank certain stock config files that aren't required. This is preferable to deleting them
because the package manager will replace certain files next time the package is upgraded, potentially
causing unexpected behaviour.

The resource title should be the relative path from the FreeRADIUS config directory to the file(s) you
want to blank. You can pass multiple files in an array.

```puppet
freeradius::blank { 'sites-enabled/default': }

freeradius::blank { [
  'sites-enabled/default',
  'eap.conf',
]: }
```

227
228
#### `freeradius::cert`

229
Install certificates as provided. These are installed in `/etc/raddb/certs`. Beware that any certificates *not* deployed by Puppet will be purged from this directory.
230
231
232
233
234
235
236
237

```puppet
freeradius::cert { 'mycert.pem':
  source => 'puppet:///modules/site_freeradius/mycert.pem',
  type   => 'key',
}
```

238
239
240
241
242
243
244
```puppet
freeradius::cert { 'mycert.pem':
  content => '<your key/cert content here>',
  type    => 'key',
}
```

245
246
247
248
##### `type`

Set file permissions on the installed certificate differently depending on whether this is a private key or a public certificate. Note that the default is to treat the file as a private key and remove world-readable privileges. Allowable values: `cert`, `key`. Default: `key`.

249
250
251
252
#### `freeradius::client`

Define RADIUS clients as seen in `clients.conf`

253
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
254
# Single host example
Jonathan Gazeley's avatar
Jonathan Gazeley committed
255
256
freeradius::client { "wlan-controller01":
  ip        => '192.168.0.1',
257
  secret    => 'testing123',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
258
  shortname => 'wlc01',
259
  nastype   => 'other',
Jonathan Gazeley's avatar
Jonathan Gazeley committed
260
261
262
  port      => '1645-1646',
  firewall  => true,
}
263
264
```

Jonathan Gazeley's avatar
Jonathan Gazeley committed
265
```puppet
266
# Range example
Jonathan Gazeley's avatar
Jonathan Gazeley committed
267
268
269
270
271
272
273
274
275
276
freeradius::client { "wlan-controllers":
  ip        => '192.168.0.0/24',
  secret    => 'testing123',
  shortname => 'wlc01',
  nastype   => 'other',
  port      => '1645-1646',
  firewall  => true,
}
```

277
##### `ip`
278
The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
279
Default: `undef`.
280
281

##### `ip6`
282
The IPv6 address of the client or range in CIDR format. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
Jonathan Gazeley's avatar
Jonathan Gazeley committed
283

284
##### `shortname`
285
A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Defaults to resource name.
286
287

##### `secret`
288
The RADIUS shared secret used for communication between the client/NAS and the RADIUS server. Required.
289
290

##### `virtual_server`
291
The virtual server that traffic from this client should be sent to. Default: `undef`.
292
293

##### `nastype`
294
The `nastype` attribute is used to tell the `checkrad.pl` script which NAS-specific method it should use when checking simultaneous use. See [`man clients.conf`](http://freeradius.org/radiusd/man/clients.conf.txt) for a list of all options. Default: `undef`.
295

296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
##### `proto`
Transport protocol used by the client. If unspecified, defaults to "udp", which is the traditional RADIUS transport. Valid values are `udp`, `tcp` or `*` for both of them. Default: `undef`.

##### `require_message_authenticator`
Old-style clients do not send a Message-Authenticator in an Access-Request.  RFC 5080 suggests that all clients SHOULD include it in an Access-Request. Valid values are `yes` and `no`. Default: `no`.

##### `login`
Login used by checkrad.pl when querying the NAS for simultaneous use. Default: `undef`.

##### `password`
Password used by checkrad.pl when querying the NAS for simultaneous use. Default: `undef`.

##### `coa_server`
A pointer to the "home_server_pool" OR a "home_server" section that contains the CoA configuration for this client. Default: `undef`.

##### `response_window`
Response window for proxied packets. Default: `undef`.

##### `max_connections`
Limit the number of simultaneous TCP connections from a client. It is ignored for clients sending UDP traffic. Default: `undef`.

##### `lifetime`
The lifetime, in seconds, of a TCP connection. It is ignored for clients sending UDP traffic. Default: `undef`.

##### `idle_timeout`
The idle timeout, in seconds, of a TCP connection. It is ignored for clients sending UDP traffic. Default: `undef`.


324
##### `port`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
325
The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server. Currently the port number is only used to create firewall exceptions and you only need to specify it if you set `firewall => true`. Use port range syntax as in [`puppetlabs-firewall`](https://forge.puppetlabs.com/puppetlabs/firewall). Default: `undef`.
326

327
328
##### `firewall`
Create a firewall exception for this virtual server. If this is set to `true`, you must also supply `port` and either `ip` or `ip6`. Default: `false`.
329

330
331
332
##### `attributes`
Array of attributes to assign to this client. Default: empty.

333
334
335
336
#### `freeradius::config`

Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d`

337
```puppet
338
339
340
341
342
freeradius::config { 'realm-checks.conf':
  source => 'puppet:///modules/site_freeradius/realm-checks.conf',
}
```

343
344
345
346
347
348
```puppet
freeradius::config { 'realm-checks.conf':
  content => template('your_template),
}
```

349
350
351
352
353
354
355
356
357
#### `freeradius::dictionary`

Install custom dictionaries without breaking the default FreeRADIUS dictionary. Custom dictionaries are installed in `/etc/raddb/dictionary.d` and automatically included in the global dictionary.

```puppet
freeradius::dictionary { 'mydict':
  source => 'puppet:///modules/site_freeradius/dictionary.mydict',
}
```
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
#### `freeradius::home_server`

This section defines a "Home Server" which is another RADIUS server that gets sent proxied requests.

##### `secret`

The shared secret use to "encrypt" and "sign" packets between FreeRADIUS and the home server.

##### `type`

Home servers can be sent Access-Request packets or Accounting-Request packets. Allowed values are:
* `auth` Handles Access-Request packets
* `acct`  Handles Accounting-Request packets
* `auth+acct` Handles Access-Request packets at "port" and Accounting-Request packets at "port + 1"
* `coa` Handles CoA-Request and Disconnect-Request packets.

Default: `auth`

##### `ipaddr`

IPv4 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `ipv6addr`

IPv6 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `virtual_server`

If you specify a virtual_server here, then requests will be proxied internally to that virtual server.
These requests CANNOT be proxied again, however. The intent is to have the local server handle packets
when all home servers are dead. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`

##### `port`

The port to which packets are sent. Usually 1812 for type "auth", and  1813 for type "acct".
Older servers may use 1645 and 1646. Use 3799 for type "coa" Default: `1812`

##### `proto`
The transport protocol. If unspecified, defaults to "udp", which is the traditional
RADIUS transport. It may also be "tcp", in which case TCP will be used to talk to
this home server. Default: `udp`

400
401
402
403
##### `status_check`
Type of check to see if the home_server is dead or alive. Valid values are `none`, `status-server`
and `request`. Default: `undef`.

404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439

#### `freeradius::home_server_pool`

##### `home_server`

An array of one or more home servers. The names of the home servers are NOT the hostnames, but the names
of the sections. (e.g. `home_server foo {...}` has name "foo".

Note that ALL home servers listed here have to be of the same type. i.e. they all have to be "auth", or they all have to
be "acct", or they all have to be "auth+acct".


##### `type`

The type of this pool controls how home servers are chosen.

* `fail-over` the request is sent to the first live home server in the list.  i.e. If the first home server is marked "dead", the second one is chosen, etc.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. 
* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.

The default type is `fail-over`.

##### `virtual_server`

A `virtual_server` may be specified here.  If so, the "pre-proxy" and "post-proxy" sections are called when
the request is proxied, and when a response is received.

##### `fallback`

If ALL home servers are dead, then this "fallback" home server is used. If set, it takes precedence over any realm-based
fallback, such as the DEFAULT realm.

For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!

440

441
442
#### `freeradius::instantiate`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
443
444
Instantiate a module that is not automatically instantiated.

445
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
446
447
freeradius::instantiate { 'mymodule': }
```
448

449
#### `freeradius::ldap`
450
451
452
Deprecated. Use `freeradius::module::ldap` instead.

#### `freeradius::module::ldap`
453
454
455

Configure LDAP support for FreeRADIUS

456
457
458
459
##### `ensure`

Whether the site should be present or not.

460
461
462
463
464
465
##### `identity`
LDAP account for searching the directory. Required.

##### `password`
Password for the `identity` account. Required.

466
467
468
469
470
471
472
473
474
##### `sasl`
SASL parameters to use for admin binds to the ldap server. This is a hash with 3 possible keys:

* `mech`: The SASL mechanism used.
* `proxy`: SASL authorizatino identity to proxy.
* `realm`: SASL realm (used for kerberos)

Default: `{}`

475
476
477
478
##### `basedn`
Unless overridden in another section, the dn from which all searches will start from. Required.

##### `server`
479
480
Array of hostnames or IP addresses of the LDAP server(s). Note that this needs to match the name(s) in the LDAP
server certificate, if you're using ldaps. Default: [`localhost`]
481
482
483
484

##### `port`
Port to connect to the LDAP server on. Default: `389`

485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
##### `valuepair_attribute`
Generic valuepair attribute. If set, this attribute will be retrieved in addition to any mapped attributes. Default: `undef`.

##### `update`
Array with mapping of LDAP directory attributes to RADIUS dictionary attributes. Default: `[]`

##### `edir`
Se to `yes` if you have eDirectory and want to use the universal password mechanisms. Possible values are `yes` and `no`. Default: `undef`.

##### `edir_autz`
Set to `yes`if you want to bind as the user after retrieving the Cleartest-Password. Possible values are `yes` and `no`. Default: `undef`.

##### `user_base_dn`
Where to start searching for users in the LDAP tree. Default: `${..base_dn}`.

##### `user_filter`
Filter for user objects. Default: `uid=%{%{Stripped-User-Name}-%{User-Name}})`

##### `user_sasl`
SASL parameters to use for user binds to the ldap server. This is a hash with 3 possible keys:

* `mech`: The SASL mechanism used.
* `proxy`: SASL authorizatino identity to proxy.
* `realm`: SASL realm (used for kerberos)

Default: `{}`

##### `user_scope`
Search scope for users. Valid values are `base`, `one`, `sub` and `children`. Default: `undef` (`sub` is applied).

##### `user_sort_by`
Server side result sorting. A list of space delimited attributes to order the result set by. Default: `undef`.

##### `user_access_attribute`
If this undefined, anyone is authorized. If it is defined, the contents of this attribute determine whether or not the user is authorised. Default: `undef`.

##### `user_access_positive`
Control whether the presence of 'access_attribute' allows access or denys access. Default: `undef`.

##### `group_base_dn`
Where to start searching for groups in the LDAP tree. Default: `${..base_dn}`.

##### `group_filter`
Filter for group objects. Default: `'(objectClass=posixGroup)'`.

##### `group_scope`
Search scope for groups. Valid values are `base`, `one`, `sub` and `children`. Default: `undef` (`sub` is applied).

##### `group_name_attribute`
Attribute that uniquely identifies a group. Default: `undef` (`'cn'` is applied).

##### `group_membership_filter`
Filter to find group objects a user is member of. That is, group objects with attributes that identify members (the inverse of `group_membership_attribute`). Default: `undef`.

##### `group_membership_attribute`
The attribute in user objects which contain the namos or DNs of groups a user is a member of. Default: `'memberOf'`.

##### `group_cacheable_name`
If `group_cacheable_name` or `group_cacheable_dn` are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropiaate for the instance of rlm_ldap. Default: `undef`.

##### `group_cacheable_dn`
If `group_cacheable_name` or `group_cacheable_dn` are enabled, all group information for the user will be retrieved from the directory and written to LDAP-Group attributes appropiaate for the instance of rlm_ldap. Default: `undef`.

##### `group_cache_attribute`
Override the normal cache attribute (`<inst>-LDAP-Group` or `LDAP-Group` if using the default instance) and create a custom attribute. Default: `undef`.

##### `group_attribute`
Override the normal group comparison attribute name (`<inst>-LDAP-Group` or `LDAP-Group` if using the default instance). Default: `undef`.

##### `profile_filter`
Filter for RADIUS profile objects. Default: `undef`.

##### `profile_default`
The default profile. This may be a DN or an attribute reference. Default: `undef`.

##### `profile_attribute`
The LDAP attribute containing profile DNs to apply in addition to the default profile above. Default: `undef`.

##### `client_base_dn`
Where to start searching for clients in the LDAP tree. Default: `'${..base_dn}'`.

##### `client_filter`
Filter to match client objects. Default: `'(objectClass=radiusClient)'`.

##### `client_scope`
Search scope for clients. Valid values are `base`, `one`, `sub` and `children`. Default: `undef` (`sub` is applied).

##### `read_clients`
Load clients on startup. Default: `undef` (`'no'` is applied).

##### `dereference`
Control under which situations LDAP aliases are followed. May be one of `never`, `searching`, `finding` or `always`. Default: `undef` (`always` is applied).

##### `chase_referrals`
With `rebind` control whether the server follows references returned by LDAP directory. Mostly used for AD compatibility. Default: `yes`.

##### `rebind`
With `chase_referrals` control whether the server follows references returned by LDAP directory. Mostly used for AD compatibility. Default: `yes`.

##### `use_referral_credentials`
On rebind, use the credentials from the rebind url instead of admin credentials. Default: `no`.

##### `session_tracking`
If `'yes'`, then include draft-wahl-ldap-session tracking controls. Default: `undef`.

590
591
592
593
##### `uses`
How many times the connection can be used before being re-established. This is useful for things
like load balancers, which may exhibit sticky behaviour without it. `0` is unlimited. Default: `0`

594
595
596
597
598
599
600
601
602
603
604
605
##### `retry_delay`
The number of seconds to wait after the server tries to open a connection, and fails. Default: `30'.

##### `lifetime`
The lifetime (in seconds) of the connection. Default: `0` (forever).

##### `idle_timeout`
Idle timeout (in seconds). A connection which is unused for this length of time will be closed. Default: `60`.

##### `connect_timeout`
Connection timeout (in seconds). The maximum amount of time to wait for a new connection to be established. Default: `3.0`.

606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
##### `idle`
Sets the idle time before keepalive probes are sent. Default `60`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `probes`
Sets the maximum number of keepalive probes TCP should send before dropping the connection. Default: `3`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `interval`
Setss the interval in seconds between individual keepalive probes. Default: `3`

This option may not be supported by your LDAP library. If this configuration entry appears in the
output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.

##### `timeout`
Number of seconds to wait for LDAP query to finish. Default: `10`

627
628
629
630
631
632
##### `timelimit`
Seconds LDAP server has to process the query (server-side time limit). Default: `20`.

##### `ldap_debug`
Debug flag for LDAP SDK. Default: `0x0028`.

633
634
635
##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
636
directory being available. Default: `${thread[pool].start_servers}`
637
638

##### `min`
639
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`
640
641
642
643
644

##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`

##### `spare`
645
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661

##### `starttls`
Set this to 'yes' to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation.
The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections

Default: `no`

##### `cafile`
Path to CA cert file for TLS

##### `certfile`
Path to cert file for TLS

##### `keyfile`
Path to key file for TLS

662
663
664
##### `random_file`
Random file used for TLS operations. Default: `undef` (`'/dev/urandom'` is used).

665
666
667
668
669
670
671
672
673
##### `requirecert`
Certificate Verification requirements. Choose from:
'never' (do not even bother trying)
'allow' (try, but don't fail if the certificate cannot be verified)
'demand' (fail if the certificate does not verify)
'hard'  (similar to 'demand' but fails if TLS cannot negotiate)

Default: `allow`

674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
#### `freeradius::krb5`
Configure Kerberos support for FreeRADIUS

##### `keytab`
Full path to the Kerberos keytab file

##### `principal`
Name of the service principal

##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. Default: `${thread[pool].start_servers}`

##### `min`
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`

##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`

##### `spare`
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
696

697
#### `freeradius::module`
698

699
Install a module from a flat file, or enable a stock module that came with your distribution of FreeRADIUS.
700

701
```puppet
702
703
704
705
706
707
708
709
# Enable a stock module
freeradius::module { 'pap':
  preserve => true,
}
```

```puppet
# Install a custom module from a flat file
710
711
712
713
714
freeradius::module { 'buffered-sql':
  source => 'puppet:///modules/site_freeradius/buffered-sql',
}
```

715
```puppet
716
# Install a custom module from a template
717
718
719
720
721
freeradius::module { 'buffered-sql':
  content => template('some_template.erb)',
}
```

722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
#### `freeradius::module::ippool`

Install a `ippool` module

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `range_start`
The first IP address of the pool.

##### `range_stop`
The last IP address of the pool.

##### `netmask`
The network mask used for the pool

##### `cache_size`
The gdbm cache size for the db files. Default: number of IP address in the range.

##### `filename`
The main db file used to allocate address. Default: `${db_dir}/db.${name}`

##### `ip_index`
Helper db index file. Default: `${db_dir}/db.${name}.index`

##### `override`
If set, the Framed-IP-Address already in the reply (if any) will be discarded. Default: `no`.

##### `maximum_timeout`
Maximum time in seconds that an entry may be active. Default: `0` (no timeout).

##### `key`
The key to use for the session database. Default: `undef`.

756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
#### `freeradius::module::linelog`
Install and configure linelog module to log text to files.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `filename`
The file where the logs will go. Default: `${logdir}/linelog`.

##### `escape_filenames`
If UTF-8 characters should be escaped from filename. Default: `no`.

##### `permissions`
Unix-style permissions for the log file. Default: `0600`.

##### `group`
The Unix group which owns the log file. Default: `undef`.

##### `syslog_facility`
Syslog facility (if logging via syslog). Default: `undef` (`daemon`).

##### `syslog_severity`
Syslog severity (if logging via syslog). Default: `undef` (`info`).

##### `format`
The default format string. Default: `This is a log message for %{User-Name}`.

##### `reference`
If it is defined, the line string logged is dynamically expanded and the result is used to find another configuration entry here, with the given name. That name is then used as the format string. Default: `messages.%{%reply:Packet-Type}:-default}`.

##### `messages`
Array of messages. The messages defined here are taken from the `reference` expansion. Default: `[]`.

##### `accounting_request`
Array of messages. Similar to `messages` but for accounting logs.

792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
#### `freeradius::module::detail`

Install a detail module to write detailed log of accounting records.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `filename`
The file where the detailed logs will go. Default: `${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d`.

##### `escape_filenames`
If UTF-8 characters should be escaped from filename. Default: `no`.

##### `permissions`
Unix-style permissions for the log file. Default: `0600`.

##### `group`
The Unix group which owns the log file. Default: `undef`.

##### `header`
Header to use in every entry in the detail file. Default: `undef` (`%t`).

##### `locking`
Enable if a detail file reader will be reading this file. Default: `undef`.

##### `log_packet_header`
Log the package src/dst IP/port. Default: `undef`.

##### `suppress`
Array of (sensitive) attributes that should be removed from the log. Default: `[]`.

823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
#### `freeradius::module::files`
Install a `file` module with users in freeradius.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `moddir`
Directory where the users file is located. Default: `${modconfdir}/${.:instance}`.

##### `key`
The default key attribute to use for matches. Default: `undef`.

##### `filename`
The (old) users style filename. Default: `${moddir}/authorize`.

##### `usersfile`
Accepted for backups compatibility. Default: `undef`.

##### `acctusersfile`
Accepted for backups compatibility. Default: `undef`.

##### `preproxy_usersfile`
Accepted for backups compatibility. Default: `undef`.

##### `users`
Array of hashes with users entries (see "man users"). If entry in the hash is an array which valid keys are:

* `login`: The login of the user.
* `check_items`: An array with check components for the user entry.
* `reply_items`: An array with reply components for the user entry.

For example:
```puppet
freeradius::module::files {'myuserfile':
  users => [
    {
      login => 'DEFAULT',
      check_items => [
        'Realm == NULL'
      ],
      reply_items => [
        'Fall-Through = No
      ],
    },
  ],
}
```

will produce a user file like:
```
DEFAULT Realm == NULL
  Fall-Through = No
```

You should use just one of `users`, `source` or `content` parameters.

##### `source`
Provide source to a file with the users file. Default: `undef`.

You should use just one of `users`, `source` or `content` parameters.

##### `content`
Provide the content for the users file. Default: `undef`.

You should use just one of `users`, `source` or `content` parameters.

889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
#### `freeradius::module::eap`
Install a module for EAP configuration

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `default_eap_type`
Default EAP type. Default: `md5`.

##### `timer_expire`
How much time an entry is maintained in the list to correlate EAP-Response packets with EAP-Request packets. Default: `60`.

##### `ignore_unknown_eap_types`
By setting this options to `yes`, you can tell the server to keep processing requests with an EAP type it does not support. Default: `no`.

##### `cisco_accounting_username_bug`
Enables a work around to handle Cisco AP1230B firmware bug. Default: `no`.

##### `max_sessions`
Maximum number of EAP sessions the server tracked. Default: `${max_requests}`.

##### Parameters to configure EAP-pwd authentication.

###### `eap_pwd`
If set to `true` configures EAP-pwd authentication. Default: `false`.

###### `pwd_group`
`group` used in pwd configuration. Default: `undef`.

###### `pwd_server_id`
`server_id` option in pwd configuration. Default: `undef`.

###### `pwd_fragment_size`
`fragment_size` option in pwd configuration. Default: `undef`.

###### `pwd_virtual_server`
The virtual server which determines the "known good" password for the user in pwd authentication. Default: `undef`.

##### Parameters to configure Generic Tocken Card

###### `gtc_challenge`
The default challenge. Default: `undef`

###### `gtc_auth_type`
`auth_type` use in GTC. Default: `PAP`.

##### Parameters for TLS configuration

###### `tls_config_name`
Name for the `tls-config`. It normally should not be used. Default: `tls-common`.

###### `tls_private_key_password`
Private key password. Default: `undef`.

###### `tls_private_key_file`
File with the private key of the server. Default: `${certdir}/server.pem`.

###### `tls_certificate_file`
File with the certificate of the server. Default: `${certdir}/server.pem`.

###### `tls_ca_file`
File with the trusted root CA list. Default: `${certdir}/ca.pem`.

###### `tls_auth_chain`
When setting to `no`, the server certificate file MUST include the full certificate chain. Default: `undef`.

###### `tls_psk_identity`
PSK identity (if OpenSSL supports TLS-PSK). Default: `undef`.

###### `tls_psk_hexphrase`
PSK (hex) password (if OpenSSL supports TLS-PSK). Default: `undef`.

###### `tls_dh_file`
DH file. Default: `${certdir}/dh`.

###### `tls_random_file`
Random file. Default: `undef` (`/dev/urandom`).

###### `tls_fragment_size`
Fragment size for TLS packets. Default: `undef`.

###### `tls_include_length`
If set to no, total length of the message is included only in the first packet of a fragment series. Default: `undef`.

###### `tls_check_crl`
Check the certificate revocation list. Default: `undef`.

###### `tls_check_all_crl`
Check if intermediate CAs have been revoked. Default: `undef`.

###### `tls_ca_path`
ca_path. Default: `${cadir}`.

###### `tls_check_cert_issuer`
If set, the value will be checked against the DN of the issuer in the client certificate. Default: `undef`.

###### `tls_check_cert_cn`
If it is set, the value will be xlat'ed and checked against the CN in the client certificate. Default: `undef`

###### `tls_cipher_list`
Set this option to specify the allowed TLS cipher suites. Default: `DEFAULT`.

###### `tls_disable_tlsv1_2`
Disable TLS v1.2. Default: `undef`.

###### `tls_ecdh_curve`
Elliptical cryptography configuration. Default: `prime256v1`.

###### `tls_cache_enable`
Enable TLS cache. Default: `yes`.

###### `tls_cache_lifetime`
Lifetime of the cached entries, in hours. Default: `24`.

###### `tls_cache_max_entries`
The maximum number of entries in the cache. Default: `255`.

###### `tls_cache_name`
Internal name of the session cache. Default: `undef`.

###### `tls_cache_persist_dir`
Simple directory-based storage of sessions. Default: `undef`.

###### `tls_verify_skip_if_ocsp_ok`
If the OCSP checks suceed, the verify section is run to allow additional checks. Default: `undef`.

###### `tls_verify_tmpdir`
Temporary directory where the client certificates are stored. Default: `undef`.

###### `tls_verify_client`
The command used to verify the client certificate. Default: `undef`.

###### `tls_ocsp_enable`
Enable OCSP certificate verification. Default: `no`.

###### `tls_ocsp_override_cert_url`
If set to `yes` the OCSP Responder URL is overrided. Default: `yes`.

###### `tls_ocsp_url`
The URL used to verify the certificate when `tls_ocsp_override_cert_url` is set to `yes`. Default: `http://127.0.0.1/ocsp/`.

###### `tls_ocsp_use_nonce`
If the OCSP Responder can not cope with nonce in the request, then it can be set to `no`. Default: `undef`.

###### `tls_ocsp_timeout`
Number of seconds before giving up waiting for OCSP response. Default: `undef`.

###### `tls_ocsp_softfail`
To treat OCSP errors as _soft_. Default: `undef`.

###### `tls_virtual_server`
Virtual server for EAP-TLS requests. Default: `undef`.

##### Parameters for TTLS configuration

###### `ttls_default_eap_type`
Default EAP type use inside the TTLS tunnel. Default: `md5`.

###### `ttls_copy_request_to_tunnel`
If set to `yes`, any attribute in the ouside of the tunnel but not in the tunneled request is copied to the tunneled request. Default: `no`.

###### `ttls_use_tunneled_reply`
If set to `yes`, reply attributes get from the tunneled request are sent as part of the outside reply. Default: `no`.

###### `ttls_virtual_server`
The virtual server that will handle tunneled requests. Default: `inner-tunnel`.

###### `ttls_include_length`
If set to no, total length of the message is included only in the first packet of a fragment series. Default: `undef`.

###### `ttls_require_client_cert`
Set to `yes` to require a client certificate. Default: `undef`.

###### Parameters for PEAP configuration

###### `peap_default_eap_type`
Default EAP type used in tunneled EAP session. Default: `mschapv2`.

###### `peap_copy_request_to_tunnel`
If set to `yes`, any attribute in the ouside of the tunnel but not in the tunneled request is copied to the tunneled request. Default: `no`.

###### `peap_use_tunneled_reply`
If set to `yes`, reply attributes get from the tunneled request are sent as part of the outside reply. Default: `no`.

###### `peap_proxy_tunneled_request_as_eap`
Set the parameter to `no` to proxy the tunneled EAP-MSCHAP-V2 as normal MSCHAPv2. Default: `undef`.

###### `peap_virtual_server`
The virtual server that will handle tunneled requests. Default: `inner-tunnel`.

###### `peap_soh`
Enables support for MS-SoH. Default: `undef`.

###### `peap_soh_virtual_server`
The virtual server that will handle tunneled requests. Default: `undef`.

###### `peap_require_client_cert`
Set to `yes` to require a client certificate. Default: `undef`.

##### Parameters for MS-CHAPv2 configuration

###### `mschapv2_send_error`
If set to `yes`, then the error message will be sent back to the client. Default: `undef`.

###### `mschapv2_identity`
Server indentifier to send back in the challenge. Default: `undef`.

1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
#### `freeradius::module::preprocess`
Install a preprocess module to process _huntgroups_ and _hints_ files.

##### `ensure`
If the module should `present` or `absent`. Default: `present`.

##### `moddir`
Directory where the preprocess' files are located. Default: `${modconfdir}/${.:instance}`.

##### `huntgroups`
Path for the huntgroups file. Defaut: `${moddir}/huntgroups`.

##### `hints`
Path for the hints file. Default `${moddir}/hints`.

##### `with_ascend_hack`
This hack changes Ascend's weird port numbering to standar 0-??? port numbers. Default: `no`.

##### `ascend_channels_per_line`
Default: `23`.

##### `with_ntdomain_hack`
Windows NT machines often authenticate themselves as NT_DOMAIN\username. If this parameter is set to `yes`, then the NT_DOMAIN portion of the user-name is silently discarded. Default: `no`.

##### `with_specialix_jetstream_hack`
Set to `yes` if you are using a Specialix Jetstream 8500 access server. Default: `no`.

##### `with_cicso_vsa_hack`
Set to `yes` if you are using a Cisco or Quintum NAS. Default: `no`.

#### `freeradius::module::huntgroup`

Creates a huntgroup entry in a huntgroup file (see `freeradius::module::preprocess`)

##### `conditions`
Array of rules to match in this huntgroup.

##### `order`
Order of this huntgroup in the huntgroup files. This is the `order` parameter for the underlying `concat::fragment`. Default: `50' .

##### `huntgroup`
The path of the huntgroup file. Default: `huntgroup`.

1139
1140
1141
1142
#### `freeradius::policy`

Install a policy from a flat file.

1143
```puppet
1144
1145
1146
1147
1148
freeradius::policy { 'my-policies':
  source => 'puppet:///modules/site_freeradius/my-policies',
}
```

1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
#### `freeradius::realm`

Define a realm in `proxy.conf`. Realms point to pools of home servers.

##### `virtual_server`

Set this to "proxy" requests internally to a virtual server. The pre-proxy and post-proxy sections are run just as with any
other kind of home server.  The virtual server then receives the request, and replies, just as with any other packet.
Once proxied internally like this, the request CANNOT be proxied internally or externally.

##### `auth_pool`

For authentication, the `auth_pool` configuration item should point to a `home_server_pool` that was previously
defined.  All of the home servers in the `auth_pool` must be of type `auth`.

##### `acct_pool`

For accounting, the `acct_pool` configuration item should point to a `home_server_pool` that was previously
defined.  All of the home servers in the `acct_pool` must be of type `acct`.

##### `pool`

If you have a `home_server_pool` where all of the home servers are of type `auth+acct`, you can just use the `pool`
configuration item, instead of specifying both `auth_pool` and `acct_pool`.

##### `nostrip`

Normally, when an incoming User-Name is matched against the realm, the realm name is "stripped" off, and the "stripped"
user name is used to perform matches.If you do not want this to happen, set this to `true`. Default: `false`.


1180
1181
1182
1183
1184
#### `freeradius::script`

Install a helper script, e.g. which might be called upon by a virtual server. These are
placed in `/etc/raddb/scripts` and are not automatically included by the server.

1185
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1186
freeradius::script{ 'myperlscript.pl':
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1187
1188
1189
1190
  source => 'puppet:///modules/site_freeradius/myperlscript.pl',
}
```

1191
1192
#### `freeradius::site`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1193
Install a virtual server (a.k.a. site) from a flat file. Sites are installed directly
1194
1195
into `/etc/raddb/sites-enabled`. Any files in this directory that are *not* managed by
Puppet will be removed.
1196

1197
```puppet
1198
1199
1200
1201
1202
freeradius::site { 'inner-tunnel':
  source => 'puppet:///modules/site_freeradius/inner-tunnel',
}
```

1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
##### `ensure`

Whether the site should be present or not.

##### `source`

Provide source to a file with the configuration of the site. Default: `undef`.

##### `content`

Provide content for the configuartion of the site. Default: `undef`.

##### `authorize`

Array of options (as String) for the authorize section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `authenticate`

Array of options (as String) for the authenticate section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `preacct`

Array of options (as String) for the preacct section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `accounting`

Array of options (as String) for the accounting section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `session`

Array of options (as String) for the session section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `post_auth`

Array of options (as String) for the post-auth section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `pre_proxy`

Array of options (as String) for the pre-proxy section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `post_proxy`

Array of options (as String) for the post-proxy section of the site. This parameter is
ignored if `source` or `content`are used. Default: [].

##### `listen`

Array of listen definitions for the site. This parameter is ignored if `source` or
`content`are used. Default: [].

1260
1261
1262
1263
1264
1265
#### `freeradius::sql`

Configure SQL connections. You can define multiple database connections by
invoking this resource multiple times. If you are using MySQL, don't forget to
also set `mysql_support => true` in the base `freeradius` class.

1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
```puppet
freeradius::sql { 'mydatabase':
  database  => 'mysql',
  server    => '192.168.0.1',
  login     => 'radius',
  password  => 'topsecret',
  radius_db => 'radius',
}
```

1276
1277
1278
1279
1280
1281
1282
1283
##### `database`

Default: `undef`. Required. Specify which FreeRADIUS database driver to use. Choose one of `mysql`, `mssql`, `oracle`, `postgresql`

##### `server`

Default: `localhost`. Specify hostname of IP address of the database server.

1284
1285
1286
1287
##### `port`

TCP port to connect to the database. Default: `3306`.

1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
##### `login`

Default: `radius`. Username to connect to the databae.

##### `password`

Default: `undef`. Required. Password to connect to the database.

##### `radius_db`

Default: `radius`. Name of the database. Normally you should leave this alone. If you are using Oracle then use this instead:
`(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=your_sid)))`.

1301
1302
1303
1304
1305
1306
1307
1308
##### `num_sql_socks`

Default: same as `max_servers`. Number of sql connections to make to the database server. 
Setting this to LESS than the number of threads means that some threads may starve, and
you will see errors like "No connections available and at max connection limit". Setting
this to MORE than the number of threads means that there are more connections than necessary.
Leave blank to set it to the same value as the number of threads.

1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
##### `lifetime`

Default: `0`. Lifetime of an SQL socket. If you are having network issues such as TCP sessions expiring, you may need to set the socket
lifetime. If set to non-zero, any open connections will be closed `$lifetime` seconds after they were first opened.

##### `max_queries`

Default: `0`. Maximum number of queries used by an SQL socket. If you are having issues with SQL sockets lasting "too long", you can
limit the number of queries performed over one socket. After `$max_qeuries`, the socket will be closed. Use 0 for "no limit".

1319
1320
##### `query_file`

1321
1322
**`query_file` has been deprecated - use `custom_query_file` instead**

1323
1324
1325
1326
1327
1328
1329
1330
Default: `sql/${database}/dialup.conf`. Relative path to the file which contains your SQL queries. By
default, points to the `dialup.conf` specific to your database engine, so leave this blank if you are
using stock queries.

If you need to use custom queries, it is recommended that you deploy your query file using
`freeradius::script` to install the file into `/etc/raddb/scripts/custom_dialup.conf` and then
set `query_file` to `scripts/custom_dialup.conf`.

1331
1332
1333
1334
1335
1336
1337
##### `custom_query_file`

Default: `null`. Puppet fileserver path to a file which contains your SQL queries, i.e. `dialup.conf`. This
option is intended to be a replacment for `query_file`, which requires separate deployment of the file. This
option allows you to specify a Puppet-managed custom `dialup.conf` which is installed and loaded automatically.
`query_file` must be left blank if you use `custom_query_file`.

1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
##### `acct_table1`

If you want both stop and start records logged to the same SQL table, leave this as is.  If you want them in
different tables, put the start table in `$acct_table1` and stop table in `$acct_table2`. Default : `radacct`

##### `acct_table2`

If you want both stop and start records logged to the same SQL table, leave this as is.  If you want them in
different tables, put the start table in `$acct_table1` and stop table in `$acct_table2`. Default : `radacct`

##### `postauth_table`

Table for storing data after authentication

##### `authcheck_table`

Default: `radcheck`

##### `authreply_table`

Default: `radreply`

##### `groupcheck_table`

Default: `radgroupcheck`

##### `groupreply_table`

Default: `radgroupreply`

##### `usergroup_table`

Table to keep group info. Default: `radusergroup`

##### `read_groups`

If set to `yes` (default) we read the group tables. If set to `no` the user MUST have `Fall-Through = Yes`
in the radreply table. Default: `yes`.

##### `deletestalesessions`

Remove stale session if checkrad does not see a double login. Default: `yes`.

##### `sqltrace`

Print all SQL statements when in debug mode (-x). Default: `no`.

##### `sqltracefile`

Location for SQL statements to be stored if `$sqltrace = yes`. Default:
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1388
`${logdir}/sqllog.sql`
1389
1390
1391
1392
1393
1394
1395
1396
1397

##### `connect_failure_retry_delay`

Number of seconds to dely retrying on a failed database connection (per socket). Default: `60`.

##### `nas_table`

Table to keep radius client info. Default: `nas`.

Angel L. Mateo's avatar
Angel L. Mateo committed
1398
##### `readclients`
1399
1400
1401

Set to `yes` to read radius clients from the database (`$nas_table`) Clients will ONLY be read on server startup. For performance
and security reasons, finding clients via SQL queries CANNOT be done "live" while the server is running. Default: `no`.
1402

1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
##### `pool_start`

Connections to create during module instantiation. Default: 1.

##### `pool_min`

Minimum number of connnections to keep open. Default: 1.

##### `pool_spare`

Spare connections to be left idle. Default: 1.

##### `pool_idle_timeout`

Idle timeout (in seconds). A connection which is unused for this length of time will
be closed. Default: 60.

##### `pool_connect_timeout`

Connection timeout (in seconds). The maximum amount of time to wait for a new
connection to be established. Default: '3.0'.

1425
1426
1427
1428
1429
#### `freeradius::statusclient`

Define RADIUS clients, specifically to connect to the status server for monitoring.
Very similar usage to `freeradius::client` but with fewer options.

1430
##### `ip`
1431
Default: `undef`. The IP address of the client in CIDR format.  For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
1432
1433

##### `ip6`
1434
Default: `undef`. The IPv6 address of the client in CIDR format. `ip` and `ip6` are mutually exclusive but one must be supplied.
1435
1436
1437
1438
1439
1440
1441
1442
1443

##### `secret`
required. The RADIUS shared secret used for communication between the client/NAS and the RADIUS server.

##### `port`
Default: `undef`. The UDP port that this virtual server should listen on. Leave blank if this client is not tied to a virtual server.

##### `shortname`
required. A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section.
1444

1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
#### `freeradius::template`

Define template items that can be referred to in other config items

##### `source`

Provide source to a file with the template item. Specify only one of `source` or `content`.

##### `content`

Provide content of template item. Specify only one of `source` or `content`.
1456

1457
1458
1459
1460
1461
1462
#### `freeradius::virtual_module`

Define a virtual module which consists of one or more other modules, for failover or
load-balancing purposes.

##### `submodules`
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1463
1464
1465

Provide an array of submodules which will be loaded into this virtual module. Required.

1466
1467
##### `type`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1468
1469
1470
1471
1472
Select the type of virtual module from `redundant`, `load-balance`, `redundant-load-balance`
or `group`. See [virtual modules](http://wiki.freeradius.org/config/Fail-over#virtual-modules)
and [load-balancing](http://wiki.freeradius.org/config/load-balancing) for more details.


1473
```puppet
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1474
# Load virtual module myldap
1475
1476
1477
1478
1479
1480
freeradius::virtual_module { 'myldap':
  submodules => ['ldap1', 'ldap2'],
  type       => 'redundant-load-balance',
}
```

1481
1482
## Limitations

1483
1484
1485
1486
This module is targeted at FreeRADIUS 3.x running on CentOS 7. It will not work on
FreeRADIUS 2.x. It has not been thoroughly tested on other distributions, but
might work. Likely sticking points with other distros are the names of packages,
services and file paths.
1487
1488
1489

This module was written for use with Puppet 3.6 and 3.7, but should be quite agnostic
to new versions of Puppet.
1490
1491
1492

## Development

1493
1494
1495
1496
This module was written primarily for internal use - features we haven't needed to
use probably haven't been written. Please send pull requests with new features and
bug fixes. You are also welcome to file issues but I make no guarantees of
development effort if the features aren't useful to my employer.
1497

1498
## Release Notes
1499

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1500
1501
1502
### 2.3.1
  * Fix bug with log rotation throwing errors when radiusd is not running

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1503
1504
1505
### 2.3.0
  * Add support to configure virtual modules for fail-over and load-balancing

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1506
1507
1508
### 2.2.0
  * Add support to configure the krb5 module

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1509
1510
1511
### 2.1.4
  * Fix compatibility with Puppet 4

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1512
1513
1514
### 2.1.3
  * Fix compatibility with Puppet 4

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1515
1516
1517
### 2.1.2
  * Write out ldap config with different syntax for FreeRADIUS 3.0.x and 3.1.x when using multiple servers

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1518
1519
1520
1521
### 2.1.1

  * Fix bug with the facts not reporting version numbers accurately

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1522
1523
1524
1525
### 2.1.0

  * Various changes to preserve stock modules in a FreeRADIUS installation and be able to toggle them

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1526
1527
1528
1529
1530
1531
1532
1533
### 2.0.1

  * Fix up LDAP template to allow better compatibility with FreeRADIUS 3.1.x

### 2.0.0

  * Drop support for FreeRADIUS 2.x, enabling us to keep the codebase tidier

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1534
1535
1536
1537
### 1.3.0

  * Add support for defining config templates

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1538
1539
1540
1541
### 1.2.6

  * Fix a bug that now enables sqltrace (sqllog) to work on FR3

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1542
1543
1544
1545
### 1.2.5

  * Switch to use [saz/rsyslog](https://forge.puppetlabs.com/saz/rsyslog) to manage syslog rules

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1546
1547
1548
1549
### 1.2.4

  * Start with just 1 SQL socket by default to avoid overloading the SQL server

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1550
1551
1552
1553
### 1.2.3

  * Make facts fail gracefully if radiusd is not installed

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1554
1555
1556
1557
### 1.2.2

  * Fix a bug that stops statusclients from working

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1558
1559
1560
1561
### 1.2.1

  * Fix a bug that prevent 1.2.0 from working on FreeRADIUS 2

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1562
1563
1564
1565
### 1.2.0

 * Deprecate `netmask` parameter from `freeradius::client`

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1566
1567
1568
1569
### 1.1.0

 * Add support to supply an array of multiple LDAP servers

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1570
1571
1572
1573
### 1.0.4

 * Make an educated guess about the version of FR when the fact is unavailable (e.g. on the first Puppet run)

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1574
1575
1576
1577
### 1.0.3

 * Iron out a couple of issues with LDAP compatibility with Active Directory

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1578
1579
1580
1581
### 1.0.2

 * Fixed a bug that prevented LDAP from working on any port except 389

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1582
1583
1584
1585
### 1.0.1

 * Fixed a bug that caused an error when no proxy config items were defined

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
### 1.0.0

 * Support for FreeRADIUS 3
 * Native support for managing the LDAP module
 * Native support for configuring realms (via realms, home_server and home_server_pool)
 * Improved handling of attribute filtering
 * Improved handling of SQL support

This release retains support for FreeRADIUS 2 but some of the parameters have changed so you will probably need to make changes to the way you use this module. Upgrade on a dev system first!

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1596
1597
1598
1599
### 0.4.5

 * Tweak wildcard matching on logrotate config

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1600
1601
1602
1603
### 0.4.4

 * Fix bug displaying deprecation notice and update documentation to reflect this

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1604
1605
1606
1607
### 0.4.3

 * Manage log rotation with [rodjek/logrotate](https://forge.puppetlabs.com/rodjek/logrotate) instead of deploying flat files

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1608
1609
1610
1611
### 0.4.2

 * Provide new SQL option custom_query_file

1612
1613
1614
1615
1616
### 0.4.1

 * Cease management of custom logging modules `logtofile` and `logtosyslog` since it does not make sense to manage these globally 
 * Purge instantiation of unused modules

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1617
1618
1619
1620
### 0.4.0

 * Move control_socket into its own class and add parameters
 * Improve the way the status_server is added or removed
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1621
 * Delete all unmanaged sites from sites-available
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1622

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1623
1624
1625
1626
### 0.3.8

 * Purge all non-managed sites

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1627
1628
1629
1630
1631
### 0.3.7

 * Minor linting of code to improve score
 * Minor linting of metadata to improve score

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1632
1633
1634
1635
### 0.3.6

 * Bugfixes and feature improvements in `freeradius::sql`

1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
### 0.3.5

 * Add ability to customise SQL socket lifetimes
 * Purge all non-managed clients
 * Add defined type to blank out unneeded config files without deleting them

### 0.3.4

 * Correctly pass template content to control-socket

### 0.3.3

 * The default behaviour is now to purge anything in ${confdir}/certs that is not managed by Puppet

### 0.3.2

 * Various improvements to support Debian family
 * Optional content parameters in various resources

### 0.3.1

 * Fix a bug which prevents the module from working properly on Debian/Ubuntu (thanks @diranged)

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1659
1660
1661
1662
### 0.3.0

 * Add `ensure` parameter to all defined types

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1663
1664
1665
1666
### 0.2.0

 * Add support for customising `sql.conf` natively by adding `freeradius::sql`

1667
1668
1669
1670
### 0.1.4

 * Fix ambiguity about net/netmask in freeradius::client

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1671
1672
1673
1674
1675
1676
1677
### 0.1.3

 * Add support for managing firewall rules automatically
 * Add support for installation certificates & keys
 * Make syslog support an optional component
 * Various bugfixes

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1678
1679
1680
1681
1682
1683
1684
### 0.1.2

 * Improved modular installs with optional components
 * Improved support for Debian
 * Clarify dependencies on other modules
 * Lots of bugfixes

Jonathan Gazeley's avatar
Jonathan Gazeley committed
1685
1686
1687
1688
1689
### 0.1.0

 * Initial release with support for installing FreeRADIUS and configuring servers, modules, clients and other objects using flat files.
 * Probably works only with FreeRADIUS 2.x
 * Only tested with CentOS 6
Jonathan Gazeley's avatar
Jonathan Gazeley committed
1690