puppet-freeradius
Commit 02926bdd authored Jun 21, 2016 by Michael Robbert
Add support to configure the krb5 module
parent 7ee04227
Changes: 7 files
README.md
@@ -20,6 +20,7 @@
*
[
`freeradius::home_server_pool`
](
#freeradiushomeserverpool
)
*
[
`freeradius::instantiate`
](
#freeradiusinstantiate
)
*
[
`freeradius::ldap`
](
#freeradiusldap
)
*
[
`freeradius::krb5`
](
#freeradiuskrb5
)
*
[
`freeradius::module`
](
#freeradiusmodule
)
*
[
`freeradius::policy`
](
#freeradiuspolicy
)
*
[
`freeradius::realm`
](
#freeradiusrealm
)
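Review bot: the define list here is otherwise alphabetical (home_server_pool, instantiate, ldap, module, policy, realm), but the new `freeradius::krb5` entry is inserted after `freeradius::ldap`; move it one position up so it sorts before `freeradius::ldap`.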
@@ -96,6 +97,9 @@ Install FreeRADIUS utils. Default: `false`
##### `ldap_support`
Install support for LDAP. Default:
`false`
##### `krb5_support`
Install support for Kerberos. Default:
`false`
##### `wpa_supplicant`
Install wpa_supplicant utility. Default:
`false`
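Review bot: `krb5_support` is documented only as "Install support for Kerberos"; since (per the manifests/init.pp hunk on this page) it only installs the `freeradius-krb5` package and no `krb5` module config exists until a `freeradius::krb5` resource is declared, say so and point at that section, e.g. `Install the rlm_krb5 package. The module itself is configured with \`freeradius::krb5\`. Default: \`false\``.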
@@ -467,6 +471,28 @@ Certificate Verification requirements. Choose from:
Default:
`allow`
#### `freeradius::krb5`
Configure Kerberos support for FreeRADIUS
##### `keytab`
Full path to the Kerberos keytab file
##### `principal`
Name of the service principal
##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. Default:
`${thread[pool].start_servers}`
##### `min`
Minimum number of connections to keep open. Default:
`${thread[pool].min_spare_servers}`
##### `max`
Maximum number of connections. Default:
`${thread[pool].max_servers}`
##### `spare`
Spare connections to be left idle. Default:
`${thread[pool].max_spare_servers}`
#### `freeradius::module`
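Review bot: the `start` description ("Set to 0 to allow the server to start without the directory being available") is carried over from the LDAP section; rlm_krb5 has no directory, so reword it in terms of the KDC/keytab. The section also omits the `ensure` parameter that the define in manifests/krb5.pp accepts (`$ensure = 'present'`); add an `##### \`ensure\`` entry with its default so users know the module config can be removed again.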
manifests/init.pp
@@ -7,6 +7,7 @@ class freeradius (
$perl_support
=
false
,
$utils_support
=
false
,
$ldap_support
=
false
,
$krb5_support
=
false
,
$wpa_supplicant
=
false
,
$winbind_support
=
false
,
$syslog
=
false
,
@@ -218,6 +219,11 @@ class freeradius (
ensure
=>
installed
,
}
}
if
$krb5_support
{
package
{
'freeradius-krb5'
:
ensure
=>
installed
,
}
}
if
$wpa_supplicant
{
package
{
'wpa_supplicant'
:
ensure
=>
installed
,
manifests/krb5.pp
0 → 100644
# Configure Kerberos support for FreeRADIUS
define
freeradius::krb5
(
$keytab
,
$principal
,
$start
=
'${thread[pool].start_servers}'
,
$min
=
'${thread[pool].min_spare_servers}'
,
$max
=
'${thread[pool].max_servers}'
,
$spare
=
'${thread[pool].max_spare_servers}'
,
$ensure
=
'present'
,
)
{
$fr_package
=
$::freeradius::params::fr_package
$fr_service
=
$::freeradius::params::fr_service
$fr_modulepath
=
$::freeradius::params::fr_modulepath
$fr_group
=
$::freeradius::params::fr_group
# Generate a module config
file
{
"
${fr_modulepath}
/
${name}
"
:
ensure
=>
$ensure
,
mode
=>
'0640'
,
owner
=>
'root'
,
group
=>
$fr_group
,
content
=>
template
(
'freeradius/krb5.erb'
),
require
=>
[
Package
[
$fr_package
],
Group
[
$fr_group
]],
notify
=>
Service
[
$fr_service
],
}
}
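Review bot: the `file` resource requires `Package[$fr_package]` and `Group[$fr_group]` but not `Package['freeradius-krb5']`, and nothing checks that `$::freeradius::krb5_support` is true, so the `krb5 <name> { ... }` config can be written into `$fr_modulepath` and the service notified before rlm_krb5 is installed, at which point FreeRADIUS refuses to start because it cannot load the module. Either add `Package['freeradius-krb5']` to `require` or `fail()` when `krb5_support` is false. The single-quoted defaults (`'${thread[pool].start_servers}'` and friends) are correct as written: single quotes stop Puppet interpolating, so the literal xlat reaches the template. The keytab named in `$keytab` is not managed here; the parameter docs should state that it must be readable by the service's group (root:`$fr_group`, mode 0640, as done for the config file) and by nobody else.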
spec/classes/freeradius_spec.rb
@@ -28,6 +28,7 @@ describe 'freeradius' do
#:perl_support => false,
#:utils_support => false,
#:ldap_support => false,
#:krb5_support => false,
#:wpa_supplicant => false,
#:winbind_support => false,
#:syslog => false,
@@ -332,6 +333,12 @@ describe 'freeradius' do
'ensure'
=>
'installed'
)
end
it
do
is_expected
.
to
contain_package
(
'freeradius-krb5'
)
.
with
(
'ensure'
=>
'installed'
)
end
it
do
is_expected
.
to
contain_package
(
'wpa_supplicant'
)
.
with
(
spec/defines/krb5_spec.rb
0 → 100644
require
'spec_helper'
require
'shared_contexts'
describe
'freeradius::krb5'
do
# by default the hiera integration uses hiera data from the shared_contexts.rb file
# but basically to mock hiera you first need to add a key/value pair
# to the specific context in the spec/shared_contexts.rb file
# Note: you can only use a single hiera context per describe/context block
# rspec-puppet does not allow you to swap out hiera data on a per test block
#include_context :hiera
let
(
:title
)
{
'XXreplace_meXX'
}
# below is the facts hash that gives you the ability to mock
# facts on a per describe/context block. If you use a fact in your
# manifest you should mock the facts below.
let
(
:facts
)
do
{}
end
# below is a list of the resource parameters that you can override.
# By default all non-required parameters are commented out,
# while all required parameters will require you to add a value
let
(
:params
)
do
{
:keytab
=>
'place_value_here'
,
:principal
=>
'place_value_here'
,
#:start => "${thread[pool].start_servers}",
#:min => "${thread[pool].min_spare_servers}",
#:max => "${thread[pool].max_servers}",
#:spare => "${thread[pool].max_spare_servers}",
#:ensure => "present",
}
end
# add these two lines in a single test block to enable puppet and hiera debug mode
# Puppet::Util::Log.level = :debug
# Puppet::Util::Log.newdestination(:console)
it
do
is_expected
.
to
contain_file
(
'$::osfamily ? { RedHat => /etc/raddb, Debian => /etc/freeradius, default => /etc/raddb }/$fr_version ? { 2 => modules, 3 => mods-enabled, default => modules }/XXreplace_meXX'
)
.
with
(
'content'
=>
'template(freeradius/krb5.erb)'
,
'ensure'
=>
'present'
,
'group'
=>
'$::osfamily ? { RedHat => radiusd, Debian => freerad, default => radiusd }'
,
'mode'
=>
'0640'
,
'notify'
=>
'Service[$fr_service]'
,
'owner'
=>
'root'
,
'require'
=>
'[Package[$fr_package], Group[$fr_group]]'
)
end
end
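Review bot: this spec is an unedited generator scaffold and will fail as written: the title is `'XXreplace_meXX'`, `keytab` and `principal` are `'place_value_here'`, `let(:facts)` is empty so `$::osfamily` is undefined, and the `contain_file` expectations are the raw Puppet expressions (`'$::osfamily ? { RedHat => /etc/raddb, ... }'`, `'template(freeradius/krb5.erb)'`, `'Service[$fr_service]'`) rather than the values the compiled catalog will actually contain (a resolved path such as `/etc/raddb/modules/<title>` or `/etc/raddb/mods-enabled/<title>` depending on `fr_version`, the rendered template text, the resolved group). Set `:facts` to e.g. `{ :osfamily => 'RedHat' }`, give `keytab` and `principal` realistic values, and assert on the resolved path, `group`, `mode` and a content fragment (`with_content(/keytab = .../)`).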
spec/shared_contexts.rb
@@ -11,6 +11,7 @@ shared_context :global_hiera_data do
#"freeradius::control_socket" => '',
#"freeradius::control_socket::mode" => '',
#"freeradius::ldap_support" => '',
#"freeradius::krb5_support" => '',
#"freeradius::max_requests" => '',
#"freeradius::max_servers" => '',
#"freeradius::mysql_support" => '',
templates/krb5.erb
0 → 100644
# -*- text -*-
#
# $Id: 29a92b9c099a8238fbff0dec60bef00cfb89010a $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5
<%=
@name
%>
{
keytab =
<%=
@keytab
%>
service_principal =
<%=
@principal
%>
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Number of connections to start
start =
<%=
@start
%>
# Minimum number of connections to keep open
min =
<%=
@min
%>
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# NOTE: This should be greater than or equal to "min" above.
max =
<%=
@max
%>
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare =
<%=
@spare
%>
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
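Review bot: `keytab` and `service_principal` are emitted unquoted, so a path containing whitespace or a principal with unusual characters would break the FreeRADIUS config parser (unquoted values end at the first space); wrap the string values in double quotes, e.g. `keytab = "<%= @keytab %>"` and `service_principal = "<%= @principal %>"`. `uses`, `lifetime` and `idle_timeout` are hard-coded to 0 while their copied comments describe them as tunable; either expose them as define parameters alongside `start`/`min`/`max`/`spare` or trim the commentary. The `# $Id: ... $` header is the upstream raddb keyword line and carries no meaning in a template; drop it.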