Commit 02926bdd authored by Michael Robbert's avatar Michael Robbert

Add support to configure the krb5 module

parent 7ee04227
......@@ -20,6 +20,7 @@
* [`freeradius::home_server_pool`](#freeradiushomeserverpool)
* [`freeradius::instantiate`](#freeradiusinstantiate)
* [`freeradius::ldap`](#freeradiusldap)
* [`freeradius::krb5`](#freeradiuskrb5)
* [`freeradius::module`](#freeradiusmodule)
* [`freeradius::policy`](#freeradiuspolicy)
* [`freeradius::realm`](#freeradiusrealm)
......@@ -96,6 +97,9 @@ Install FreeRADIUS utils. Default: `false`
##### `ldap_support`
Install support for LDAP. Default: `false`
##### `krb5_support`
Install support for Kerberos. Default: `false`
##### `wpa_supplicant`
Install wpa_supplicant utility. Default: `false`
......@@ -467,6 +471,28 @@ Certificate Verification requirements. Choose from:
Default: `allow`
#### `freeradius::krb5`
Configure Kerberos support for FreeRADIUS
##### `keytab`
Full path to the Kerberos keytab file
##### `principal`
Name of the service principal
##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. Default: `${thread[pool].start_servers}`
##### `min`
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`
##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`
##### `spare`
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
#### `freeradius::module`
......
......@@ -7,6 +7,7 @@ class freeradius (
$perl_support = false,
$utils_support = false,
$ldap_support = false,
$krb5_support = false,
$wpa_supplicant = false,
$winbind_support = false,
$syslog = false,
......@@ -218,6 +219,11 @@ class freeradius (
ensure => installed,
}
}
if $krb5_support {
package { 'freeradius-krb5':
ensure => installed,
}
}
if $wpa_supplicant {
package { 'wpa_supplicant':
ensure => installed,
......
# Configure Kerberos support for FreeRADIUS
define freeradius::krb5 (
$keytab,
$principal,
$start = '${thread[pool].start_servers}',
$min = '${thread[pool].min_spare_servers}',
$max = '${thread[pool].max_servers}',
$spare = '${thread[pool].max_spare_servers}',
$ensure = 'present',
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
$fr_modulepath = $::freeradius::params::fr_modulepath
$fr_group = $::freeradius::params::fr_group
# Generate a module config
file { "${fr_modulepath}/${name}":
ensure => $ensure,
mode => '0640',
owner => 'root',
group => $fr_group,
content => template('freeradius/krb5.erb'),
require => [Package[$fr_package], Group[$fr_group]],
notify => Service[$fr_service],
}
}
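Review bot: `$name` and `$keytab` are used without validation: `$name` becomes a path component in `"${fr_modulepath}/${name}"` (L78), so a title containing `/` or `..` would place the module file outside the modules directory, and `$keytab` is passed straight through to the rendered config as a bare path. If puppetlabs-stdlib is already a dependency of this module (not visible in this commit), `validate_absolute_path($keytab)` and `validate_re($name, '^[A-Za-z0-9_-]+$')` at the top of the define would reject both before any file is written. The define manages only the module config, not the keytab itself, so a comment above the file resource such as `# The keytab at $keytab is not managed here; it must exist and be readable by $fr_group but not world-readable, since it holds the service's long-term key` would make the operator's responsibility explicit.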
......@@ -28,6 +28,7 @@ describe 'freeradius' do
#:perl_support => false,
#:utils_support => false,
#:ldap_support => false,
#:krb5_support => false,
#:wpa_supplicant => false,
#:winbind_support => false,
#:syslog => false,
......@@ -332,6 +333,12 @@ describe 'freeradius' do
'ensure' => 'installed'
)
end
it do
is_expected.to contain_package('freeradius-krb5')
.with(
'ensure' => 'installed'
)
end
it do
is_expected.to contain_package('wpa_supplicant')
.with(
......
require 'spec_helper'
require 'shared_contexts'
describe 'freeradius::krb5' do
# by default the hiera integration uses hiera data from the shared_contexts.rb file
# but basically to mock hiera you first need to add a key/value pair
# to the specific context in the spec/shared_contexts.rb file
# Note: you can only use a single hiera context per describe/context block
# rspec-puppet does not allow you to swap out hiera data on a per test block
#include_context :hiera
let(:title) { 'XXreplace_meXX' }
# below is the facts hash that gives you the ability to mock
# facts on a per describe/context block. If you use a fact in your
# manifest you should mock the facts below.
let(:facts) do
{}
end
# below is a list of the resource parameters that you can override.
# By default all non-required parameters are commented out,
# while all required parameters will require you to add a value
let(:params) do
{
:keytab => 'place_value_here',
:principal => 'place_value_here',
#:start => "${thread[pool].start_servers}",
#:min => "${thread[pool].min_spare_servers}",
#:max => "${thread[pool].max_servers}",
#:spare => "${thread[pool].max_spare_servers}",
#:ensure => "present",
}
end
# add these two lines in a single test block to enable puppet and hiera debug mode
# Puppet::Util::Log.level = :debug
# Puppet::Util::Log.newdestination(:console)
it do
is_expected.to contain_file('$::osfamily ? { RedHat => /etc/raddb, Debian => /etc/freeradius, default => /etc/raddb }/$fr_version ? { 2 => modules, 3 => mods-enabled, default => modules }/XXreplace_meXX')
.with(
'content' => 'template(freeradius/krb5.erb)',
'ensure' => 'present',
'group' => '$::osfamily ? { RedHat => radiusd, Debian => freerad, default => radiusd }',
'mode' => '0640',
'notify' => 'Service[$fr_service]',
'owner' => 'root',
'require' => '[Package[$fr_package], Group[$fr_group]]'
)
end
end
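Review bot: The expectation at L143-154 is unfilled generator output and cannot pass as written: the resource title is the raw Puppet selector text `$::osfamily ? { ... }` rather than a resolved path, `content` is the literal string `template(freeradius/krb5.erb)` rather than rendered content, and the title `XXreplace_meXX` and `place_value_here` parameters are placeholders. The define also reads `$::freeradius::params::*` and requires `Package[$fr_package]` and `Group[$fr_group]`, so the catalog presumably only compiles with the main class declared in a `pre_condition` (confirm against how the existing ldap define spec handles it). A filled-in version for one platform would look like the following; the exact module path and group come from `freeradius::params`, which is not visible in this commit, so the RedHat values below are taken from the selector text the generator printed at L144 and L148.
```ruby
let(:title) { 'krb5' }
let(:facts) { { :osfamily => 'RedHat' } }
let(:pre_condition) { 'include ::freeradius' }
let(:params) do
  {
    :keytab    => '/etc/raddb/radius.keytab',
    :principal => 'radius/radius.example.com@EXAMPLE.COM',
  }
end
it do
  is_expected.to contain_file('/etc/raddb/mods-enabled/krb5')
    .with_ensure('present')
    .with_owner('root')
    .with_group('radiusd')
    .with_mode('0640')
    .with_content(%r{keytab = /etc/raddb/radius\.keytab})
    .with_content(%r{service_principal = radius/radius\.example\.com@EXAMPLE\.COM})
end
```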
......@@ -11,6 +11,7 @@ shared_context :global_hiera_data do
#"freeradius::control_socket" => '',
#"freeradius::control_socket::mode" => '',
#"freeradius::ldap_support" => '',
#"freeradius::krb5_support" => '',
#"freeradius::max_requests" => '',
#"freeradius::max_servers" => '',
#"freeradius::mysql_support" => '',
......
# -*- text -*-
#
# $Id: 29a92b9c099a8238fbff0dec60bef00cfb89010a $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 <%= @name %> {
keytab = <%= @keytab %>
service_principal = <%= @principal %>
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Number of connections to start
start = <%= @start %>
# Minimum number of connections to keep open
min = <%= @min %>
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# NOTE: This should be greater than or equal to "min" above.
max = <%= @max %>
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = <%= @spare %>
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
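Review bot: `keytab = <%= @keytab %>` and `service_principal = <%= @principal %>` (L172-173) are emitted unquoted, so a keytab path or principal containing whitespace or characters the FreeRADIUS config parser treats specially would yield a config that fails to load or loads with a truncated value. Double-quoting both, `keytab = "<%= @keytab %>"` and `service_principal = "<%= @principal %>"`, is accepted by the config parser and removes the ambiguity. Separately, `uses`, `lifetime` and `idle_timeout` are fixed at 0 (no limit) while `start`/`min`/`max`/`spare` are parameterised; a comment such as `# uses/lifetime/idle_timeout are deliberately not exposed as define parameters; 0 means no limit` would record that this is intentional rather than an omission.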