Commit 02926bdd authored by Michael Robbert's avatar Michael Robbert

Add support to configure the krb5 module

parent 7ee04227
......@@ -20,6 +20,7 @@
* [`freeradius::home_server_pool`](#freeradiushomeserverpool)
* [`freeradius::instantiate`](#freeradiusinstantiate)
* [`freeradius::ldap`](#freeradiusldap)
* [`freeradius::krb5`](#freeradiuskrb5)
* [`freeradius::module`](#freeradiusmodule)
* [`freeradius::policy`](#freeradiuspolicy)
* [`freeradius::realm`](#freeradiusrealm)
......@@ -96,6 +97,9 @@ Install FreeRADIUS utils. Default: `false`
##### `ldap_support`
Install support for LDAP. Default: `false`
##### `krb5_support`
Install support for Kerberos. Default: `false`
##### `wpa_supplicant`
Install wpa_supplicant utility. Default: `false`
......@@ -467,6 +471,28 @@ Certificate Verification requirements. Choose from:
Default: `allow`
#### `freeradius::krb5`
Configure Kerberos support for FreeRADIUS
##### `keytab`
Full path to the Kerberos keytab file
##### `principal`
Name of the service principal
##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. Default: `${thread[pool].start_servers}`
##### `min`
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`
##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`
##### `spare`
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
#### `freeradius::module`
......
......@@ -7,6 +7,7 @@ class freeradius (
$perl_support = false,
$utils_support = false,
$ldap_support = false,
$krb5_support = false,
$wpa_supplicant = false,
$winbind_support = false,
$syslog = false,
......@@ -218,6 +219,11 @@ class freeradius (
ensure => installed,
}
}
if $krb5_support {
package { 'freeradius-krb5':
ensure => installed,
}
}
if $wpa_supplicant {
package { 'wpa_supplicant':
ensure => installed,
......
# Configure Kerberos support for FreeRADIUS
define freeradius::krb5 (
$keytab,
$principal,
$start = '${thread[pool].start_servers}',
$min = '${thread[pool].min_spare_servers}',
$max = '${thread[pool].max_servers}',
$spare = '${thread[pool].max_spare_servers}',
$ensure = 'present',
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
$fr_modulepath = $::freeradius::params::fr_modulepath
$fr_group = $::freeradius::params::fr_group
# Generate a module config
file { "${fr_modulepath}/${name}":
ensure => $ensure,
mode => '0640',
owner => 'root',
group => $fr_group,
content => template('freeradius/krb5.erb'),
require => [Package[$fr_package], Group[$fr_group]],
notify => Service[$fr_service],
}
}
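Review bot: `$keytab` (line 70) is written into the module config verbatim with no check that it is an absolute path or that the FreeRADIUS service account can read the file, so a relative path or a root-only keytab is only discovered when the first Kerberos authentication fails at runtime rather than at catalog time. If the module already depends on puppetlabs-stdlib, `validate_absolute_path($keytab)` at the top of the body gives a catalog-time failure; otherwise a guard such as `if $keytab !~ /^\// { fail("freeradius::krb5: keytab must be an absolute path") }` does the same. The keytab itself is the secret here and the define neither manages nor documents it, so a header comment along the lines of `# $keytab: absolute path to a keytab readable by the FreeRADIUS service group (e.g. root:${fr_group} 0640); NOT managed by this define` would tell operators what they still have to do themselves. The define carries no per-parameter documentation at all, and the README entry in this commit describes `start` in terms of "the directory being available", which is LDAP wording; here the pool holds Kerberos contexts, so the comments on `$start`..`$spare` should say so.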
......@@ -28,6 +28,7 @@ describe 'freeradius' do
#:perl_support => false,
#:utils_support => false,
#:ldap_support => false,
#:krb5_support => false,
#:wpa_supplicant => false,
#:winbind_support => false,
#:syslog => false,
......@@ -332,6 +333,12 @@ describe 'freeradius' do
'ensure' => 'installed'
)
end
it do
is_expected.to contain_package('freeradius-krb5')
.with(
'ensure' => 'installed'
)
end
it do
is_expected.to contain_package('wpa_supplicant')
.with(
......
require 'spec_helper'
require 'shared_contexts'
describe 'freeradius::krb5' do
# by default the hiera integration uses hiera data from the shared_contexts.rb file
# but basically to mock hiera you first need to add a key/value pair
# to the specific context in the spec/shared_contexts.rb file
# Note: you can only use a single hiera context per describe/context block
# rspec-puppet does not allow you to swap out hiera data on a per test block
#include_context :hiera
let(:title) { 'XXreplace_meXX' }
# below is the facts hash that gives you the ability to mock
# facts on a per describe/context block. If you use a fact in your
# manifest you should mock the facts below.
let(:facts) do
{}
end
# below is a list of the resource parameters that you can override.
# By default all non-required parameters are commented out,
# while all required parameters will require you to add a value
let(:params) do
{
:keytab => 'place_value_here',
:principal => 'place_value_here',
#:start => "${thread[pool].start_servers}",
#:min => "${thread[pool].min_spare_servers}",
#:max => "${thread[pool].max_servers}",
#:spare => "${thread[pool].max_spare_servers}",
#:ensure => "present",
}
end
# add these two lines in a single test block to enable puppet and hiera debug mode
# Puppet::Util::Log.level = :debug
# Puppet::Util::Log.newdestination(:console)
it do
is_expected.to contain_file('$::osfamily ? { RedHat => /etc/raddb, Debian => /etc/freeradius, default => /etc/raddb }/$fr_version ? { 2 => modules, 3 => mods-enabled, default => modules }/XXreplace_meXX')
.with(
'content' => 'template(freeradius/krb5.erb)',
'ensure' => 'present',
'group' => '$::osfamily ? { RedHat => radiusd, Debian => freerad, default => radiusd }',
'mode' => '0640',
'notify' => 'Service[$fr_service]',
'owner' => 'root',
'require' => '[Package[$fr_package], Group[$fr_group]]'
)
end
end
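Review bot: The expectations at lines 149–157 are unfilled generator output and cannot pass: `contain_file` is given the literal text of the Puppet selector expression rather than a resolved path, `'content' => 'template(freeradius/krb5.erb)'` compares against the unrendered call instead of the rendered module config, and `'notify' => 'Service[$fr_service]'` / `'require' => '[Package[$fr_package], Group[$fr_group]]'` are plain strings that rspec-puppet will not match against resource references. The `facts` hash is also empty although the define resolves its path and group through `$::osfamily` (visible in the expected strings), so the catalog compile itself will likely fail before any expectation runs. A test that checks the rendered file is what actually guards the security-relevant parts of this define (mode 0640, root ownership, the keytab line); the sketch below assumes osfamily-driven params, and the exact directory depends on the module's default `fr_version`, which is not visible here, so confirm both.
```ruby
let(:title) { 'krb5' }
let(:facts) do
  { osfamily: 'RedHat' }   # TODO confirm which facts params.pp actually reads
end
let(:params) do
  { keytab: '/etc/raddb/radius.keytab', principal: 'radius/radius.example.com' }
end
it do
  is_expected.to contain_file('/etc/raddb/modules/krb5')   # mods-enabled/ for fr_version 3 — confirm the default
    .with(
      'ensure' => 'present',
      'owner'  => 'root',
      'group'  => 'radiusd',
      'mode'   => '0640'
    )
    .with_content(%r{keytab = /etc/raddb/radius\.keytab})
    .with_content(%r{service_principal = radius/radius\.example\.com})
end
```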
......@@ -11,6 +11,7 @@ shared_context :global_hiera_data do
#"freeradius::control_socket" => '',
#"freeradius::control_socket::mode" => '',
#"freeradius::ldap_support" => '',
#"freeradius::krb5_support" => '',
#"freeradius::max_requests" => '',
#"freeradius::max_servers" => '',
#"freeradius::mysql_support" => '',
......
# -*- text -*-
#
# $Id: 29a92b9c099a8238fbff0dec60bef00cfb89010a $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 <%= @name %> {
keytab = <%= @keytab %>
service_principal = <%= @principal %>
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Number of connections to start
start = <%= @start %>
# Minimum number of connections to keep open
min = <%= @min %>
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# NOTE: This should be greater than or equal to "min" above.
max = <%= @max %>
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
spare = <%= @spare %>
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
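Review bot: `keytab` and `service_principal` (lines 177–178) are emitted unquoted, and as far as I know FreeRADIUS's config parser reads an unquoted value only up to the first whitespace, so a keytab path containing a space would be silently truncated to a path that does not exist; writing them as `keytab = "<%= @keytab %>"` and `service_principal = "<%= @principal %>"` matches how the stock module files quote paths and keeps the value intact. The pool knobs `uses`, `lifetime` and `idle_timeout` are hard-coded to 0 while `start`/`min`/`max`/`spare` are parameters of the define, which is defensible as the stock default but contradicts the retained comment block that tells the operator to "increase lifetime/idle_timeout" — either expose those three as parameters or trim that advice to what the template allows. The `$Id: 29a92b9c…$` line is a keyword leftover from the copied stock file and tracks nothing in this repository; dropping it avoids implying the template is tied to an upstream revision.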