Commit 20965fad authored by Jonathan's avatar Jonathan Committed by GitHub

Merge pull request #57 from amateo/feature/modules

Add support to configure linelog and detail modules
parents bc0a7015 6cb974a2
# == Define: freeradius::module::detail
#
define freeradius::module::detail (
Enum['present','absent'] $ensure = 'present',
String $filename = "\${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d",
Freeradius::Boolean $escape_filenames = 'no',
String $permissions = '0600',
Optional[String] $group = undef,
String $header = '%t',
Optional[Freeradius::Boolean] $locking = undef,
Optional[Freeradius::Boolean] $log_packet_header = undef,
Array[String] $suppress = [],
) {
if $suppress {
validate_array($suppress)
}
freeradius::module {"detail.${name}":
ensure => $ensure,
content => template('freeradius/detail.erb'),
}
}
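Review bot: The `if $suppress { validate_array($suppress) }` block just before the freeradius::module resource is redundant: the parameter is already declared `Array[String]`, so the type system rejects anything else before the body runs, and in Puppet 4+ an empty array is truthy so the branch always executes; `validate_array` is also a deprecated stdlib function. Drop those three lines. Separately, the resource title `"detail.${name}"` uses a dot where the sibling defines use `"ippool_${name}"` and `"linelog_${name}"`; `"detail_${name}"` would be consistent, unless the dotted file name is relied on elsewhere. The header comment documents none of the parameters; a short `# @param` list (at least noting that `$suppress` entries are attribute names emitted verbatim into the `suppress { }` block of the template) would help.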
# == Define: freeradius::module::ippool
#
define freeradius::module::ippool (
String $range_start,
String $range_stop,
String $netmask,
$ensure = 'present',
Optional[Integer] $cache_size = undef,
String $filename = "\${db_dir}/db.${name}",
String $ip_index = "\${db_dir}/db.${name}.index",
Freeradius::Boolean $override = 'no',
Integer $maximum_timeout = 0,
Optional[String] $key = undef,
) {
freeradius::module { "ippool_${name}":
ensure => $ensure,
content => template('freeradius/ippool.erb'),
}
}
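Review bot: `$ensure = 'present'` is the only parameter here without a type, while the detail and linelog defines declare it as `Enum['present','absent']`; `Enum['present','absent'] $ensure = 'present',` would make the three defines consistent and reject typos at catalog compile time instead of at apply time. I cannot tell from the rendered page which of these lines are new in this commit, so this may be pre-existing.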
# == Define freeradius::module::linelog
#
# Specific define to configure linelog module
#
define freeradius::module::linelog (
Enum['present','absent'] $ensure = 'present',
String $filename = "\${logdir}/linelog",
Freeradius::Boolean $escape_filenames = 'no',
String $permissions = '0600',
Optional[String] $group = undef,
Optional[String] $syslog_facility = undef,
Optional[String] $syslog_severity = undef,
String $format = 'This is a log message for %{User-Name}',
String $reference = 'messages.%{%{reply:Packet-Type}:-default}',
Array[String] $messages = [],
Array[String] $accounting_request = [],
) {
freeradius::module { "linelog_${name}":
ensure => $ensure,
content => template('freeradius/linelog.erb'),
}
}
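Review bot: `$syslog_facility` and `$syslog_severity` are `Optional[String]` although the template only documents a fixed set of accepted values (kern … local0-7, emergency … debug), so a typo is only discovered when radiusd fails to load the module; an `Optional[Enum[...]]` type would surface it at catalog compile time. The header comment should also say what `$messages` and `$accounting_request` must contain: the template joins each element verbatim into the `messages { }` and `Accounting-Request { }` blocks, so callers have to pass complete `Name = "text"` lines. A `# @param messages` / `# @param accounting_request` note stating this would avoid a silently invalid config.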
# File managed by puppet
##############################################################
# Write a detailed log of all accounting records received.
#
detail <%= @name %> {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
filename = <%= @filename %>
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = <%= @permissions %>
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
<%- if @group -%>
group = <%= @group %>
<%- end -%>
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "<%= @header %>"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
<%- if @locking -%>
locking = <%= @locking == true %>
<%- end -%>
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
<%- if @log_packet_header -%>
log_packet_header = <%= @log_packet_header == true %>
<%- end -%>
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
<%- if !@suppress.empty? -%>
suppress {
<%= @suppress.join("\n ") %>
}
<%- end -%>
}
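Review bot: `locking = <%= @locking == true %>` and `log_packet_header = <%= @log_packet_header == true %>` render `false` for any value that is not the Ruby `true`, yet the defines pass `Freeradius::Boolean` values whose defaults are the strings `'yes'`/`'no'` (see `$escape_filenames = 'no'` in detail.pp) and `escape_filenames` in this same template is emitted as-is, so a caller setting `locking => 'yes'` very likely gets `locking = false` written to the file. Emit the value like the other booleans, `locking = <%= @locking %>` and `log_packet_header = <%= @log_packet_header %>`, unless Freeradius::Boolean is known to be a real Boolean. Note that `<%- if @locking -%>` is also true for the string `'no'`, so the guard only filters undef, which is fine once the value is rendered verbatim. A related inconsistency: this template always renders `detail <%= @name %> {`, while linelog.erb omits the instance name when `@name == 'default'`; since the stock raddb `detail` instance is unnamed, the same special case here would let a `'default'` instance be referenced as `detail` from the sites.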
<%- require 'ipaddr' -%>
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
# The module also requires the existence of the Pool-Name
# attribute. That way the administrator can add the Pool-Name
# attribute in the user profiles and use different pools for
# different users. The Pool-Name attribute is a *check* item
# not a reply item.
#
# The Pool-Name should be set to the ippool module instance
# name or to DEFAULT to match any module.
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# Note: If you change the range parameters you must then erase the
# db files.
#
ippool <%= @name %> {
# The main db file used to allocate addresses.
filename = <%= @filename %>
# The start and end ip addresses for this pool.
range_start = <%= @range_start %>
range_stop = <%= @range_stop %>
# The network mask used for this pool.
netmask = <%= @netmask %>
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
<%- if @cache_size -%>
cache_size = <%= @cache_size %>
<%- else -%>
cache_size = <%= (IPAddr.new @range_stop).to_i() - (IPAddr.new @range_start).to_i() + 1 %>
<%- end -%>
# Helper db index file used in multilink
<%- if @ip_index -%>
ip_index = <%= @ip_index %>
<%- else -%>
ip_index = ${db_dir}/db.<%= @name %>.index
<%- end -%>
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = <%= @override %>
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = <%= @maximum_timeout %>
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
# key = "%{NAS-IP-Address} %{NAS-Port}"
<%- if @key -%>
key = "<%= @key %>"
<%- end -%>
}
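Review bot: The computed `cache_size` on the `<%- else -%>` branch, `(IPAddr.new @range_stop).to_i() - (IPAddr.new @range_start).to_i() + 1`, goes to zero or negative when `range_stop` is below `range_start` or the two are of different address families, and `IPAddr.new` raises on a malformed string, aborting the catalog compile with a Ruby backtrace rather than a clear parameter error; validating the two values in the define, or at least a comment stating the assumption, would help. The `<%- if @ip_index -%> … <%- else -%>` branch is also dead, since ippool.pp always supplies a default for `$ip_index`. I cannot tell from this page which of these lines the commit introduces, so both may be pre-existing.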
# This file is managed by Puppet. DO NOT EDIT.
#
#
# The "linelog" module will log one line of text to a file.
# Both the filename and the line of text are dynamically expanded.
#
# We STRONGLY suggest that you do not use data from the
# packet as part of the filename.
#
<%- if @name == 'default' -%>
linelog {
<%- else -%>
linelog <%= @name %> {
<%- end -%>
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = <%= @filename %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = <%= @permissions %>
#
# The Unix group which owns the log file.
#
# The user that freeradius runs as must be in the specified
# group, otherwise it will not be possible to set the group.
#
# group = ${security.group}
<%- if @group -%>
group = <%= @group %>
<%- end -%>
# Syslog facility (if logging via syslog).
# Defaults to the syslog_facility config item in radiusd.conf.
# Standard facilities are:
# - kern Messages generated by the kernel. These cannot
# be generated by any user processes.
# - user Messages generated by random user processes.
# This is the default facility identifier if
# none is specified.
# - mail The mail system.
# - daemon System daemons, such as routed(8), that are not
# provided for explicitly by other facilities.
# - auth The authorization system: login(1), su(1),
# getty(8), etc.
# - lpr The line printer spooling system: cups-lpd(8),
# cupsd(8), etc.
# - news The network news system.
# - uucp The uucp system.
# - cron The cron daemon: cron(8).
# - authpriv The same as LOG_AUTH, but logged to a file
# readable only by selected individuals.
# - ftp The file transfer protocol daemons: ftpd(8),
# tftpd(8).
# - local[0-7] Reserved for local use.
# syslog_facility = daemon
<%- if @syslog_facility -%>
syslog_facility = <%= @syslog_facility %>
<%- end -%>
# Syslog severity (if logging via syslog). Defaults to info.
# Possible values are:
# - emergency A panic condition. This is normally broadcast
# to all users.
# - alert A condition that should be corrected immediately,
# such as a corrupted system database.
# - critical Critical conditions, e.g., hard device errors.
# - error Errors.
# - warning Warning messages.
# - notice Conditions that are not error conditions, but
# should possibly be handled specially.
# - info Informational messages.
# - debug Messages that contain information normally of use
# only when debugging a program.
# syslog_severity = info
<%- if @syslog_severity -%>
syslog_severity = <%= @syslog_severity %>
<%- end -%>
#
# The default format string.
format = "<%= @format %>"
#
# This next line can be omitted. If it is omitted, then
# the log message is static, and is always given by "format",
# above.
#
# If it is defined, then the string is dynamically expanded,
# and the result is used to find another configuration entry
# here, with the given name. That name is then used as the
# format string.
#
# If the configuration entry cannot be found, then no log
# message is printed.
#
# i.e. You can have many log messages in one "linelog" module.
# If this two-step expansion did not exist, you would have
# needed to configure one "linelog" module for each log message.
#
# Reference the Packet-Type (Access-Request, etc.) If it doesn't
# exist, reference the "format" entry, above.
reference = "<%= @reference %>"
#
# The messages defined here are taken from the "reference"
# expansion, above.
#
# messages {
# default = "Unknown packet type %{Packet-Type}"
#
# Access-Request = "Requested access: %{User-Name}"
# Access-Reject = "Rejected access: %{User-Name}"
# Access-Challenge = "Sent challenge: %{User-Name}"
# }
<%- if !@messages.empty? -%>
messages {
<%= @messages.join("\n ") %>
}
<%- end -%>
#
# Another example:
#
#
# Accounting-Request {
# Start = "Connect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address})"
# Stop = "Disconnect: [%{User-Name}] (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} ip %{Framed-IP-Address}) %{Acct-Session-Time} seconds"
#
# # Don't log anything for these packets.
# Alive = ""
#
# Accounting-On = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just came online"
# Accounting-Off = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) just went offline"
#
# # don't log anything for other Acct-Status-Types.
# unknown = "NAS %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} (%{%{NAS-IP-Address}:-%{NAS-IPv6-Address}}) sent unknown Acct-Status-Type %{Acct-Status-Type}"
# }
<%- if !@accounting_request.empty? -%>
Accounting-Request {
<%= @accounting_request.join("\n ")%>
}
<%- end -%>
}
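Review bot: `format = "<%= @format %>"` and `reference = "<%= @reference %>"` wrap the value in double quotes but do not escape an embedded `"`, so a format string containing a quote produces a config radiusd will not parse; either document that restriction on the define or escape the value, for example `<%= @format.gsub('"', '\\"') %>`. The `messages` and `Accounting-Request` blocks are rendered with `join("\n ")` from raw strings, so each element must already be a complete `Name = "text"` line; a one-line template comment above each block saying so would make the contract visible. Minor: `<%= @accounting_request.join("\n ")%>` is missing the space before `%>` that the `messages` line has.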