Commit 2772d132 authored by Nathan Ward

Make some LDAP parameters conditional around FreeRADIUS v3.1.x

Impacted params:
- connect_timeout
- session_tracking
- use_referral_credentials

Only set each of these params in the config if:
- it is intentionally set in the params, or
- we are on FR3.1.x, in which case set the default of 3.0

If they are set in the params, and we detect we are NOT on FR3.1.x, then warn

Additionally, move the LDAP module tests to the module directory
parent 70d6c690
......@@ -46,7 +46,7 @@
This module installs and configures [FreeRADIUS](http://freeradius.org/) server
on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
but should work on other distributions.
but should work on other distributions.
This module requires Puppet 4.0.0 or greater. Puppet 3.x was
[discontinued](https://puppet.com/misc/puppet-enterprise-lifecycle) at
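Review bot: the removed and added lines in this README hunk carry identical text, so the actual change is not visible here (most likely trailing whitespace); the same is true of the hunks at lines 444 and 1415. Those edits are unrelated to the LDAP parameter change the commit message describes and would be cleaner as a separate whitespace-only commit.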
......@@ -444,7 +444,7 @@ be "acct", or they all have to be "auth+acct".
The type of this pool controls how home servers are chosen.
* `fail-over` the request is sent to the first live home server in the list. i.e. If the first home server is marked "dead", the second one is chosen, etc.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network.
* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.
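Review bot: since the `load-balance` bullet is being touched anyway, fix its wording: "the least busy home server is chosen For non-EAP auth methods" runs two sentences together. Suggest `the least busy home server is chosen. For non-EAP auth methods, and for acct packets, we recommend using "load-balance".`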
......@@ -634,9 +634,11 @@ With `chase_referrals` control whether the server follows references returned by
##### `use_referral_credentials`
On rebind, use the credentials from the rebind url instead of admin credentials. Default: `no`.
This parameter should only be set when using FreeRADIUS 3.1.x.
##### `session_tracking`
If `yes`, then include draft-wahl-ldap-session tracking controls. Default: `undef`.
This parameter should only be set when using FreeRADIUS 3.1.x.
##### `uses`
How many times the connection can be used before being re-established. This is useful for things
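Review bot: the added sentence under `use_referral_credentials` and `session_tracking` says the parameter "should only be set" on 3.1.x, but the define in this commit calls `fail()` when either is set on any other version, so the README should say that catalog compilation fails. `Default: \`no\`` for `use_referral_credentials` is now also only true on 3.1.x; on other versions the option is omitted from the rendered config entirely, which is worth stating because the old template always emitted `use_referral_credentials = no`.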
......@@ -653,6 +655,7 @@ Idle timeout (in seconds). A connection which is unused for this length of time
##### `connect_timeout`
Connection timeout (in seconds). The maximum amount of time to wait for a new connection to be established. Default: `3.0`.
This parameter should only be set when using FreeRADIUS 3.1.x.
##### `idle`
Sets the idle time before keepalive probes are sent. Default `60`
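Review bot: same point as for the other two parameters: `Default: \`3.0\`` now applies only when `freeradius::fr_3_1` is true, and setting `connect_timeout` on a non-3.1.x install makes the catalog fail rather than merely being discouraged. State both here so users upgrading the module are not surprised by a new hard failure.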
......@@ -1415,7 +1418,7 @@ Default: `radius`. Name of the database. Normally you should leave this alone. I
##### `num_sql_socks`
Default: same as `max_servers`. Number of sql connections to make to the database server.
Default: same as `max_servers`. Number of sql connections to make to the database server.
Setting this to LESS than the number of threads means that some threads may starve, and
you will see errors like "No connections available and at max connection limit". Setting
this to MORE than the number of threads means that there are more connections than necessary.
......
......@@ -38,7 +38,7 @@ define freeradius::module::ldap (
Optional[Enum['never','searching','finding','always']] $dereference = undef,
Freeradius::Boolean $chase_referrals = 'yes',
Freeradius::Boolean $rebind = 'yes',
Freeradius::Boolean $use_referral_credentials = 'no',
Optional[Freeradius::Boolean] $use_referral_credentials = undef,
Optional[Freeradius::Boolean] $session_tracking = undef,
Integer $timeout = 10,
Integer $timelimit = 3,
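Review bot: changing the default of `use_referral_credentials` from `'no'` to `undef` is a behaviour change for every existing caller on 3.0.x: the rendered `ldap` module previously contained `use_referral_credentials = no` and now omits the line. That is the intended fix for an option 3.0.x does not know, but it deserves a line in the commit message or changelog, since a config file diff (and a service notify) will show up on every existing host on the first run after upgrading the module.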
......@@ -61,7 +61,7 @@ define freeradius::module::ldap (
Integer $retry_delay = 30,
Integer $lifetime = 0,
Integer $idle_timeout = 60,
Float $connect_timeout = 3.0,
Optional[Float] $connect_timeout = undef,
) {
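Review bot: `Optional[Float]` rejects integer literals, so `connect_timeout => 5` fails type checking while `5.0` passes (the new spec uses `5.0`). If whole seconds should be accepted, `Optional[Numeric]` is the friendlier type; otherwise document that a float literal is required.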
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......@@ -79,6 +79,79 @@ define freeradius::module::ldap (
default => $server,
}
# Warn if the user tries to set a FreeRADIUS 3.1.x specific parameter, and
# we detect that they are not on (or not installing) a FreeRADIUS 3.1.x
# then show them some errors
# Additionally, if we are on FreeRADIUS 3.1.x then allow defaults for some
# parameters, otherwise leave them set as specified when this define
# is called.
if $::freeradius::fr_3_1 {
if $connect_timeout != undef {
warning(@("WARN"/L)
The `connect_timeout` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`. \
In the future, attempting to set it on this version may fail.
|-WARN
)
}
if $session_tracking != undef {
warning(@("WARN"/L)
The `session_tracking` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`. \
In the future, attempting to set it on this version may fail.
|-WARN
)
}
if $use_referral_credentials != undef {
warning(@("WARN"/L)
The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x, \
i.e. the experimental branch. You are running \
`${facts['freeradius_version']}`. In the future, attempting to set \
it on this version may fail.
|-WARN
)
}
$resolved_connect_timeout = $connect_timeout ? {
undef => 3.0,
default => $connect_timeout,
}
$resolved_session_tracking = $session_tracking
$resolved_use_referral_credentials = $use_referral_credentials ? {
undef => 'no',
default => $use_referral_credentials,
}
} else {
if $connect_timeout != undef {
fail(@("FAIL"/L)
The `connect_timeout` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`.
|-FAIL
)
}
if $session_tracking != undef {
fail(@("FAIL"/L)
The `session_tracking` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`.
|-FAIL
)
}
if $use_referral_credentials != undef {
fail(@("FAIL"/L)
The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x, \
i.e. the experimental branch. You are running \
`${facts['freeradius_version']}`.
|-FAIL
)
}
}
# Generate a module config, based on ldap.conf
file { "${fr_basepath}/mods-available/${name}":
ensure => $ensure,
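Review bot: the version gate is inverted relative to both the comment at the top of this hunk and the commit message. The `warning()` calls sit inside `if $::freeradius::fr_3_1`, so a user who is on 3.1.x and sets `connect_timeout` is told "The `connect_timeout` parameter requires FreeRADIUS 3.1.x ... You are running 3.1.x", while the `else` branch hard-`fail()`s where the commit message promises a warning. Either move the `warning()` calls into the `else` branch and drop the `fail()`s, or keep the `fail()` and update the comment and commit message; in either case the 3.1.x branch should emit no message at all. Two smaller points: the `else` branch never assigns `$resolved_connect_timeout`, `$resolved_session_tracking` or `$resolved_use_referral_credentials`, so the template relies on Ruby returning `nil` for `@resolved_*` instance variables that were never set; assign them `undef` explicitly there so the intent is visible. And the three near-identical warning/fail blocks differ only in the parameter name, so a single loop over `['connect_timeout', 'session_tracking', 'use_referral_credentials']` would remove the duplication and keep the messages in sync.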
......
require 'spec_helper'
describe 'freeradius::ldap' do
include_context 'redhat_common_dependencies'
let(:title) { 'test' }
let(:params) do
{
identity: 'cn=root,dc=example,dc=com',
password: 'test password',
basedn: 'dc=example,dc=com',
server: ['localhost'],
}
end
let(:facts) do
{
freeradius_version: '3.0.21',
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^ldap test \{\n})
.with_content(%r{^\s+server = 'localhost'\n})
.with_content(%r{^\s+identity = 'cn=root,dc=example,dc=com'\n})
.with_content(%r{^\s+password = 'test password'\n})
.with_content(%r{^\s+base_dn = 'dc=example,dc=com'\n})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
.with_owner('root')
.that_notifies('Service[radiusd]')
.that_requires('Package[freeradius]')
.that_requires('Group[radiusd]')
end
it do
is_expected.to contain_file('/etc/raddb/mods-enabled/test')
.with_ensure('link')
.with_target('../mods-available/test')
end
end
require 'spec_helper'
describe 'freeradius::module::ldap' do
include_context 'redhat_common_dependencies'
let(:title) { 'test' }
let(:params) do
{
identity: 'cn=root,dc=example,dc=com',
password: 'test password',
basedn: 'dc=example,dc=com',
server: ['localhost'],
}
end
let(:facts) do
{
freeradius_version: '3.0.21',
}
end
let(:node_params) do
{
'freeradius::fr_3_1' => false,
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^ldap test \{\n})
.with_content(%r{^\s+server = 'localhost'\n})
.with_content(%r{^\s+identity = 'cn=root,dc=example,dc=com'\n})
.with_content(%r{^\s+password = 'test password'\n})
.with_content(%r{^\s+base_dn = 'dc=example,dc=com'\n})
.without_content(%r{^\s+connect_timeout = .*})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
.with_owner('root')
.that_notifies('Service[radiusd]')
.that_requires('Package[freeradius]')
.that_requires('Group[radiusd]')
end
it do
is_expected.to contain_file('/etc/raddb/mods-enabled/test')
.with_ensure('link')
.with_target('../mods-available/test')
end
context 'when freeradius::fr_3_1 is true' do
let(:facts) do
super().merge(
'freeradius_version' => '3.1.1',
)
end
let(:node_params) do
{
'freeradius::fr_3_1' => true,
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^\s+connect_timeout = 3.0})
.with_content(%r{^\s+use_referral_credentials = no})
.without_content(%r{^\s+session_tracking = .*})
end
context 'with connect_timeout, session_tracking, and use_referral_credentials specified' do
let(:params) do
super().merge(
connect_timeout: 5.0,
session_tracking: 'yes',
use_referral_credentials: 'yes',
)
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^\s+connect_timeout = 5.0})
.with_content(%r{^\s+use_referral_credentials = yes})
.with_content(%r{^\s+session_tracking = yes})
end
# it do
# is_expected.to create_notify('warning_test').with_message(%r{^The `connect_timeout` parameter requires FreeRADIUS 3.1.x})
# end
# it do
# is_expected.to create_notify('warning_test').with_message(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x})
# end
# it do
# is_expected.to create_notify('warning_test').with_message(%r{^The `session_tracking` parameter requires FreeRADIUS 3.1.x})
# end
end
end
# context 'with connect_timeout specified' do
# let(:params) do
# super().merge(
# connect_timeout: 5.0,
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The \`connect_timeout` parameter requires FreeRADIUS 3\.1\.x})
# end
# end
# context 'with session_tracking specified' do
# let(:params) do
# super().merge(
# session_tracking: 'yes',
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The `session_tracking` parameter requires FreeRADIUS 3.1.x})
# end
# end
# context 'with use_referral_credentials specified' do
# let(:params) do
# super().merge(
# use_referral_credentials: 'yes',
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x})
# end
# end
end
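Review bot: the commented-out examples are the ones that cover the new behaviour, so the move to the module directory leaves it untested. The three `create_notify('warning_test')` examples cannot work as written because `warning()` emits a log message, not a `notify` resource, so they would need to assert on Puppet's log output instead. The three `compile.and_raise_error` contexts for the non-3.1.x case exercise the `fail()` path that this commit adds (the top-level `let(:node_params)` already sets `'freeradius::fr_3_1' => false`), so they should be enabled rather than left commented. Also use one escaping style in those regexes: the first escapes the backtick and the dots (`\`connect_timeout\``, `3\.1\.x`), the other two escape neither.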
......@@ -602,14 +602,16 @@ ldap <%= @name %> {
chase_referrals = <%= @chase_referrals %>
rebind = <%= @rebind %>
<%- unless @resolved_use_referral_credentials.nil? -%>
#
# On rebind, use the credentials from the rebind url instead
# of admin credentials used during the initial bind.
# Default 'no'
#
use_referral_credentials = <%= @use_referral_credentials %>
use_referral_credentials = <%= @resolved_use_referral_credentials %>
<%- end -%>
<%- if @session_tracking -%>
<%- unless @resolved_session_tracking.nil? -%>
#
# If 'yes', then include draft-wahl-ldap-session tracking
# controls.
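Review bot: both options are now guarded with `unless @resolved_*.nil?`, which is consistent. One leftover: the header comment still says `Default 'no'` for `use_referral_credentials`, which matches what the manifest resolves on 3.1.x but not what this template emits on other versions (nothing); consider `Default 'no' (only rendered on FreeRADIUS 3.1.x)` so the comment in the generated file is not misleading.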
......@@ -619,7 +621,7 @@ ldap <%= @name %> {
# as session tracking controls, in applicable LDAP operations.
# Default 'no'.
#
session_tracking = <%= @session_tracking %>
session_tracking = <%= @resolved_session_tracking %>
<%- end -%>
# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
# Note - uncomment when using GSS-API sasl mechanism along with TLS
......@@ -783,12 +785,13 @@ ldap <%= @name %> {
# unused for this length of time will be closed.
# idle_timeout = 60
idle_timeout = <%= @idle_timeout %>
<% if @resolved_connect_timeout %>
# Connection timeout (in seconds). The maximum amount of
# time to wait for a new connection to be established.
# Sets LDAP_OPT_NETWORK_TIMEOUT in libldap.
connect_timeout = <%= @connect_timeout %>
connect_timeout = <%= @resolved_connect_timeout %>
<% end -%>
# NOTE: All configuration settings are enforced. If a
# connection is closed because of 'idle_timeout',
# 'uses', or 'lifetime', then the total number of
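Review bot: the new `<% if @resolved_connect_timeout %>` / `<% end -%>` pair is inconsistent with the `<%- unless ... .nil? -%>` guards used for the other two options earlier in this template: the opening tag has no leading `-` and no trailing `-%>`, so the rendered config gains a blank line where the tag was, and it uses a truthiness test rather than `.nil?`. Suggest `<%- unless @resolved_connect_timeout.nil? -%>` to match.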
......