Unverified Commit 28c34bcb authored by Nathan Ward's avatar Nathan Ward Committed by GitHub

Merge pull request #142 from SearchLightNZ/freeradius_3_0_21_config_updates

Make FreeRADIUS 3.0.21 the target version for config
parents c2d1984e c3f547b0
......@@ -46,7 +46,7 @@
This module installs and configures [FreeRADIUS](http://freeradius.org/) server
on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
but should work on other distributions.
but should work on other distributions.
This module requires Puppet 4.0.0 or greater. Puppet 3.x was
[discontinued](https://puppet.com/misc/puppet-enterprise-lifecycle) at
......@@ -444,7 +444,7 @@ be "acct", or they all have to be "auth+acct".
The type of this pool controls how home servers are chosen.
* `fail-over` the request is sent to the first live home server in the list. i.e. If the first home server is marked "dead", the second one is chosen, etc.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network.
* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network.
* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.
......@@ -634,9 +634,11 @@ With `chase_referrals` control whether the server follows references returned by
##### `use_referral_credentials`
On rebind, use the credentials from the rebind url instead of admin credentials. Default: `no`.
This parameter should only be set when using FreeRADIUS 3.1.x.
##### `session_tracking`
If `yes`, then include draft-wahl-ldap-session tracking controls. Default: `undef`.
This parameter should only be set when using FreeRADIUS 3.1.x.
##### `uses`
How many times the connection can be used before being re-established. This is useful for things
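Review bot: "This parameter should only be set when using FreeRADIUS 3.1.x." (added under both `use_referral_credentials` and `session_tracking`) under-states what the manifest now does: in `freeradius::module::ldap` a non-undef value for either of these, or for `connect_timeout`, on a host not detected as 3.1.x calls `fail()`, so the catalog does not compile at all. Say that plainly, e.g. "Setting this on FreeRADIUS 3.0.x causes a compile failure; on 3.1.x it logs a warning because that branch is experimental." The `use_referral_credentials` default is also now `undef` in the define, with `no` applied only on 3.1.x, so "Default: `no`" should carry the same qualification.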
......@@ -653,6 +655,7 @@ Idle timeout (in seconds). A connection which is unused for this length of time
##### `connect_timeout`
Connection timeout (in seconds). The maximum amount of time to wait for a new connection to be established. Default: `3.0`.
This parameter should only be set when using FreeRADIUS 3.1.x.
##### `idle`
Sets the idle time before keepalive probes are sent. Default `60`
......@@ -1415,7 +1418,7 @@ Default: `radius`. Name of the database. Normally you should leave this alone. I
##### `num_sql_socks`
Default: same as `max_servers`. Number of sql connections to make to the database server.
Default: same as `max_servers`. Number of sql connections to make to the database server.
Setting this to LESS than the number of threads means that some threads may starve, and
you will see errors like "No connections available and at max connection limit". Setting
this to MORE than the number of threads means that there are more connections than necessary.
......@@ -1536,6 +1539,7 @@ be closed. Default: 60.
Connection timeout (in seconds). The maximum amount of time to wait for a new
connection to be established. Default: '3.0'.
This parameter should only be set when using FreeRADIUS 3.1.x.
#### `freeradius::statusclient`
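Review bot: `Default: '3.0'` on the second line of this hunk uses single quotes where the rest of the README (the ldap `connect_timeout` entry, for instance) uses backticks for literal values; switch to backticks. The same caveat as for the ldap entries applies here: the new sentence should state that setting this parameter on a host not detected as 3.1.x makes `freeradius::sql` call `fail()`, not merely that it "should only be set" there.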
......
......@@ -28,6 +28,16 @@ class freeradius (
notify { 'This module is only compatible with FreeRADIUS 3.': }
}
# Guess if we are running FreeRADIUS 3.1.x
if (
($package_ensure =~ /^3\.1\./) or
($facts['freeradius_version'] and $facts['freeradius_version'] =~ /^3\.1\./)
) {
$fr_3_1 = true
} else {
$fr_3_1 = false
}
validate_re($log_destination, '^(files|syslog|stdout|stderr)$',
"log_destination value (${log_destination}) is not a valid value")
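Review bot: the 3.1.x guess depends on `$facts['freeradius_version']`, which does not exist until the package has been installed, so a first run with `package_ensure => 'latest'` (or `'present'`) against a 3.1.x repository yields `$fr_3_1 = false`; any 3.1-only parameter passed to `freeradius::module::ldap` or `freeradius::sql` then hits `fail()` on that run and only downgrades to a warning on the next. Either document this in the README or require an explicit `package_ensure => '3.1.<n>'` pin when those parameters are used. Related: the `fail`/`warning` messages interpolate `${facts['freeradius_version']}`, which renders as an empty string in exactly that case; fall back to `$package_ensure` in the message text.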
......
......@@ -38,7 +38,7 @@ define freeradius::module::ldap (
Optional[Enum['never','searching','finding','always']] $dereference = undef,
Freeradius::Boolean $chase_referrals = 'yes',
Freeradius::Boolean $rebind = 'yes',
Freeradius::Boolean $use_referral_credentials = 'no',
Optional[Freeradius::Boolean] $use_referral_credentials = undef,
Optional[Freeradius::Boolean] $session_tracking = undef,
Integer $timeout = 10,
Integer $timelimit = 3,
......@@ -61,7 +61,7 @@ define freeradius::module::ldap (
Integer $retry_delay = 30,
Integer $lifetime = 0,
Integer $idle_timeout = 60,
Float $connect_timeout = 3.0,
Optional[Float] $connect_timeout = undef,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......@@ -79,6 +79,79 @@ define freeradius::module::ldap (
default => $server,
}
# Warn if the user tries to set a FreeRADIUS 3.1.x specific parameter, and
# we detect that they are not on (or not installing) a FreeRADIUS 3.1.x
# then show them some errors
# Additionally, if we are on FreeRADIUS 3.1.x then allow defaults for some
# parameters, otherwise leave them set as specified when this define
# is called.
if $::freeradius::fr_3_1 {
if $connect_timeout != undef {
warning(@("WARN"/L)
The `connect_timeout` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`. \
In the future, attempting to set it on this version may fail.
|-WARN
)
}
if $session_tracking != undef {
warning(@("WARN"/L)
The `session_tracking` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`. \
In the future, attempting to set it on this version may fail.
|-WARN
)
}
if $use_referral_credentials != undef {
warning(@("WARN"/L)
The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x, \
i.e. the experimental branch. You are running \
`${facts['freeradius_version']}`. In the future, attempting to set \
it on this version may fail.
|-WARN
)
}
$resolved_connect_timeout = $connect_timeout ? {
undef => 3.0,
default => $connect_timeout,
}
$resolved_session_tracking = $session_tracking
$resolved_use_referral_credentials = $use_referral_credentials ? {
undef => 'no',
default => $use_referral_credentials,
}
} else {
if $connect_timeout != undef {
fail(@("FAIL"/L)
The `connect_timeout` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`.
|-FAIL
)
}
if $session_tracking != undef {
fail(@("FAIL"/L)
The `session_tracking` parameter requires FreeRADIUS 3.1.x, i.e. the \
experimental branch. You are running `${facts['freeradius_version']}`.
|-FAIL
)
}
if $use_referral_credentials != undef {
fail(@("FAIL"/L)
The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x, \
i.e. the experimental branch. You are running \
`${facts['freeradius_version']}`.
|-FAIL
)
}
}
# Generate a module config, based on ldap.conf
file { "${fr_basepath}/mods-available/${name}":
ensure => $ensure,
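Review bot: the comment at the top of this block says it warns when the user is *not* on 3.1.x, but the `warning()` calls sit inside `if $::freeradius::fr_3_1` while the non-3.1 branch calls `fail()`, so a 3.1.x user who sets a supported parameter is told it "requires FreeRADIUS 3.1.x ... You are running `3.1.1`". Either reword the comment and the message (the warning is really about the branch being experimental) or drop the 3.1.x-side warning entirely. Two smaller points: the `else` branch never assigns `$resolved_connect_timeout`, `$resolved_session_tracking` or `$resolved_use_referral_credentials`, so the ERB template must tolerate them being undefined; assigning them explicitly (`$resolved_connect_timeout = undef`, etc.) in that branch makes the contract visible. And the three near-identical heredocs could be one loop over a hash of parameter name to value, which would also keep the wording in sync.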
......
......@@ -31,7 +31,7 @@ define freeradius::sql (
Optional[Integer] $pool_min = 1,
Optional[Integer] $pool_spare = 1,
Optional[Integer] $pool_idle_timeout = 60,
Optional[Float] $pool_connect_timeout = 3.0,
Optional[Float] $pool_connect_timeout = undef,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......@@ -52,6 +52,40 @@ define freeradius::sql (
fail('$num_sql_socks must be an integer')
}
# Warn if the user tries to set a FreeRADIUS 3.1.x specific parameter, and
# we detect that they are not on (or not installing) a FreeRADIUS 3.1.x
# then show them some errors
# Additionally, if we are on FreeRADIUS 3.1.x then allow defaults for some
# parameters, otherwise leave them set as specified when this define
# is called.
if $::freeradius::fr_3_1 {
if $pool_connect_timeout != undef {
warning(@("WARN"/L)
The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x, \
i.e. the experimental branch. You are running \
`${facts['freeradius_version']}`. In the future, attempting to set \
it on this version may fail.
|-WARN
)
}
$resolved_pool_connect_timeout = $pool_connect_timeout ? {
undef => 3.0,
default => $pool_connect_timeout,
}
} else {
if $pool_connect_timeout != undef {
fail(@("FAIL"/L)
The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x, \
i.e. the experimental branch. You are running \
`${facts['freeradius_version']}`.
|-FAIL
)
}
}
# Determine default location of query file
$queryfile = "${fr_basepath}/sql/queries.conf"
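Review bot: this gate duplicates the one in `freeradius::module::ldap` almost line for line (comment block, message text, `resolved_*` selector); consider a single private function or define (something like `freeradius::require_3_1($param, $value)`, hypothetical name) so the message wording and the first-run behaviour only have to be fixed in one place. As in the ldap define, the `else` branch leaves `$resolved_pool_connect_timeout` unassigned, and the comment block inherits the same contradiction between "warn if not on 3.1.x" and a `warning()` that only fires when `$::freeradius::fr_3_1` is true.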
......
......@@ -14,7 +14,8 @@ describe 'freeradius::krb5' do
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^krb5 test \{\n\s+keytab = test_keytab\n\s+service_principal = test_principal\n})
.with_content(%r{^\s+keytab = test_keytab$})
.with_content(%r{^\s+service_principal = test_principal$})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
......
require 'spec_helper'
describe 'freeradius::ldap' do
include_context 'redhat_common_dependencies'
let(:title) { 'test' }
let(:params) do
{
identity: 'cn=root,dc=example,dc=com',
password: 'test password',
basedn: 'dc=example,dc=com',
server: ['localhost'],
}
end
let(:facts) do
{
freeradius_version: '3.0.21',
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^ldap test \{\n})
.with_content(%r{^\s+server = 'localhost'\n})
.with_content(%r{^\s+identity = 'cn=root,dc=example,dc=com'\n})
.with_content(%r{^\s+password = 'test password'\n})
.with_content(%r{^\s+base_dn = 'dc=example,dc=com'\n})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
.with_owner('root')
.that_notifies('Service[radiusd]')
.that_requires('Package[freeradius]')
.that_requires('Group[radiusd]')
end
it do
is_expected.to contain_file('/etc/raddb/mods-enabled/test')
.with_ensure('link')
.with_target('../mods-available/test')
end
end
require 'spec_helper'
describe 'freeradius::module::ldap' do
include_context 'redhat_common_dependencies'
let(:title) { 'test' }
let(:params) do
{
identity: 'cn=root,dc=example,dc=com',
password: 'test password',
basedn: 'dc=example,dc=com',
server: ['localhost'],
}
end
let(:facts) do
{
freeradius_version: '3.0.21',
}
end
let(:node_params) do
{
'freeradius::fr_3_1' => false,
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^ldap test \{\n})
.with_content(%r{^\s+server = 'localhost'\n})
.with_content(%r{^\s+identity = 'cn=root,dc=example,dc=com'\n})
.with_content(%r{^\s+password = 'test password'\n})
.with_content(%r{^\s+base_dn = 'dc=example,dc=com'\n})
.without_content(%r{^\s+connect_timeout = .*})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
.with_owner('root')
.that_notifies('Service[radiusd]')
.that_requires('Package[freeradius]')
.that_requires('Group[radiusd]')
end
it do
is_expected.to contain_file('/etc/raddb/mods-enabled/test')
.with_ensure('link')
.with_target('../mods-available/test')
end
context 'when freeradius::fr_3_1 is true' do
let(:facts) do
super().merge(
'freeradius_version' => '3.1.1',
)
end
let(:node_params) do
{
'freeradius::fr_3_1' => true,
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^\s+connect_timeout = 3.0})
.with_content(%r{^\s+use_referral_credentials = no})
.without_content(%r{^\s+session_tracking = .*})
end
context 'with connect_timeout, session_tracking, and use_referral_credentials specified' do
let(:params) do
super().merge(
connect_timeout: 5.0,
session_tracking: 'yes',
use_referral_credentials: 'yes',
)
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^\s+connect_timeout = 5.0})
.with_content(%r{^\s+use_referral_credentials = yes})
.with_content(%r{^\s+session_tracking = yes})
end
# it do
# is_expected.to create_notify('warning_test').with_message(%r{^The `connect_timeout` parameter requires FreeRADIUS 3.1.x})
# end
# it do
# is_expected.to create_notify('warning_test').with_message(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x})
# end
# it do
# is_expected.to create_notify('warning_test').with_message(%r{^The `session_tracking` parameter requires FreeRADIUS 3.1.x})
# end
end
end
# context 'with connect_timeout specified' do
# let(:params) do
# super().merge(
# connect_timeout: 5.0,
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The \`connect_timeout` parameter requires FreeRADIUS 3\.1\.x})
# end
# end
# context 'with session_tracking specified' do
# let(:params) do
# super().merge(
# session_tracking: 'yes',
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The `session_tracking` parameter requires FreeRADIUS 3.1.x})
# end
# end
# context 'with use_referral_credentials specified' do
# let(:params) do
# super().merge(
# use_referral_credentials: 'yes',
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x})
# end
# end
end
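Review bot: `let(:node_params) { { 'freeradius::fr_3_1' => true } }` cannot override `$fr_3_1`: it is a variable assigned in the body of `class freeradius`, not a class parameter, so node parameters have no effect on it. The 3.1 context passes because `freeradius_version => '3.1.1'` in the facts drives the guess in init.pp; drop the `node_params` blocks (here and in the `false` case above) so the next reader is not misled about what controls the branch. The commented-out `compile.and_raise_error` contexts leave the `fail()` path with no active test; if they were disabled because the message did not match, note that the first of them escapes its opening backtick (`\`connect_timeout``) while the other two do not (neither needs escaping inside `%r{}`), and that the "You are running" line interpolates an empty version when the fact is absent. Finally, `%r{^\s+connect_timeout = 3.0}` and `5.0` use an unescaped `.`, so `300` would also match; write `3\.0` and `5\.0`.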
......@@ -5,7 +5,11 @@ describe 'freeradius::sql' do
context "on #{os}" do
include_context 'freeradius_default'
let(:facts) { os_facts }
let(:facts) do
os_facts.merge(
freeradius_version: '3.0.21',
)
end
let(:title) { 'test' }
......@@ -26,6 +30,7 @@ describe 'freeradius::sql' do
.with_content(%r{^\s+login = "radius"$})
.with_content(%r{^\s+password = "test_password"$})
.with_content(%r{^\s+postauth_table = "radpostauth"$})
.without_content(%r{^\s+connect_timeout = .*})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
......@@ -78,6 +83,56 @@ describe 'freeradius::sql' do
.with_source('puppet:///modules/path/to/custom/query/file')
end
end
context 'when freeradius::fr_3_1 is true' do
let(:facts) do
super().merge(
'freeradius_version' => '3.1.1',
)
end
let(:node_params) do
{
'freeradius::fr_3_1' => true,
}
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^\s+connect_timeout = 3.0})
end
context 'with pool_connect_timeout specified' do
let(:params) do
super().merge(
pool_connect_timeout: 5.0,
)
end
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^\s+connect_timeout = 5.0})
end
# it do
# expect(catalogue).to satisfy('contain connect_timeout warning') do |c|
# c.resource_refs.any? { |r| r =~ %r{^warning_test: The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x.*In the future/} }
# end
# end
end
end
# context 'with pool_connect_timeout specified' do
# let(:params) do
# super().merge(
# pool_connect_timeout: 5.0,
# )
# end
# it do
# is_expected.to compile.and_raise_error(%r{^The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x})
# end
# end
end
end
end
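Review bot: same issue as the ldap spec: `node_params` with `'freeradius::fr_3_1' => true` does not set the class-internal `$fr_3_1`; the facts merge with `freeradius_version => '3.1.1'` is what makes this context work, so the `node_params` block should go. The commented `satisfy` block is not a usable fallback either: its regex ends in a stray `/` before the closing brace (`In the future/}`), so it would only match a message ending in a slash, and `resource_refs` would not carry a `warning()` message in any case. Remove it, or replace it with an assertion that actually exercises the warning branch, so the `fail()`/`warning()` split in `freeradius::sql` does not ship with only the happy path covered.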
......@@ -40,11 +40,15 @@ end
# Set up a default freeradius instance, so we can test other classes which
# require freeradius to exist first
#
# function warning() allows us to test for warnings being raised, by
# translating it to a notify - though this is not yet working
shared_context 'freeradius_default' do
let(:pre_condition) do
[
redhat_params_class,
'class { freeradius: }',
# 'function warning($message) { notify { "warning_test: ${message}": } }'
]
end
end
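Review bot: the commented-out `function warning($message)` stub, together with the "not yet working" remark above it, means every `warning()` call added to the ldap and sql defines in this PR is unverified by the suite. Either delete the dead line or track the gap in a follow-up issue referenced from the comment, rather than leaving a shadowing stub that a reader might assume is active; note too that shadowing a built-in with a Puppet-language `function` is itself the unproven part, so the follow-up should pick a supported way to assert on logged warnings.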
......
# -*- text -*-
#
# $Id$
# $Id: 1caff077b2429c948a04777fcd619be901ac83dc $
#
# This file defines a number of instances of the "attr_filter" module.
......
# File managed by puppet
##############################################################
# -*- text -*-
#
# $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $
# Write a detailed log of all accounting records received.
#
detail <%= @name %> {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
filename = <%= @filename %>
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
# filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
filename = <%= @filename %>
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
# escape_filenames = no
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = <%= @permissions %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
# permissions = 0600
permissions = <%= @permissions %>
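Review bot: the new template opens with `detail {` where the old one had `detail <%= @name %> {`. Since the rendered file is written to `mods-available/<name>`, dropping the instance name means every instance of the define that uses this template compiles to a module called `detail`, so a second instance (an accounting writer and a post-auth writer, say) becomes a duplicate module and any `sites-*` reference by `$name` stops resolving; keep `<%= @name %>` unless the define is single-instance by design. On the file-permissions point the copied upstream comment now makes explicit (`# permissions = 0600`), confirm that the define's default for `$permissions` is `0600`: the detail file carries per-user accounting records, and a looser module default would widen exposure without any change visible in this diff. `escape_filenames` likewise defaults to `no` upstream. The typo `handly` in the copied comment can stay, since the file mirrors the raddb original.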