Merge pull request #20 from djjudas21/freeradius3

Support for FreeRADIUS 3

README.md

@@ -16,9 +16,13 @@
        * [`freeradius::client`](#freeradiusclient)
        * [`freeradius::config`](#freeradiusconfig)
        * [`freeradius::dictionary`](#freeradiusdictionary)
+       * [`freeradius::home_server`](#freeradiushomeserver)
+       * [`freeradius::home_server_pool`](#freeradiushomeserverpool)
        * [`freeradius::instantiate`](#freeradiusinstantiate)
+       * [`freeradius::ldap`](#freeradiusldap)
        * [`freeradius::module`](#freeradiusmodule)
        * [`freeradius::policy`](#freeradiuspolicy)
+       * [`freeradius::realm`](#freeradiusrealm)
        * [`freeradius::site`](#freeradiussite)
        * [`freeradius::sql`](#freeradiussql)
        * [`freeradius::statusclient`](#freeradiusstatusclient)
@@ -29,9 +33,8 @@
 ## Overview
 
 This module installs and configures [FreeRADIUS](http://freeradius.org/) server
-on Linux. This module was written for use with FreeRADIUS 2.x and has not been
-tested with FreeRADIUS 3.x. It was designed with CentOS in mind but should
-work on other distributions.
+on Linux. It supports FreeRADIUS 2.x and 3.x. It was designed with CentOS in mind
+but should work on other distributions.
 
 ## Module Description
 
@@ -143,10 +146,22 @@ Whether the control socket should be read-only or read-write. Choose from `ro`,
 
 #### `freeradius::attr`
 
-Install arbitrary attribute filters from a flat file. These are installed in `/etc/raddb/attr.d`
+Install arbitrary attribute filters from a flat file. These are installed in an appropriate module config directory.
+The contents of the `attr_filter` module are automatically updated to reference the filters.
+
+##### `key`
+
+Specify a RADIUS attribute to be the key for this attribute filter. Enter only the string part of the name.
+
+##### `prefix`
+
+Specify the prefix for the attribute filter name before the dot, e.g. `filter.post_proxy`. This is usually set
+to `filter` on FR2 and `attr_filter` on FR3. Default: `filter`.
 
 ```puppet
 freeradius::attr { 'eduroamlocal':
+  key    => 'User-Name',
+  prefix => 'attr_filter',
   source => 'puppet:///modules/site_freeradius/eduroamlocal',
 }
 ```
@@ -258,6 +273,84 @@ freeradius::dictionary { 'mydict':
   source => 'puppet:///modules/site_freeradius/dictionary.mydict',
 }
 ```
+#### `freeradius::home_server`
+
+This section defines a "Home Server" which is another RADIUS server that gets sent proxied requests.
+
+##### `secret`
+
+The shared secret use to "encrypt" and "sign" packets between FreeRADIUS and the home server.
+
+##### `type`
+
+Home servers can be sent Access-Request packets or Accounting-Request packets. Allowed values are:
+* `auth` Handles Access-Request packets
+* `acct`  Handles Accounting-Request packets
+* `auth+acct` Handles Access-Request packets at "port" and Accounting-Request packets at "port + 1"
+* `coa` Handles CoA-Request and Disconnect-Request packets.
+
+Default: `auth`
+
+##### `ipaddr`
+
+IPv4 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`
+
+##### `ipv6addr`
+
+IPv6 address or hostname of the home server. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`
+
+##### `virtual_server`
+
+If you specify a virtual_server here, then requests will be proxied internally to that virtual server.
+These requests CANNOT be proxied again, however. The intent is to have the local server handle packets
+when all home servers are dead. Specify one of `ipaddr`, `ipv6addr` or `virtual_server`
+
+##### `port`
+
+The port to which packets are sent. Usually 1812 for type "auth", and  1813 for type "acct".
+Older servers may use 1645 and 1646. Use 3799 for type "coa" Default: `1812`
+
+##### `proto`
+The transport protocol. If unspecified, defaults to "udp", which is the traditional
+RADIUS transport. It may also be "tcp", in which case TCP will be used to talk to
+this home server. Default: `udp`
+
+
+#### `freeradius::home_server_pool`
+
+##### `home_server`
+
+An array of one or more home servers. The names of the home servers are NOT the hostnames, but the names
+of the sections. (e.g. `home_server foo {...}` has name "foo".
+
+Note that ALL home servers listed here have to be of the same type. i.e. they all have to be "auth", or they all have to
+be "acct", or they all have to be "auth+acct".
+
+
+##### `type`
+
+The type of this pool controls how home servers are chosen.
+
+* `fail-over` the request is sent to the first live home server in the list.  i.e. If the first home server is marked "dead", the second one is chosen, etc.
+* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. 
+* `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
+* `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
+* `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.
+
+The default type is `fail-over`.
+
+##### `virtual_server`
+
+A `virtual_server` may be specified here.  If so, the "pre-proxy" and "post-proxy" sections are called when
+the request is proxied, and when a response is received.
+
+##### `fallback`
+
+If ALL home servers are dead, then this "fallback" home server is used. If set, it takes precedence over any realm-based
+fallback, such as the DEFAULT realm.
+
+For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!
+
 
 #### `freeradius::instantiate`
 
@@ -267,6 +360,93 @@ Instantiate a module that is not automatically instantiated.
 freeradius::instantiate { 'mymodule': }
 ```
 
+#### `freeradius::ldap`
+
+Configure LDAP support for FreeRADIUS
+
+##### `identity`
+LDAP account for searching the directory. Required.
+
+##### `password`
+Password for the `identity` account. Required.
+
+##### `basedn`
+Unless overridden in another section, the dn from which all searches will start from. Required.
+
+##### `server`
+Hostname of IP address of the LDAP server. Note that this needs to match the name(s) in the LDAP server
+certificate, if you're using ldaps. Default: `localhost`
+
+##### `port`
+Port to connect to the LDAP server on. Default: `389`
+
+##### `uses`
+How many times the connection can be used before being re-established. This is useful for things
+like load balancers, which may exhibit sticky behaviour without it. `0` is unlimited. Default: `0`
+
+##### `idle`
+Sets the idle time before keepalive probes are sent. Default `60`
+
+This option may not be supported by your LDAP library. If this configuration entry appears in the
+output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.
+
+##### `probes`
+Sets the maximum number of keepalive probes TCP should send before dropping the connection. Default: `3`
+
+This option may not be supported by your LDAP library. If this configuration entry appears in the
+output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.
+
+##### `interval`
+Setss the interval in seconds between individual keepalive probes. Default: `3`
+
+This option may not be supported by your LDAP library. If this configuration entry appears in the
+output of `radiusd -X` then it is supported. Otherwise, it is unsupported and changing it will do nothing.
+
+##### `timeout`
+Number of seconds to wait for LDAP query to finish. Default: `10`
+
+##### `start`
+Connections to create during module instantiation. If the server cannot create specified number of
+connections during instantiation it will exit. Set to 0 to allow the server to start without the
+directory being available. This option only works with FR3; setting it on FR2 will have no effect.
+Default: `${thread[pool].start_servers}`
+
+##### `min`
+Minimum number of connections to keep open. This option only works with FR3; setting it on FR2 will have no effect.
+Default: `${thread[pool].min_spare_servers}`
+
+##### `max`
+Maximum number of connections. Default: `${thread[pool].max_servers}`
+
+##### `spare`
+Spare connections to be left idle. This option only works with FR3; setting it on FR2 will have no effect.
+Default: `${thread[pool].max_spare_servers}`
+
+##### `starttls`
+Set this to 'yes' to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation.
+The StartTLS operation is supposed to be used with normal ldap connections instead of using ldaps (port 636) connections
+
+Default: `no`
+
+##### `cafile`
+Path to CA cert file for TLS
+
+##### `certfile`
+Path to cert file for TLS
+
+##### `keyfile`
+Path to key file for TLS
+
+##### `requirecert`
+Certificate Verification requirements. Choose from:
+'never' (do not even bother trying)
+'allow' (try, but don't fail if the certificate cannot be verified)
+'demand' (fail if the certificate does not verify)
+'hard'  (similar to 'demand' but fails if TLS cannot negotiate)
+
+Default: `allow`
+
+
 #### `freeradius::module`
 
 Install a module from a flat file.
@@ -293,6 +473,37 @@ freeradius::policy { 'my-policies':
 }
 ```
 
+#### `freeradius::realm`
+
+Define a realm in `proxy.conf`. Realms point to pools of home servers.
+
+##### `virtual_server`
+
+Set this to "proxy" requests internally to a virtual server. The pre-proxy and post-proxy sections are run just as with any
+other kind of home server.  The virtual server then receives the request, and replies, just as with any other packet.
+Once proxied internally like this, the request CANNOT be proxied internally or externally.
+
+##### `auth_pool`
+
+For authentication, the `auth_pool` configuration item should point to a `home_server_pool` that was previously
+defined.  All of the home servers in the `auth_pool` must be of type `auth`.
+
+##### `acct_pool`
+
+For accounting, the `acct_pool` configuration item should point to a `home_server_pool` that was previously
+defined.  All of the home servers in the `acct_pool` must be of type `acct`.
+
+##### `pool`
+
+If you have a `home_server_pool` where all of the home servers are of type `auth+acct`, you can just use the `pool`
+configuration item, instead of specifying both `auth_pool` and `acct_pool`.
+
+##### `nostrip`
+
+Normally, when an incoming User-Name is matched against the realm, the realm name is "stripped" off, and the "stripped"
+user name is used to perform matches.If you do not want this to happen, set this to `true`. Default: `false`.
+
+
 #### `freeradius::script`
 
 Install a helper script, e.g. which might be called upon by a virtual server. These are
@@ -482,13 +693,9 @@ required. A short alias that is used in place of the IP address or fully qualifi
 
 ## Limitations
 
-This module is targeted at FreeRADIUS 2.x running on CentOS 6. It has not been tested
-on other distributions, but might work. Likely sticking points with other distros are
-the names of packages, services and file paths.
-
-This module has not been tested on FreeRADIUS 3.x and almost certainly won't work
-without modification. FreeRADIUS 3.x support in this module will come onto the roadmap
-at the same time that my employer decides to start looking FreeRADIUS 3.x.
+This module is targeted at FreeRADIUS 2.x running on CentOS 6 and FreeRADIUS 3.x running
+on CentOS 7. It has not been thoroughly tested on other distributions, but might work.
+Likely sticking points with other distros are the names of packages, services and file paths.
 
 This module was written for use with Puppet 3.6 and 3.7, but should be quite agnostic
 to new versions of Puppet.
@@ -500,6 +707,9 @@ use probably haven't been written. Please send pull requests with new features a
 bug fixes. You are also welcome to file issues but I make no guarantees of
 development effort if the features aren't useful to my employer.
 
+When contributing code, please ensure your change works on FreeRADIUS 2.x and 3.x - at
+least until this module drops support for 2.x.
+
 ## Release Notes
 
 ### 0.4.5

files/modules/always

-######################################################################
-######################################################################
-##   THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS!       ##
-######################################################################
-######################################################################
-
-
-# -*- text -*-
-#
-#  $Id$
-
-#
-# The "always" module is here for debugging purposes. Each
-# instance simply returns the same result, always, without
-# doing anything.
-always fail {
-        rcode = fail
-}
-always reject {
-        rcode = reject
-}
-always noop {
-        rcode = noop
-}
-always handled {
-        rcode = handled
-}
-always updated {
-        rcode = updated
-}
-always notfound {
-        rcode = notfound
-}
-always ok {
-        rcode = ok
-        simulcount = 0
-        mpp = no
-}
-always accept {
-        rcode = accept
-}
-

files/modules/detail

-######################################################################
-######################################################################
-##   THIS FILE IS MANAGED BY PUPPET. DO NOT MAKE LOCAL EDITS!       ##
-######################################################################
-######################################################################
-
-# This is the stock FreeRADIUS 'detail' log. We leave it unaltered
-# and instead make further instantiations that inherit from it and 
-# change parameters if necessary
-
-# -*- text -*-
-#
-#  $Id$
-
-# Write a detailed log of all accounting records received.
-#
-detail {
-	#  Note that we do NOT use NAS-IP-Address here, as
-	#  that attribute MAY BE from the originating NAS, and
-	#  NOT from the proxy which actually sent us the
-	#  request.
-	#
-	#  The following line creates a new detail file for
-	#  every radius client (by IP address or hostname).
-	#  In addition, a new detail file is created every
-	#  day, so that the detail file doesn't have to go
-	#  through a 'log rotation'
-	#
-	#  If your detail files are large, you may also want
-	#  to add a ':%H' (see doc/variables.txt) to the end
-	#  of it, to create a new detail file every hour, e.g.:
-	#
-	#   ..../detail-%Y%m%d:%H
-	#
-	#  This will create a new detail file for every hour.
-	#
-	#  If you are reading detail files via the "listen" section
-	#  (e.g. as in raddb/sites-available/robust-proxy-accounting),
-	#  you MUST use a unique directory for each combination of a
-	#  detail file writer, and reader.  That is, there can only
-	#  be ONE "listen" section reading detail files from a
-	#  particular directory.
-	#
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/detail.log
-
-	#
-	#  The Unix-style permissions on the 'detail' file.
-	#
-	#  The detail file often contains secret or private
-	#  information about users.  So by keeping the file
-	#  permissions restrictive, we can prevent unwanted
-	#  people from seeing that information.
-	detailperm = 0640
-
-	#
-	#  Every entry in the detail file has a header which
-	#  is a timestamp.  By default, we use the ctime
-	#  format (see "man ctime" for details).
-	#
-	#  The header can be customized by editing this
-	#  string.  See "doc/variables.txt" for a description
-	#  of what can be put here.
-	#
-	header = "%t"
-
-	#
-	#  Uncomment this line if the detail file reader will be
-	#  reading this detail file.
-	#
-#	locking = yes
-
-	#
-	#  Log the Packet src/dst IP/port.  This is disabled by
-	#  default, as that information isn't used by many people.
-	#
-#	log_packet_header = yes
-
-	#
-	# Certain attributes such as User-Password may be
-	# "sensitive", so they should not be printed in the
-	# detail file.  This section lists the attributes
-	# that should be suppressed.
-	#
-	# The attributes should be listed one to a line.
-	#
-	suppress {
-		User-Password
-	}
-}

files/modules/detail.log

-# -*- text -*-
-#
-#  $Id$
-
-#
-#  More examples of doing detail logs.
-
-#
-#  Many people want to log authentication requests.
-#  Rather than modifying the server core to print out more
-#  messages, we can use a different instance of the 'detail'
-#  module, to log the authentication requests to a file.
-#
-#  You will also need to un-comment the 'auth_log' line
-#  in the 'authorize' section, below.
-#
-detail auth_log-for-bsql {
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-bsql.log
-
-	#
-	#  This MUST be 0600, otherwise anyone can read
-	#  the users passwords!
-	detailperm = 0600
-	locking = yes
-
-	# You may also strip out passwords completely
-	suppress {
-		User-Password
-		EAP-Message
-		Framed-MTU
-		State
-		Message-Authenticator
-		Packet-Type
-		Proxy-State
-		Tunnel-Type
-		Tunnel-Medium-Type
-		Tunnel-Private-Group-Id
-	}
-}
-
-detail auth_log {
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
-
-	#  This MUST be 0600, otherwise anyone can read
-	#  the users passwords!
-	detailperm = 0600
-
-	# You may also strip out passwords completely
-	suppress {
-		User-Password
-	}
-
-	#  Log the Packet src/dst IP/port.  This is disabled by
-	#  default, as that information isn't used by many people.
-	log_packet_header = yes
-}
-
-# This is the same as the block above, except it allows passwords
-# # to be written to the log file
-detail auth_log_password {
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/auth-detail.log
-	detailperm = 0600
-}
-
-
-#  This module logs authentication reply packets sent
-#  to a NAS.  Both Access-Accept and Access-Reject packets
-#  are logged.
-#
-#  You will also need to un-comment the 'reply_log' line
-#  in the 'post-auth' section, below.
-#
-detail reply_log {
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-UNKNOWN}/reply-detail.log
-
-	detailperm = 0600
-}
-
-#
-#  This module logs packets proxied to a home server.
-#
-#  You will also need to un-comment the 'pre_proxy_log' line
-#  in the 'pre-proxy' section, below.
-#
-detail pre_proxy_log {
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/pre-proxy-detail.log
-
-	#
-	#  This MUST be 0600, otherwise anyone can read
-	#  the users passwords!
-	detailperm = 0600
-
-	# You may also strip out passwords completely
-	#suppress {
-		# User-Password
-	#}
-}
-
-#
-#  This module logs response packets from a home server.
-#
-#  You will also need to un-comment the 'post_proxy_log' line
-#  in the 'post-proxy' section, below.
-#
-detail post_proxy_log {
-	detailfile = ${radacctdir}/%{%{Virtual-Server}:-DEFAULT}/post-proxy-detail.log
-	detailperm = 0600
-}

lib/facter/freeradius_maj_version.rb

+# Grab the FreeRADIUS version from the output of radiusd -v
+if %x{which radiusd 2>/dev/null | wc -l}.chomp.to_i > 0
+  Facter.add(:freeradius_maj_version) do
+    setcode do
+      Facter::Core::Execution.exec('radiusd -v').split(/\n/)[0].match(/FreeRADIUS Version (\d)\.\d\.\d/)[1]
+    end
+  end
+end
+

manifests/attr.pp

@@ -2,19 +2,38 @@
 define freeradius::attr (
   $source,
   $ensure = present,
+  $key = 'User-Name',
+  $prefix = 'filter',
 ) {
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service
   $fr_basepath         = $::freeradius::params::fr_basepath
   $fr_group            = $::freeradius::params::fr_group
+  $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
+  $fr_modulepath       = $::freeradius::params::fr_modulepath
 
-  file { "${fr_basepath}/attr.d/${name}":
+  # Decide on location for attribute filters
+  $location = $::freeradius_maj_version ? {
+    2       => $fr_basepath,
+    3       => "$fr_moduleconfigpath/attr_filter",
+    default => $fr_moduleconfigpath,
+  }
+
+  # Install the attribute filter snippet
+  file { "${location}/${name}":
     ensure  => $ensure,
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
     source  => $source,
-    require => [File["${fr_basepath}/attr.d"], Package[$fr_package], Group[$fr_group]],
+    require => [Package[$fr_package], Group[$fr_group]],
     notify  => Service[$fr_service],
   }
+
+  # Reference all attribute snippets in one file
+  concat::fragment { "attr-${name}":
+    target  => "${fr_modulepath}/attr_filter",
+    content => template("freeradius/attr.fr${::freeradius_maj_version}.erb"),
+    order   => 20,
+  }
 }

manifests/client.pp

@@ -23,7 +23,7 @@ define freeradius::client (
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
-    content => template('freeradius/client.conf.erb'),
+    content => template("freeradius/client.conf.fr${::freeradius_maj_version}.erb"),
     require => [File["${fr_basepath}/clients.d"], Group[$fr_group]],
     notify  => Service[$fr_service],
   }

manifests/config.pp

@@ -6,17 +6,17 @@ define freeradius::config (
 ) {
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service
-  $fr_basepath = $::freeradius::params::fr_basepath
   $fr_group            = $::freeradius::params::fr_group
+  $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
 
-  file { "${fr_basepath}/conf.d/${name}":
+  file { "${fr_moduleconfigpath}/${name}":
     ensure  => $ensure,
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
     source  => $source,
     content => $content,
-    require => [File["${fr_basepath}/conf.d"], Package[$fr_package], Group[$fr_group]],
+    require => [Package[$fr_package], Group[$fr_group]],
     notify  => Service[$fr_service],
   }
 }

manifests/home_server.pp

+# Configure a home_server for proxy config
+define freeradius::home_server (
+  $secret,
+  $type = 'auth',
+  $ipaddr = '',
+  $ipv6addr = '',
+  $virtual_server = '',
+  $port = 1812,
+  $proto = 'udp',
+) {
+  $fr_basepath = $::freeradius::params::fr_basepath
+
+  # Validate multiple choice options
+  unless $type in ['auth', 'acct', 'auth+acct', 'coa'] {
+    fail('$type must be one of auth, acct, auth+acct, coa')
+  }
+  unless $proto in ['udp', 'tcp'] {
+    fail('$type must be one of udp, tcp')
+  }
+
+  # Validate integers
+  unless is_integer($port) {
+    fail('$port must be an integer')
+  }
+
+  # Configure config fragment for this home server
+  concat::fragment { "homeserver-${name}":
+    target  => "${fr_basepath}/proxy.conf",
+    content => template('freeradius/home_server.erb'),
+    order   => 10,
+  }
+}
+

manifests/home_server_pool.pp

+# Configure home server pools
+define freeradius::home_server_pool (
+  $home_server,
+  $type = 'fail-over',
+  $virtual_server = '',
+  $fallback = '',
+) {
+  $fr_basepath = $::freeradius::params::fr_basepath
+
+  # Validate multi-value options
+  unless $type in ['fail-over', 'load-balance', 'client-balance', 'client-port-balance', 'keyed-balance'] {
+    fail('$type must be one of fail-over, load-balance, client-balance, client-port-balance, keyed-balance')
+  }
+
+  # Configure config fragment for this home server
+  concat::fragment { "homeserverpool-${name}":
+    target  => "${fr_basepath}/proxy.conf",
+    content => template('freeradius/home_server_pool.erb'),
+    order   => 20,
+  }
+}
+

manifests/init.pp

@@ -21,7 +21,7 @@ class freeradius (
     mode    => '0640',
     owner   => 'root',
     group   => $freeradius::fr_group,
-    content => template('freeradius/radiusd.conf.erb'),
+    content => template("freeradius/radiusd.conf.fr${::freeradius_maj_version}.erb"),
     require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
     notify  => Service[$freeradius::fr_service],
   }
@@ -64,6 +64,12 @@ class freeradius (
     notify  => Service[$freeradius::fr_service],
   }
 
+  # Delete some modules which come bundled with the server that we
+  # know break functionality out of the box with this config
+  freeradius::module { 'eap':
+    ensure => absent,
+  }
+
   # Set up concat policy file, as there is only one global policy
   # We also add standard header and footer
   concat { "${freeradius::fr_basepath}/policy.conf":
@@ -71,6 +77,7 @@ class freeradius (
     group   => $freeradius::fr_group,
     mode    => '0640',
     require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
+    notify  => Service[$freeradius::fr_service],
   }
   concat::fragment { 'policy_header':
     target  => "${freeradius::fr_basepath}/policy.conf",
@@ -83,6 +90,31 @@ class freeradius (
     order   => '99',
   }
 
+  # Set up concat proxy file
+  concat { "${freeradius::fr_basepath}/proxy.conf":
+    owner   => 'root',
+    group   => $freeradius::fr_group,
+    mode    => '0640',
+    require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
+    notify  => Service[$freeradius::fr_service],
+  }
+
+  # Set up attribute filter file
+  concat { "${freeradius::fr_modulepath}/attr_filter":
+    owner   => 'root',
+    group   => $freeradius::fr_group,
+    mode    => '0640',
+    require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
+    notify  => Service[$freeradius::fr_service],
+  }
+
+  # Install default attribute filters
+  concat::fragment { "attr-default":
+    target  => "${fr_modulepath}/attr_filter",
+    content => template("freeradius/attr_default.fr${::freeradius_maj_version}.erb"),
+    order   => 10,
+  }
+
   # Install a slightly tweaked stock dictionary that includes
   # our custom dictionaries
   concat { "${freeradius::fr_basepath}/dictionary":
@@ -166,15 +198,11 @@ class freeradius (
   }
 
   # Install a few modules required on all FR installations
-  freeradius::module  { 'always':
-    source  => 'puppet:///modules/freeradius/modules/always',
-  }
-  freeradius::module { 'detail':
-    source  => 'puppet:///modules/freeradius/modules/detail',
-  }
-  freeradius::module { 'detail.log':
-    source  => 'puppet:///modules/freeradius/modules/detail.log',
-  }
+  # No content is specified, so we accept the package manager default
+  # Defining them here prevents them from being purged
+  freeradius::module  { 'always': }
+  freeradius::module { 'detail': }
+  freeradius::module { 'detail.log': }
 
   # Syslog rules
   if $syslog == true {
@@ -268,7 +296,6 @@ class freeradius (
   file { [
     "${freeradius::fr_basepath}/sites-available/default",
     "${freeradius::fr_basepath}/sites-available/inner-tunnel",
-    "${freeradius::fr_basepath}/proxy.conf",
     "${freeradius::fr_basepath}/clients.conf",
     "${freeradius::fr_basepath}/sql.conf",
   ]:

manifests/ldap.pp

+# Configure LDAP support for FreeRADIUS
+define freeradius::ldap (
+  $identity,
+  $password,
+  $basedn,
+  $server      = 'localhost',
+  $port        = 389,
+  $uses        = 0,
+  $idle        = 60,
+  $probes      = 3,
+  $interval    = 3,
+  $timeout     = 10,
+  $start       = '${thread[pool].start_servers}',
+  $min         = '${thread[pool].min_spare_servers}',
+  $max         = '${thread[pool].max_servers}',
+  $spare       = '${thread[pool].max_spare_servers}',
+  $ensure      = 'present',
+  $starttls    = 'no',
+  $cafile      = '',
+  $certfile    = '',
+  $keyfile     = '',
+  $requirecert = 'allow',
+) {
+  $fr_package          = $::freeradius::params::fr_package
+  $fr_service          = $::freeradius::params::fr_service
+  $fr_modulepath       = $::freeradius::params::fr_modulepath
+  $fr_group            = $::freeradius::params::fr_group
+
+  # Validate our inputs
+  # Hostnames
+  unless (is_domain_name($server) or is_ip_address($server)) {
+    fail('$server must be a valid hostname or IP address')
+  }
+
+  # Fake booleans (FR uses yes/no instead of true/false)
+  unless $starttls in ['yes', 'no'] {
+    fail('$starttls must be yes or no')
+  }
+
+  # Validate multiple choice options
+  unless $requirecert in ['never', 'allow', 'demand', 'hard'] {
+    fail('$requirecert must be one of never, allow, demand, hard')
+  }
+
+  # Validate integers
+  unless is_integer($port) {
+    fail('$port must be an integer')
+  }
+  unless is_integer($uses) {
+    fail('$uses must be an integer')
+  }
+  unless is_integer($idle) {
+    fail('$idle must be an integer')
+  }
+  unless is_integer($probes) {
+    fail('$probes must be an integer')
+  }
+  unless is_integer($interval) {
+    fail('$interval must be an integer')
+  }
+  unless is_integer($timeout) {
+    fail('$timeout must be an integer')
+  }
+
+  # Generate a module config, based on ldap.conf
+  file { "${fr_modulepath}/${name}":
+    ensure  => $ensure,
+    mode    => '0640',
+    owner   => 'root',
+    group   => $fr_group,
+    content => template("freeradius/ldap.fr${::freeradius_maj_version}.erb"),
+    require => [Package[$fr_package], Group[$fr_group]],
+    notify  => Service[$fr_service],
+  }
+}

manifests/module.pp

@@ -6,10 +6,10 @@ define freeradius::module (
 ) {
   $fr_package  = $::freeradius::params::fr_package
   $fr_service  = $::freeradius::params::fr_service
-  $fr_basepath = $::freeradius::params::fr_basepath
+  $fr_modulepath = $::freeradius::params::fr_modulepath
   $fr_group    = $::freeradius::params::fr_group
 
-  file { "${fr_basepath}/modules/${name}":
+  file { "${fr_modulepath}/${name}":
     ensure  => $ensure,
     mode    => '0640',
     owner   => 'root',

manifests/params.pp

@@ -36,6 +36,26 @@ class freeradius::params {
     default  => '/etc/raddb',
   }
 
+  # Default module dir
+  $fr_moduledir = $::freeradius_version ? {
+    /^2\./    => 'modules',
+    /^3\./    => 'mods-enabled',
+    default   => 'modules',
+  }
+
+  # Default module path
+  $fr_modulepath = "${fr_basepath}/${fr_moduledir}"
+
+  # Default module config dir
+  $fr_modconfigdir = $::freeradius_version ? {
+    /^2\./    => 'conf.d',
+    /^3\./    => 'mods-config',
+    default   => 'conf.d',
+  }
+
+  # Default module config path
+  $fr_moduleconfigpath = "${fr_basepath}/${fr_modconfigdir}"
+
   # Path for FreeRADIUS logs
   $fr_logpath = $::osfamily ? {
     'RedHat' => '/var/log/radius',

manifests/realm.pp

+# Set up proxy realms
+define freeradius::realm (
+  $virtual_server = '',
+  $auth_pool = '',
+  $acct_pool = '',
+  $pool = '',
+  $nostrip = false,
+) {
+  $fr_basepath = $::freeradius::params::fr_basepath
+
+  # Validate bools
+  unless is_bool($nostrip) {
+    fail('nostrip must be true or false')
+  }
+
+  # Configure config fragment for this realm
+  concat::fragment { "realm-${name}":
+    target  => "${fr_basepath}/proxy.conf",
+    content => template('freeradius/realm.erb'),
+    order   => 30,
+  }
+}

manifests/sql.pp

@@ -31,7 +31,10 @@ define freeradius::sql (
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service
   $fr_basepath         = $::freeradius::params::fr_basepath
+  $fr_modulepath       = $::freeradius::params::fr_modulepath
   $fr_group            = $::freeradius::params::fr_group
+  $fr_logpath          = $::freeradius::params::fr_logpath
+  $fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
 
   # Validate our inputs
   # Validate multiple choice options
@@ -75,34 +78,37 @@ define freeradius::sql (
     fail('$readclients must be yes or no')
   }
 
-  # Generate a module config, based on sql.conf
-  file { "${fr_basepath}/modules/${name}":
-    ensure  => $ensure,
-    mode    => '0640',
-    owner   => 'root',
-    group   => $fr_group,
-    content => template('freeradius/sql.conf.erb'),
-    require => [Package[$fr_package], Group[$fr_group]],
-    notify  => Service[$fr_service],
+  # Determine default location of query file
+  $queryfile = $::freeradius_version ? {
+    /^2\./  => "${fr_basepath}/sql/${database}/dialup.conf",
+    /^3\./  => "${fr_basepath}/sql/queries.conf",
+    default => "${fr_basepath}/sql/queries.conf",
   }
 
   # Install custom query file
-  if ($custom_query_file) {
-    file { "${fr_basepath}/sql/${database}/dialup.conf":
+  if ($custom_query_file != '') {
+    $custom_query_file_path = "${fr_moduleconfigpath}/${name}-queries.conf"
+
+    ::freeradius::config { "${name}-queries.conf":
+      source => $custom_query_file,
+    }
+  }
+
+  # Generate a module config, based on sql.conf
+  file { "${fr_modulepath}/${name}":
     ensure  => $ensure,
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
-      source  => $custom_query_file,
+    content => template("freeradius/sql.conf.fr${::freeradius_maj_version}.erb"),
     require => [Package[$fr_package], Group[$fr_group]],
     notify  => Service[$fr_service],
   }
-  }
 
   # Install rotation for sqltrace if we are using it
   if ($sqltrace == 'yes') {
     logrotate::rule { 'sqltrace':
-      path         => "{$freeradius::fr_logpath}/${sqltracefile}",
+      path         => "${fr_logpath}/${sqltracefile}",
       rotate_every => 'week',
       rotate       => 1,
       create       => true,

manifests/statusclient.pp

@@ -18,7 +18,7 @@ define freeradius::statusclient (
     mode    => '0640',
     owner   => 'root',
     group   => $fr_group,
-    content => template('freeradius/client.conf.erb'),
+    content => template("freeradius/client.conf.fr${::freeradius_maj_version}.erb"),
     require => [File["${fr_basepath}/clients.d"], Package[$fr_package], Group[$fr_group]],
     notify  => Service[$fr_service],
   }

templates/attr.fr2.erb

+attr_filter <%= @prefix %>.<%= @name %> {
+       key = %{<%= @key %>}
+       attrsfile = ${confdir}/attr.d/<%= @name %>
+}
+

templates/attr.fr3.erb

+attr_filter <%= @prefix %>.<%= @name %> {
+	key = "%{<%= @key %>}"
+	filename = ${modconfdir}/${.:name}/<%= @name %>
+}
+

templates/attr_default.fr2.erb

+# -*- text -*-
+#
+#  $Id$
+
+#
+#  This file defines a number of instances of the "attr_filter" module.
+#
+
+# attr_filter - filters the attributes received in replies from
+# proxied servers, to make sure we send back to our RADIUS client
+# only allowed attributes.
+attr_filter attr_filter.post-proxy {
+	attrsfile = ${confdir}/attrs
+}
+
+# attr_filter - filters the attributes in the packets we send to
+# the RADIUS home servers.
+attr_filter attr_filter.pre-proxy {
+	attrsfile = ${confdir}/attrs.pre-proxy
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_reject {
+	key = %{User-Name}
+	attrsfile = ${confdir}/attrs.access_reject
+}
+
+# Enforce RFC requirements on the contents of Access-Reject
+# packets.  See the comments at the top of the file for
+# more details.
+#
+attr_filter attr_filter.access_challenge {
+	key = %{User-Name}
+	attrsfile = ${confdir}/attrs.access_challenge
+}
+
+
+#  Enforce RFC requirements on the contents of the
+#  Accounting-Response packets.  See the comments at the
+#  top of the file for more details.
+#
+attr_filter attr_filter.accounting_response {
+	key = %{User-Name}
+	attrsfile = ${confdir}/attrs.accounting_response
+}