Commit 9693ff67 authored by Jonathan's avatar Jonathan

Merge pull request #31 from djjudas21/drop_support_for_fr2

Drop support for FR2
parents 3fccbcc3 fe171478
......@@ -34,9 +34,15 @@
## Overview
This module installs and configures [FreeRADIUS](http://freeradius.org/) server
on Linux. It supports FreeRADIUS 2.x and 3.x. It was designed with CentOS in mind
on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
but should work on other distributions.
| `jgazeley/freeradius` | FreeRADIUS |
| --------------------- | ----------- |
| 2.x | 3.x |
| 1.x | 2.x and 3.x |
| 0.x | 2.x |
## Module Description
This module installs FreeRADIUS from a distro-provided package and installs a
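Review bot: the new `2.x | 3.x` row in the compatibility table is the only place this hunk signals that dropping FreeRADIUS 2.x is a major-version change; the Overview sentence "It supports FreeRADIUS 3.x only" would be clearer with the module release it applies from (e.g. "from module version 2.0.0"), so users pinned to 1.x understand why their FR2 hosts still work.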
......@@ -224,20 +230,7 @@ freeradius::client { "wlan-controller01":
```
```puppet
# Range example on FreeRADIUS 2
freeradius::client { "wlan-controllers":
ip => '192.168.0.0',
netmask => '24',
secret => 'testing123',
shortname => 'wlc01',
nastype => 'other',
port => '1645-1646',
firewall => true,
}
```
```puppet
# Range example in FreeRADIUS 3
# Range example
freeradius::client { "wlan-controllers":
ip => '192.168.0.0/24',
secret => 'testing123',
......@@ -249,14 +242,11 @@ freeradius::client { "wlan-controllers":
```
##### `ip`
The IP address of the client or range. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
On FreeRADIUS 2, specify the netmask separately. On FreeRADIUS 3, set `ip` in CIDR format. Default: `undef`.
The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
Default: `undef`.
##### `ip6`
The IPv6 address of the client or range in CIDR notation. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
##### `netmask`
The netmask of the client, specified as an integer, e.g. `24`. Only to be set on FreeRADIUS 2. Default: `undef`.
The IPv6 address of the client or range in CIDR format. `ip` and `ip6` are mutually exclusive but one must be supplied. Default: `undef`.
##### `shortname`
A short alias that is used in place of the IP address or fully qualified hostname provided in the first line of the section. Required.
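Review bot: the rewritten `ip` description still says "For IPv6, use `ipv6addr`", but the Puppet parameter documented directly below is `ip6`; `ipv6addr` is the key emitted into `clients.conf`, not something a caller of `freeradius::client` can set. Suggest "For IPv6, use `ip6`." so the sentence matches the "`ip` and `ip6` are mutually exclusive" clause that follows it.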
......@@ -436,19 +426,16 @@ Number of seconds to wait for LDAP query to finish. Default: `10`
##### `start`
Connections to create during module instantiation. If the server cannot create specified number of
connections during instantiation it will exit. Set to 0 to allow the server to start without the
directory being available. This option only works with FR3; setting it on FR2 will have no effect.
Default: `${thread[pool].start_servers}`
directory being available. Default: `${thread[pool].start_servers}`
##### `min`
Minimum number of connections to keep open. This option only works with FR3; setting it on FR2 will have no effect.
Default: `${thread[pool].min_spare_servers}`
Minimum number of connections to keep open. Default: `${thread[pool].min_spare_servers}`
##### `max`
Maximum number of connections. Default: `${thread[pool].max_servers}`
##### `spare`
Spare connections to be left idle. This option only works with FR3; setting it on FR2 will have no effect.
Default: `${thread[pool].max_spare_servers}`
Spare connections to be left idle. Default: `${thread[pool].max_spare_servers}`
##### `starttls`
Set this to 'yes' to use TLS encrypted connections to the LDAP database by using the StartTLS extended operation.
......@@ -704,10 +691,10 @@ Define RADIUS clients, specifically to connect to the status server for monitori
Very similar usage to `freeradius::client` but with fewer options.
##### `ip`
Default: `undef`. The IP address of the client. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
Default: `undef`. The IP address of the client in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
##### `ip6`
Default: `undef`. The IPv6 address of the client. `ip` and `ip6` are mutually exclusive but one must be supplied.
Default: `undef`. The IPv6 address of the client in CIDR format. `ip` and `ip6` are mutually exclusive but one must be supplied.
##### `secret`
required. The RADIUS shared secret used for communication between the client/NAS and the RADIUS server.
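Review bot: same mismatch as in the `freeradius::client` docs: the `ip` text for `freeradius::statusclient` points IPv6 users at `ipv6addr`, while the parameter it goes on to describe is `ip6`. While touching this block, the unchanged `secret` line starts with a lowercase "required." where the other parameters use "Required." or "Default:".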
......@@ -732,9 +719,10 @@ Provide content of template item. Specify only one of `source` or `content`.
## Limitations
This module is targeted at FreeRADIUS 2.x running on CentOS 6 and FreeRADIUS 3.x running
on CentOS 7. It has not been thoroughly tested on other distributions, but might work.
Likely sticking points with other distros are the names of packages, services and file paths.
This module is targeted at FreeRADIUS 3.x running on CentOS 7. It will not work on
FreeRADIUS 2.x. It has not been thoroughly tested on other distributions, but
might work. Likely sticking points with other distros are the names of packages,
services and file paths.
This module was written for use with Puppet 3.6 and 3.7, but should be quite agnostic
to new versions of Puppet.
......@@ -746,9 +734,6 @@ use probably haven't been written. Please send pull requests with new features a
bug fixes. You are also welcome to file issues but I make no guarantees of
development effort if the features aren't useful to my employer.
When contributing code, please ensure your change works on FreeRADIUS 2.x and 3.x - at
least until this module drops support for 2.x.
## Release Notes
### 1.3.0
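Review bot: the contributing note about keeping changes working on 2.x is removed, but the Release Notes section still tops out at `### 1.3.0` and carries no entry for the release that drops FreeRADIUS 2.x. Add a release-notes entry for the new major version listing the breaking changes visible in this PR: FR2 templates removed, `netmask` parameter removed from `freeradius::client` and `freeradius::statusclient`, and the `freeradius` class now failing on `fr_version != 3`.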
......
......@@ -11,17 +11,9 @@ define freeradius::attr (
$fr_group = $::freeradius::params::fr_group
$fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
$fr_modulepath = $::freeradius::params::fr_modulepath
$fr_version = $::freeradius::params::fr_version
# Decide on location for attribute filters
$location = $fr_version ? {
2 => $fr_basepath,
3 => "${fr_moduleconfigpath}/attr_filter",
default => $fr_moduleconfigpath,
}
# Install the attribute filter snippet
file { "${location}/${name}":
file { "${fr_moduleconfigpath}/attr_filter/${name}":
ensure => $ensure,
mode => '0640',
owner => 'root',
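Review bot: the removed `$location` selector was the only place in this hunk that referenced `$fr_basepath`; if `$fr_basepath` is still assigned from `$::freeradius::params::fr_basepath` above the visible context, it is now an unused local in `freeradius::attr` and can be dropped along with `$fr_version`.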
......@@ -34,7 +26,7 @@ define freeradius::attr (
# Reference all attribute snippets in one file
concat::fragment { "attr-${name}":
target => "${fr_modulepath}/attr_filter",
content => template("freeradius/attr.fr${fr_version}.erb"),
content => template('freeradius/attr.erb'),
order => 20,
}
}
......@@ -6,7 +6,6 @@ define freeradius::client (
$ip6 = undef,
$virtual_server = undef,
$nastype = undef,
$netmask = undef,
$redirect = undef,
$port = undef,
$srcip = undef,
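Review bot: removing the `$netmask` parameter outright means any existing manifest that passes `netmask =>` to `freeradius::client` will stop compiling with an invalid-parameter error rather than a message explaining the move to CIDR. Consider keeping `$netmask = undef` for one release and calling `fail()` with the same "use CIDR notation instead" wording the old `warning()` used, so the migration path is obvious from the error.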
......@@ -17,29 +16,13 @@ define freeradius::client (
$fr_service = $::freeradius::params::fr_service
$fr_basepath = $::freeradius::params::fr_basepath
$fr_group = $::freeradius::params::fr_group
$fr_version = $::freeradius::params::fr_version
# Calculate CIDR format IP now that FreeRADIUS has obsoleted use of separate netmask.
# This workaround means no syntax change is necessary, although we print a warning.
$cidr = $netmask ? {
undef => $ip,
default => "${ip}/${netmask}",
}
$cidr6 = $netmask ? {
undef => $ip6,
default => "${ip6}/${netmask}",
}
if ($netmask and $fr_version == 3) {
warning("netmask field found in client ${shortname} is deprecated, use CIDR notation instead. Please fix your configuration.")
}
file { "${fr_basepath}/clients.d/${shortname}.conf":
ensure => $ensure,
mode => '0640',
owner => 'root',
group => $fr_group,
content => template("freeradius/client.conf.fr${fr_version}.erb"),
content => template('freeradius/client.conf.erb'),
require => [File["${fr_basepath}/clients.d"], Group[$fr_group]],
notify => Service[$fr_service],
}
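Review bot: with the `$cidr` computation and its deprecation warning gone, `$ip` and `$ip6` are passed straight into the template and the firewall rule with no format check; a value such as `'192.168.0.0'` with a separately intended `/24` now silently becomes a single-host client. Suggest validating the parameters here (for example a `validate_re` on an address-with-optional-prefix pattern, or at minimum a `fail()` when both are unset), so a bad value fails at catalog compile time instead of at `radiusd` start.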
......@@ -51,7 +34,7 @@ define freeradius::client (
proto => 'udp',
dport => $port,
action => 'accept',
source => $cidr,
source => $ip,
}
} elsif $ip6 {
firewall { "100-${shortname}-${port}-v6":
......@@ -59,7 +42,7 @@ define freeradius::client (
dport => $port,
action => 'accept',
provider => 'ip6tables',
source => $cidr6,
source => $ip6,
}
}
} else {
......
......@@ -12,6 +12,10 @@ class freeradius (
$syslog = false,
) inherits freeradius::params {
if ($freeradius::fr_version != 3) {
fail('This module is only compatible with FreeRADIUS 3')
}
if $control_socket == true {
warning('Use of the control_socket parameter in the freeradius class is deprecated. Please use the freeradius::control_socket class instead.')
}
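Review bot: the new guard compares `$freeradius::fr_version` against the integer `3`, while the code this PR deletes was inconsistent about the type: `freeradius::attr` matched integers `2`/`3` and `freeradius::sql` matched the strings `'2'`/`'3'`. If `fr_version` comes from a fact as a string, `'3' != 3` behaves differently between Puppet 3 (which the README targets) and Puppet 4+, so please confirm how `params.pp` sets it and compare against the matching type, or normalise it to a string and compare with `'3'`.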
......@@ -21,7 +25,7 @@ class freeradius (
mode => '0640',
owner => 'root',
group => $freeradius::fr_group,
content => template("freeradius/radiusd.conf.fr${freeradius::fr_version}.erb"),
content => template('freeradius/radiusd.conf.erb'),
require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
notify => Service[$freeradius::fr_service],
}
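Review bot: this hunk switches to `template('freeradius/radiusd.conf.erb')`, and the other defines do the same for `attr.erb`, `client.conf.erb`, `ldap.erb` and `sql.conf.erb`, but the diff only shows the `*.fr2.erb` files being deleted; the corresponding `*.fr3.erb` to `*.erb` renames are not visible here. Please confirm the renamed templates are part of this merge, otherwise every catalog will fail with a missing template.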
......@@ -134,9 +138,9 @@ class freeradius (
}
# Install default attribute filters
concat::fragment { "attr-default":
concat::fragment { 'attr-default':
target => "${freeradius::fr_modulepath}/attr_filter",
content => template("freeradius/attr_default.fr${freeradius::fr_version}.erb"),
content => template('freeradius/attr_default.erb'),
order => 10,
}
......
......@@ -25,7 +25,6 @@ define freeradius::ldap (
$fr_service = $::freeradius::params::fr_service
$fr_modulepath = $::freeradius::params::fr_modulepath
$fr_group = $::freeradius::params::fr_group
$fr_version = $::freeradius::params::fr_version
# Validate our inputs
# Hostnames
......@@ -70,7 +69,7 @@ define freeradius::ldap (
mode => '0640',
owner => 'root',
group => $fr_group,
content => template("freeradius/ldap.fr${fr_version}.erb"),
content => template('freeradius/ldap.erb'),
require => [Package[$fr_package], Group[$fr_group]],
notify => Service[$fr_service],
}
......
......@@ -6,7 +6,7 @@ define freeradius::sql (
$login = 'radius',
$radius_db = 'radius',
$num_sql_socks = '${thread[pool].max_servers}',
$query_file = 'sql/${database}/dialup.conf',
$query_file = 'sql/${database}/queries.conf',
$custom_query_file = '',
$lifetime = '0',
$max_queries = '0',
......@@ -35,7 +35,6 @@ define freeradius::sql (
$fr_group = $::freeradius::params::fr_group
$fr_logpath = $::freeradius::params::fr_logpath
$fr_moduleconfigpath = $::freeradius::params::fr_moduleconfigpath
$fr_version = $::freeradius::params::fr_version
# Validate our inputs
# Validate multiple choice options
......@@ -80,11 +79,7 @@ define freeradius::sql (
}
# Determine default location of query file
$queryfile = $fr_version ? {
'2' => "${fr_basepath}/sql/${database}/dialup.conf",
'3' => "${fr_basepath}/sql/queries.conf",
default => "${fr_basepath}/sql/queries.conf",
}
$queryfile = "${fr_basepath}/sql/queries.conf"
# Install custom query file
if ($custom_query_file != '') {
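Review bot: the `$query_file` default in the first hunk becomes `'sql/${database}/queries.conf'` (single-quoted, so `${database}` is left for FreeRADIUS to expand), but the `$queryfile` computed here is `"${fr_basepath}/sql/queries.conf"` with no `${database}` component. These two values should describe the same location under the FreeRADIUS 3 layout; if the per-database subdirectory is intended, `$queryfile` needs it too, and if not, the parameter default should drop it.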
......@@ -101,7 +96,7 @@ define freeradius::sql (
mode => '0640',
owner => 'root',
group => $fr_group,
content => template("freeradius/sql.conf.fr${fr_version}.erb"),
content => template('freeradius/sql.conf.erb'),
require => [Package[$fr_package], Group[$fr_group]],
notify => Service[$fr_service],
}
......
......@@ -5,34 +5,19 @@ define freeradius::statusclient (
$ip6 = undef,
$port = undef,
$shortname = $name,
$netmask = undef,
$ensure = present,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
$fr_basepath = $::freeradius::params::fr_basepath
$fr_group = $::freeradius::params::fr_group
$fr_version = $::freeradius::params::fr_version
$cidr = $netmask ? {
undef => $ip,
default => "${ip}/${netmask}",
}
$cidr6 = $netmask ? {
undef => $ip6,
default => "${ip6}/${netmask}",
}
if ($netmask and $fr_version == 3) {
warning("netmask field found in client ${shortname} is deprecated, use CIDR notation instead. Please fix your configuration.")
}
file { "${fr_basepath}/statusclients.d/${name}.conf":
ensure => $ensure,
mode => '0640',
owner => 'root',
group => $fr_group,
content => template("freeradius/client.conf.fr${fr_version}.erb"),
content => template('freeradius/client.conf.erb'),
require => [File["${fr_basepath}/clients.d"], Package[$fr_package], Group[$fr_group]],
notify => Service[$fr_service],
}
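Review bot: the `file` resource writes to `${fr_basepath}/statusclients.d/${name}.conf` but its `require` still lists `File["${fr_basepath}/clients.d"]`; nothing in this hunk orders the `statusclients.d` directory before the file, so catalog application can fail on a fresh host if that directory is managed elsewhere. The same compatibility concern raised for `freeradius::client` applies here: dropping `$netmask` turns any `netmask =>` caller into a compile error without a hint about CIDR.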
......
attr_filter <%= @prefix %>.<%= @name %> {
key = %{<%= @key %>}
attrsfile = ${confdir}/attr.d/<%= @name %>
}
# -*- text -*-
#
# $Id$
#
# This file defines a number of instances of the "attr_filter" module.
#
# attr_filter - filters the attributes received in replies from
# proxied servers, to make sure we send back to our RADIUS client
# only allowed attributes.
attr_filter attr_filter.post-proxy {
attrsfile = ${confdir}/attrs
}
# attr_filter - filters the attributes in the packets we send to
# the RADIUS home servers.
attr_filter attr_filter.pre-proxy {
attrsfile = ${confdir}/attrs.pre-proxy
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_reject {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_reject
}
# Enforce RFC requirements on the contents of Access-Reject
# packets. See the comments at the top of the file for
# more details.
#
attr_filter attr_filter.access_challenge {
key = %{User-Name}
attrsfile = ${confdir}/attrs.access_challenge
}
# Enforce RFC requirements on the contents of the
# Accounting-Response packets. See the comments at the
# top of the file for more details.
#
attr_filter attr_filter.accounting_response {
key = %{User-Name}
attrsfile = ${confdir}/attrs.accounting_response
}
client <%= @shortname %> {
<% if @ip %>ipaddr = <%= @cidr %><% end %>
<% if @ip6 %>ipv6addr = <%= @cidr6 %><% end %>
<% if @ip %>ipaddr = <%= @ip %><% end %>
<% if @ip6 %>ipv6addr = <%= @ip6 %><% end %>
shortname = <%= @shortname %>
secret = "<%= @secret %>"
<% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %>
......
client <%= @shortname %> {
<% if @ip %>ipaddr = <%= @ip %><% end %>
<% if @ip6 %>ipv6addr = <%= @ip6 %><% end %>
<% if @netmask %>netmask = <%= @netmask %><% end %>
shortname = <%= @shortname %>
secret = "<%= @secret %>"
<% if @virtual_server %>virtual_server = <%= @virtual_server %><% end %>
<% if @nastype %>nastype = <%= @nastype %><% end %>
require_message_authenticator = no
}
# -*- text -*-
#
# $Id$
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap <%= @name %> {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
<% @serverarray.each do |srv| -%> server = "<%= srv %>"
<% end -%>
identity = "<%= @identity %>"
password = <%= @password %>
basedn = "<%= @basedn %>"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = <%= @max %>
# How many times the connection can be used before
# being re-established. This is useful for things
# like load balancers, which may exhibit sticky
# behaviour without it. (0) is unlimited.
max_uses = <%= @uses %>
# Port to connect on, defaults to 389. Setting this to
# 636 will enable LDAPS if start_tls (see below) is not
# able to be used.
port = <%= @port %>
# seconds to wait for LDAP query to finish. default: 20
timeout = <%= @timeout %>
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = <%= @starttls %>
<% if @cafile -%> cacertfile = <%= @cafile %><% end %>
# cacertdir = /path/to/ca/dir/
<% if @certfile -%> certfile = <%= @certfile %><% end %>
<% if @keyfile -%> keyfile = <%= @keyfile %><% end %>
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
require_cert = "<%= @requirecert %>"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
chase_referrals = yes
rebind = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
#
# Keepalive configuration. This MAY NOT be supported by your
# LDAP library. If these configuration entries appear in the
# output of "radiusd -X", then they are supported. Otherwise,
# they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = <%= @idle %>
# LDAP_OPT_X_KEEPALIVE_PROBES
probes = <%= @probes %>
# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = <%= @interval %>
}
}
# -*- text -*-
##
## sql.conf -- SQL modules
##
## $Id$
sql <%= @name %> {
# Set the database to one of: mysql, mssql, oracle, postgresql
database = "<%= @database %>"
# Which FreeRADIUS driver to use.
driver = "rlm_sql_${database}"
# Connection info:
server = "<%= @server %>"
port = "<%= @port %>"
login = "<%= @login %>"
password = "<%= @password %>"
# Database table configuration for everything except Oracle
radius_db = "<%= @radius_db %>"
# If you want both stop and start records logged to the
# same SQL table, leave this as is. If you want them in
# different tables, put the start table in acct_table1
# and stop table in acct_table2