Revert "Remove FreeRADIUS v3.1.x options"

This reverts commit 7d005aa0.

README.md

@@ -46,7 +46,7 @@
 
 This module installs and configures [FreeRADIUS](http://freeradius.org/) server
 on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
-but should work on other distributions.
+but should work on other distributions. 
 
 This module requires Puppet 4.0.0 or greater. Puppet 3.x was
 [discontinued](https://puppet.com/misc/puppet-enterprise-lifecycle) at
@@ -444,7 +444,7 @@ be "acct", or they all have to be "auth+acct".
 The type of this pool controls how home servers are chosen.
 
 * `fail-over` the request is sent to the first live home server in the list.  i.e. If the first home server is marked "dead", the second one is chosen, etc.
-* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network.
+* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. 
 * `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
 * `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
 * `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.
@@ -632,6 +632,12 @@ With `rebind` control whether the server follows references returned by LDAP dir
 ##### `rebind`
 With `chase_referrals` control whether the server follows references returned by LDAP directory. Mostly used for AD compatibility. Default: `yes`.
 
+##### `use_referral_credentials`
+On rebind, use the credentials from the rebind url instead of admin credentials. Default: `no`.
+
+##### `session_tracking`
+If `yes`, then include draft-wahl-ldap-session tracking controls. Default: `undef`.
+
 ##### `uses`
 How many times the connection can be used before being re-established. This is useful for things
 like load balancers, which may exhibit sticky behaviour without it. `0` is unlimited. Default: `0`
@@ -645,6 +651,9 @@ The lifetime (in seconds) of the connection. Default: `0` (forever).
 ##### `idle_timeout`
 Idle timeout (in seconds). A connection which is unused for this length of time will be closed. Default: `60`.
 
+##### `connect_timeout`
+Connection timeout (in seconds). The maximum amount of time to wait for a new connection to be established. Default: `3.0`.
+
 ##### `idle`
 Sets the idle time before keepalive probes are sent. Default `60`
 
@@ -1406,7 +1415,7 @@ Default: `radius`. Name of the database. Normally you should leave this alone. I
 
 ##### `num_sql_socks`
 
-Default: same as `max_servers`. Number of sql connections to make to the database server.
+Default: same as `max_servers`. Number of sql connections to make to the database server. 
 Setting this to LESS than the number of threads means that some threads may starve, and
 you will see errors like "No connections available and at max connection limit". Setting
 this to MORE than the number of threads means that there are more connections than necessary.
@@ -1523,6 +1532,11 @@ Spare connections to be left idle. Default: 1.
 Idle timeout (in seconds). A connection which is unused for this length of time will
 be closed. Default: 60.
 
+##### `pool_connect_timeout`
+
+Connection timeout (in seconds). The maximum amount of time to wait for a new
+connection to be established. Default: '3.0'.
+
 #### `freeradius::statusclient`
 
 Define RADIUS clients, specifically to connect to the status server for monitoring.

manifests/module/ldap.pp

@@ -38,6 +38,8 @@ define freeradius::module::ldap (
   Optional[Enum['never','searching','finding','always']] $dereference = undef,
   Freeradius::Boolean $chase_referrals                                = 'yes',
   Freeradius::Boolean $rebind                                         = 'yes',
+  Freeradius::Boolean $use_referral_credentials                       = 'no',
+  Optional[Freeradius::Boolean] $session_tracking                     = undef,
   Integer $timeout                                                    = 10,
   Integer $timelimit                                                  = 3,
   Integer $idle                                                       = 60,
@@ -59,6 +61,7 @@ define freeradius::module::ldap (
   Integer $retry_delay                                                = 30,
   Integer $lifetime                                                   = 0,
   Integer $idle_timeout                                               = 60,
+  Float $connect_timeout                                              = 3.0,
 ) {
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service

manifests/sql.pp

@@ -31,6 +31,7 @@ define freeradius::sql (
   Optional[Integer] $pool_min                    = 1,
   Optional[Integer] $pool_spare                  = 1,
   Optional[Integer] $pool_idle_timeout           = 60,
+  Optional[Float] $pool_connect_timeout          = 3.0,
 ) {
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service

templates/ldap.erb

@@ -602,6 +602,25 @@ ldap <%= @name %> {
 		chase_referrals = <%= @chase_referrals %>
 		rebind = <%= @rebind %>
 
+		#
+		#  On rebind, use the credentials from the rebind url instead
+		#  of admin credentials used during the initial bind.
+		#  Default 'no'
+		#
+		use_referral_credentials = <%= @use_referral_credentials %>
+
+<%- if @session_tracking -%>
+		#
+		#  If 'yes', then include draft-wahl-ldap-session tracking
+		#  controls.
+		#
+		#  These encode the NAS-IP-Address/NAS-IPv6-Address,
+		#  User-Name, Acct-Session-ID, Acct-Multi-Session-ID
+		#  as session tracking controls, in applicable LDAP operations.
+		#  Default 'no'.
+		#
+		session_tracking = <%= @session_tracking %>
+<%- end -%>
 		# SASL Security Properties (see SASL_SECPROPS in ldap.conf man page).
 		# Note - uncomment when using GSS-API sasl mechanism along with TLS
 		# encryption against Active-Directory LDAP servers (this disables
@@ -765,6 +784,11 @@ ldap <%= @name %> {
 #		idle_timeout = 60
 		idle_timeout = <%= @idle_timeout %>
 
+		#  Connection timeout (in seconds).  The maximum amount of
+		#  time to wait for a new connection to be established.
+		#  Sets LDAP_OPT_NETWORK_TIMEOUT in libldap.
+		connect_timeout = <%= @connect_timeout %>
+
 		#  NOTE: All configuration settings are enforced.  If a
 		#  connection is closed because of 'idle_timeout',
 		#  'uses', or 'lifetime', then the total number of

templates/sql.conf.erb

@@ -334,6 +334,15 @@ sql <%= @name %> {
 #		idle_timeout = 60
 		idle_timeout = <%= @pool_idle_timeout %>
 
+		#  Connection timeout (in seconds).  The maximum amount of
+		#  time to wait for a new connection to be established.
+		#  Not supported by:
+		#    rlm_sql_firebird - Likely possible but no documentation.
+		#    rlm_sql_oracle - Not possible.
+		#    rlm_sql_postgresql - Should be set via the radius_db string instead.
+		#
+		connect_timeout = <%= @pool_connect_timeout %>
+
 		#  NOTE: All configuration settings are enforced.  If a
 		#  connection is closed because of "idle_timeout",
 		#  "uses", or "lifetime", then the total number of