Unverified Commit a137f477 authored by Jonathan's avatar Jonathan Committed by GitHub

Merge pull request #93 from sts/master

Add puppet class for huntgroups
parents 0a9e0b27 d2b38ef2
......@@ -277,6 +277,18 @@ freeradius::client { "wlan-controllers":
}
```
```puppet
# Huntgroup Example
freeradius::client { "asa01":
ip => '192.168.0.1',
secret => 'testing123',
huntgroups => [
{ name => 'firewall',
conditions => [ 'NAS-IP-Address == 192.168.0.1' ] },
]
}
```
##### `ip`
The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
Default: `undef`.
......@@ -332,6 +344,10 @@ Create a firewall exception for this virtual server. If this is set to `true`, y
##### `attributes`
Array of attributes to assign to this client. Default: empty.
##### `huntgroups`
Array of hashes, each hash defines one freeradius::huntgroup. Hash keys are all passed to a new instance of freeradius::huntgroup.
#### `freeradius::config`
Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d`
......@@ -440,6 +456,30 @@ fallback, such as the DEFAULT realm.
For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!
#### `freeradius::huntgroup`
Define a huntgroup given a name and the conditions under which a huntgroup matches a client.
```puppet
freeradius::huntgroup { 'switchaccess':
huntgroup => 'switchaccess',
conditions => [
'NAS-IP-Address == 192.168.0.1'
]
}
##### `huntgroup`
Name of the huntgroup to assign, if conditions are all met. Default to the resource title.
##### `conditons`
Array of conditions which are used to match the client, each element should contain a condition in the form of 'Key == Value'.
##### `type`
##### `home_server`
#### `freeradius::instantiate`
Instantiate a module that is not automatically instantiated.
#
# huntgroups This file defines the `huntgroups' that you have. A
# huntgroup is defined by specifying the IP address of
# the NAS and possibly a port range. Port can be identified
# as just one port, or a range (from-to), and multiple ports
# or ranges of ports must be separated by a comma. For
# example: 1,2,3-8
#
# Matching is done while RADIUS scans the user file; if it
# includes the selection criterium "Huntgroup-Name == XXX"
# the huntgroup is looked up in this file to see if it
# matches. There can be multiple definitions of the same
# huntgroup; the first one that matches will be used.
#
# This file can also be used to define restricted access
# to certain huntgroups. The second and following lines
# define the access restrictions (based on username and
# UNIX usergroup) for the huntgroup.
#
#
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
# called Alphen that matches on all three terminal servers.
#
#alphen NAS-IP-Address == 192.0.2.5
#alphen NAS-IP-Address == 192.0.2.6
#alphen NAS-IP-Address == 192.0.2.7
#
# The POP in Delft consists of only one terminal server.
#
#delft NAS-IP-Address == 198.51.100.5
#
# Ports 0-7 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
#business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7
# User-Name = rogerl,
# User-Name = henks,
# Group = business,
# Group = staff
......@@ -21,6 +21,7 @@ define freeradius::client (
$firewall = false,
$ensure = present,
$attributes = [],
$huntgroups = undef,
) {
$fr_package = $::freeradius::params::fr_package
$fr_service = $::freeradius::params::fr_service
......@@ -76,4 +77,12 @@ define freeradius::client (
fail('Must specify $port if you specify $firewall')
}
}
if $huntgroups {
$huntgroups.each |$index, $huntgroup| {
freeradius::huntgroup { "huntgroup.client.${shortname}.${index}":
* => $huntgroup
}
}
}
}
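Review bot: `* => $huntgroup` on the `freeradius::huntgroup` declaration passes through whatever keys the caller supplies, and the README example added in this commit uses `name => 'firewall'`; if I read the new define correctly its group name comes from `$huntgroup` (defaulting to `$title`), so that example would presumably write a group named `huntgroup.client.asa01.0` rather than `firewall` — either the example should say `huntgroup => 'firewall'` or the define should accept `name`. The new `$huntgroups` parameter is untyped although the README describes it as an array of hashes; since this hunk already relies on Puppet 4 iteration, `Optional[Array[Hash]] $huntgroups = undef,` would reject a scalar or a bare hash before the `.each` runs. The enclosing `define freeradius::client` body begins before this hunk.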
# Install FreeRADIUS huntgroups
define freeradius::huntgroup (
$ensure = present,
$huntgroup = $title,
$conditions = [],
$order = 50,
) {
$fr_basepath = $::freeradius::params::fr_basepath
$fr_service = $::freeradius::params::fr_service
$conditionals = join($conditions, ", ")
$content = "${huntgroup}\t${conditionals}\n"
concat::fragment { "huntgroup.${title}":
ensure => $ensure,
target => "${fr_basepath}/mods-config/preprocess/huntgroups",
content => $content,
order => $order,
notify => Service[$fr_service],
}
}
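Review bot: `$huntgroup` and every element of `$conditions` are interpolated verbatim into `"${huntgroup}\t${conditionals}\n"` with no constraint on their content, so a value containing a newline or tab would produce an extra or malformed line in the preprocess huntgroups file. Since the module already depends on the Puppet 4 parser, the parameters can be typed, e.g. `Pattern[/\A\S+\z/] $huntgroup = $title,` and `Array[Pattern[/\A[^\n\t]+\z/]] $conditions = [],`, which at least rejects control characters even if it does not fully enforce the 'Key == Value' form the README describes. The header comment `# Install FreeRADIUS huntgroups` could also say what is written and that repeated names are allowed, e.g. `# Append one "<name>\t<cond>, <cond>" line to the preprocess huntgroups file; several clients may declare the same huntgroup name (FreeRADIUS uses the first definition that matches).`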
......@@ -213,6 +213,20 @@ class freeradius (
order => 90,
}
# Install a huntgroups file
concat { "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups":
owner => 'root',
group => $freeradius::fr_group,
mode => '0640',
require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
}
concat::fragment { 'huntgroups_header':
target => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups",
source => 'puppet:///modules/freeradius/huntgroups.header',
order => 10,
}
# Install FreeRADIUS packages
package { 'freeradius':
ensure => $package_ensure,
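Review bot: The path `${freeradius::fr_basepath}/mods-config/preprocess/huntgroups` is spelled out twice in this hunk (the `concat` title and the fragment `target`) and a third time in the new `freeradius::huntgroup` define, so a change to any one of them would leave fragments pointing at a file no `concat` manages. Hoisting it once, e.g. `$huntgroups_file = "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups"` alongside `fr_basepath` in `freeradius::params`, and referencing that from both files keeps the target and the managed file in lockstep. Mode `0640` owned by root with group `$freeradius::fr_group` is appropriate for a file the daemon only needs to read.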