Unverified Commit a137f477 authored by Jonathan's avatar Jonathan Committed by GitHub
Browse files

Merge pull request #93 from sts/master

Add puppet class for huntgroups
parents 0a9e0b27 d2b38ef2
Loading
Loading
Loading
Loading
+40 −0
Original line number Diff line number Diff line
@@ -277,6 +277,18 @@ freeradius::client { "wlan-controllers":
}
```

```puppet
# Huntgroup Example
freeradius::client { "asa01":
  ip         => '192.168.0.1',
  secret     => 'testing123',
  huntgroups => [
    { name       => 'firewall',
      conditions => [ 'NAS-IP-Address == 192.168.0.1' ] },
  ]
}
```

##### `ip`
The IP address of the client or range in CIDR format. For IPv6, use `ipv6addr`. `ip` and `ip6` are mutually exclusive but one must be supplied.
Default: `undef`.
@@ -332,6 +344,10 @@ Create a firewall exception for this virtual server. If this is set to `true`, y
##### `attributes`
Array of attributes to assign to this client. Default: empty.


##### `huntgroups`
Array of hashes, each hash defines one freeradius::huntgroup. Hash keys are all passed to a new instance of freeradius::huntgroup.

#### `freeradius::config`

Install arbitrary config snippets from a flat file. These are installed in `/etc/raddb/conf.d`
@@ -440,6 +456,30 @@ fallback, such as the DEFAULT realm.
For reasons of stability, this home server SHOULD be a virtual server. Otherwise, the fallback may itself be dead!


#### `freeradius::huntgroup`

Define a huntgroup given a name and the conditions under which a huntgroup matches a client.

```puppet
freeradius::huntgroup { 'switchaccess':
  huntgroup  => 'switchaccess',
  conditions => [
    'NAS-IP-Address == 192.168.0.1'
  ]
}

##### `huntgroup`
Name of the huntgroup to assign, if conditions are all met. Default to the resource title.

##### `conditons`
Array of conditions which are used to match the client, each element should contain a condition in the form of 'Key == Value'.

##### `type`


##### `home_server`


#### `freeradius::instantiate`

Instantiate a module that is not automatically instantiated.
+46 −0
Original line number Diff line number Diff line
#
# huntgroups    This file defines the `huntgroups' that you have. A
#        huntgroup is defined by specifying the IP address of
#        the NAS and possibly a port range. Port can be identified
#        as just one port, or a range (from-to), and multiple ports
#        or ranges of ports must be separated by a comma. For
#        example: 1,2,3-8
#
#        Matching is done while RADIUS scans the user file; if it
#        includes the selection criterium "Huntgroup-Name == XXX"
#        the huntgroup is looked up in this file to see if it
#        matches. There can be multiple definitions of the same
#        huntgroup; the first one that matches will be used.
#
#        This file can also be used to define restricted access
#        to certain huntgroups. The second and following lines
#        define the access restrictions (based on username and
#        UNIX usergroup) for the huntgroup.
#

#
# Our POP in Alphen a/d Rijn has 3 terminal servers. Create a Huntgroup-Name
# called Alphen that matches on all three terminal servers.
#
#alphen        NAS-IP-Address == 192.0.2.5
#alphen        NAS-IP-Address == 192.0.2.6
#alphen        NAS-IP-Address == 192.0.2.7

#
# The POP in Delft consists of only one terminal server.
#
#delft        NAS-IP-Address == 198.51.100.5

#
# Ports 0-7 on the first terminal server in Alphen are connected to
# a huntgroup that is for business users only. Note that only one
# of the username or groupname has to match to get access (OR/OR).
#
# Note that this huntgroup is a subset of the "alphen" huntgroup.
#
#business    NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7
#        User-Name = rogerl,
#        User-Name = henks,
#        Group = business,
#        Group = staff
+9 −0
Original line number Diff line number Diff line
@@ -21,6 +21,7 @@ define freeradius::client (
  $firewall                      = false,
  $ensure                        = present,
  $attributes                    = [],
  $huntgroups                    = undef,
) {
  $fr_package  = $::freeradius::params::fr_package
  $fr_service  = $::freeradius::params::fr_service
@@ -76,4 +77,12 @@ define freeradius::client (
      fail('Must specify $port if you specify $firewall')
    }
  }

  if $huntgroups {
    $huntgroups.each |$index, $huntgroup| {
      freeradius::huntgroup { "huntgroup.client.${shortname}.${index}":
        * => $huntgroup
      }
    }
  }
}

manifests/huntgroup.pp

0 → 100644
+22 −0
Original line number Diff line number Diff line
# Install FreeRADIUS huntgroups
define freeradius::huntgroup (
  $ensure      = present,
  $huntgroup   = $title,
  $conditions  = [],
  $order       = 50,
) {
  $fr_basepath = $::freeradius::params::fr_basepath
  $fr_service  = $::freeradius::params::fr_service

  $conditionals = join($conditions, ", ")

  $content    = "${huntgroup}\t${conditionals}\n"

  concat::fragment { "huntgroup.${title}":
    ensure  => $ensure,
    target  => "${fr_basepath}/mods-config/preprocess/huntgroups",
    content => $content,
    order   => $order,
    notify  => Service[$fr_service],
  }
}
+14 −0
Original line number Diff line number Diff line
@@ -213,6 +213,20 @@ class freeradius (
    order  => 90,
  }

  # Install a huntgroups file
  concat { "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups":
    owner   => 'root',
    group   => $freeradius::fr_group,
    mode    => '0640',
    require => [Package[$freeradius::fr_package], Group[$freeradius::fr_group]],
  }
  concat::fragment { 'huntgroups_header':
    target => "${freeradius::fr_basepath}/mods-config/preprocess/huntgroups",
    source => 'puppet:///modules/freeradius/huntgroups.header',
    order  => 10,
  }


  # Install FreeRADIUS packages
  package { 'freeradius':
    ensure => $package_ensure,