Remove FR2 support from ldap module

ae66f489 · Jonathan Gazeley · c3e3983f · ae66f489 · ae66f489 · c3e3983f
Commit ae66f489 authored Feb 1, 2016 by Jonathan Gazeley
--- a/manifests/ldap.pp
+++ b/manifests/ldap.pp
@@ -25,7 +25,6 @@ define freeradius::ldap (
  $fr_service          = $::freeradius::params::fr_service
  $fr_modulepath       = $::freeradius::params::fr_modulepath
  $fr_group            = $::freeradius::params::fr_group
-  $fr_version          = $::freeradius::params::fr_version

  # Validate our inputs
  # Hostnames
@@ -70,7 +69,7 @@ define freeradius::ldap (
    mode    => '0640',
    owner   => 'root',
    group   => $fr_group,
-    content => template("freeradius/ldap.fr${fr_version}.erb"),
+    content => template("freeradius/ldap.erb"),
    require => [Package[$fr_package], Group[$fr_group]],
    notify  => Service[$fr_service],
  }

--- a/templates/ldap.fr3.erb
+++ b/templates/ldap.fr3.erb
--- a/templates/ldap.fr2.erb
+++ b/templates/ldap.fr2.erb
-# -*- text -*-
-#
-#  $Id$
-
-# Lightweight Directory Access Protocol (LDAP)
-#
-#  This module definition allows you to use LDAP for
-#  authorization and authentication.
-#
-#  See raddb/sites-available/default for reference to the
-#  ldap module in the authorize and authenticate sections.
-#
-#  However, LDAP can be used for authentication ONLY when the
-#  Access-Request packet contains a clear-text User-Password
-#  attribute.  LDAP authentication will NOT work for any other
-#  authentication method.
-#
-#  This means that LDAP servers don't understand EAP.  If you
-#  force "Auth-Type = LDAP", and then send the server a
-#  request containing EAP authentication, then authentication
-#  WILL NOT WORK.
-#
-#  The solution is to use the default configuration, which does
-#  work.
-#
-#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
-#  really can't emphasize this enough.
-#	
-ldap <%= @name %> {
-	#
-	#  Note that this needs to match the name in the LDAP
-	#  server certificate, if you're using ldaps.
-<% @serverarray.each do |srv| -%>	server = "<%= srv %>"
-<% end -%>
-	identity = "<%= @identity %>"
-	password = <%= @password %>
-	basedn = "<%= @basedn %>"
-	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
-	#base_filter = "(objectclass=radiusprofile)"
-
-	#  How many connections to keep open to the LDAP server.
-	#  This saves time over opening a new LDAP socket for
-	#  every authentication request.
-	ldap_connections_number = <%= @max %>
-
-	#  How many times the connection can be used before
-	#  being re-established. This is useful for things
-	#  like load balancers, which may exhibit sticky
-	#  behaviour without it. (0) is unlimited.
-	max_uses = <%= @uses %>
-
-	#  Port to connect on, defaults to 389. Setting this to
-	#  636 will enable LDAPS if start_tls (see below) is not
-	#  able to be used.
-	port = <%= @port %>
-
-	# seconds to wait for LDAP query to finish. default: 20
-	timeout = <%= @timeout %>
-
-	#  seconds LDAP server has to process the query (server-side
-	#  time limit). default: 20
-	#
-	#  LDAP_OPT_TIMELIMIT is set to this value.
-	timelimit = 3
-
-	#
-	#  seconds to wait for response of the server. (network
-	#   failures) default: 10
-	#
-	#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
-	net_timeout = 1
-
-	#
-	#  This subsection configures the tls related items
-	#  that control how FreeRADIUS connects to an LDAP
-	#  server.  It contains all of the "tls_*" configuration
-	#  entries used in older versions of FreeRADIUS.  Those
-	#  configuration entries can still be used, but we recommend
-	#  using these.
-	#
-	tls {
-		# Set this to 'yes' to use TLS encrypted connections
-		# to the LDAP database by using the StartTLS extended
-		# operation.
-		#			
-		# The StartTLS operation is supposed to be
-		# used with normal ldap connections instead of
-		# using ldaps (port 636) connections
-		start_tls = <%= @starttls %>
-
-<% if @cafile -%>		cacertfile	= <%= @cafile %><% end %>
-		# cacertdir	= /path/to/ca/dir/
-<% if @certfile -%>		certfile	= <%= @certfile %><% end %>
-<% if @keyfile -%>		keyfile		= <%= @keyfile %><% end %>
-		# randfile	= /path/to/rnd
-
-		#  Certificate Verification requirements.  Can be:
-		#    "never" (don't even bother trying)
-		#    "allow" (try, but don't fail if the cerificate
-		#		can't be verified)
-		#    "demand" (fail if the certificate doesn't verify.)
-		#
-		#	The default is "allow"
-		require_cert	= "<%= @requirecert %>"
-	}
-
-	# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
-	# profile_attribute = "radiusProfileDn"
-	# access_attr = "dialupAccess"
-
-	# Mapping of RADIUS dictionary attributes to LDAP
-	# directory attributes.
-	dictionary_mapping = ${confdir}/ldap.attrmap
-
-	#  Set password_attribute = nspmPassword to get the
-	#  user's password from a Novell eDirectory
-	#  backend. This will work ONLY IF FreeRADIUS has been
-	#  built with the --with-edir configure option.
-	#
-	#  See also the following links:
-	#
-	#  http://www.novell.com/coolsolutions/appnote/16745.html
-	#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
-	#
-	#  Novell may require TLS encrypted sessions before returning
-	#  the user's password.
-	#
-	# password_attribute = userPassword
-
-	#  Un-comment the following to disable Novell
-	#  eDirectory account policy check and intruder
-	#  detection. This will work *only if* FreeRADIUS is
-	#  configured to build with --with-edir option.
-	#
-	edir_account_policy_check = no
-
-	#
-	#  Group membership checking.  Disabled by default.
-	#
-	# groupname_attribute = cn
-	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
-	# groupmembership_attribute = radiusGroupName
-
-	# compare_check_items = yes
-	# do_xlat = yes
-	# access_attr_used_for_allow = yes
-
-	#
-	#  The following two configuration items are for Active Directory
-	#  compatibility.  If you see the helpful "operations error"
-	#  being returned to the LDAP module, uncomment the next
-	#  two lines.
-	#
-	chase_referrals = yes
-	rebind = yes
-
-	#
-	#  By default, if the packet contains a User-Password,
-	#  and no other module is configured to handle the
-	#  authentication, the LDAP module sets itself to do
-	#  LDAP bind for authentication.
-	#
-	#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
-	#
-	#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). 
-	#
-	#  You can disable this behavior by setting the following
-	#  configuration entry to "no".
-	#
-	#  allowed values: {no, yes}
-	# set_auth_type = yes
-
-	#  ldap_debug: debug flag for LDAP SDK
-	#  (see OpenLDAP documentation).  Set this to enable
-	#  huge amounts of LDAP debugging on the screen.
-	#  You should only use this if you are an LDAP expert.
-	#
-	#	default: 0x0000 (no debugging messages)
-	#	Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
-	#ldap_debug = 0x0028 
-
-	#
-	#  Keepalive configuration.  This MAY NOT be supported by your
-	#  LDAP library.  If these configuration entries appear in the
-	#  output of "radiusd -X", then they are supported.  Otherwise,
-	#  they are unsupported, and changing them will do nothing.
-	#
-	keepalive {
-		# LDAP_OPT_X_KEEPALIVE_IDLE
-		idle = <%= @idle %>
-
-		# LDAP_OPT_X_KEEPALIVE_PROBES
-		probes = <%= @probes %>
-
-		# LDAP_OPT_X_KEEPALIVE_INTERVAL
-		interval = <%= @interval %>
-	}
-}