Commit d857d620 authored by Nathan Ward's avatar Nathan Ward

Update templates to be based on FreeRADIUS 3.0.21 config files

Fix indentation

Revert
parent c2d1984e
......@@ -14,7 +14,8 @@ describe 'freeradius::krb5' do
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^krb5 test \{\n\s+keytab = test_keytab\n\s+service_principal = test_principal\n})
.with_content(%r{^\s+keytab = test_keytab$})
.with_content(%r{^\s+service_principal = test_principal$})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
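Review bot: Splitting the single multi-line regex into the per-line `^\s+keytab = test_keytab$` and `^\s+service_principal = test_principal$` matches drops the check that both settings sit inside the `krb5 test {` block, because Ruby's `^`/`$` anchor per line in multi-line content. The old form presumably stopped matching because the rebased template now has a comment block between the opening brace and `keytab`; if the nesting is worth asserting, keep one anchored match next to the new ones, e.g. `.with_content(%r{^krb5 test \{\n(?:.*\n)*?\s+keytab = test_keytab$})`. The enclosing `it do` block starts and ends outside the hunk.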
......
# -*- text -*-
#
# $Id$
# $Id: 1caff077b2429c948a04777fcd619be901ac83dc $
#
# This file defines a number of instances of the "attr_filter" module.
......
# File managed by puppet
##############################################################
# -*- text -*-
#
# $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $
# Write a detailed log of all accounting records received.
#
detail <%= @name %> {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
filename = <%= @filename %>
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
# filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
filename = <%= @filename %>
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
# escape_filenames = no
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = <%= @permissions %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
# permissions = 0600
permissions = <%= @permissions %>
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
<%- if @group -%>
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
group = <%= @group %>
group = <%= @group %>
<%- end -%>
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "<%= @header %>"
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/configuration/variables.rst" for a
# description of what can be put here.
#
# header = "%t"
header = "<%= @header %>"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
<%- if @locking -%>
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
locking = <%= @locking == true %>
locking = <%= @locking == true %>
<%- end -%>
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
<%- if @log_packet_header -%>
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
log_packet_header = <%= @log_packet_header == true %>
log_packet_header = <%= @log_packet_header == true %>
<%- end -%>
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
<%- if !@suppress.empty? -%>
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
suppress {
<%= @suppress.join("\n ") %>
}
suppress {
<%= @suppress.join("\n\t\t") %>
}
<%- end -%>
}
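Review bot: `header = "<%= @header %>"` interpolates the parameter inside double quotes without escaping, so a value containing `"` yields a config FreeRADIUS cannot parse; the same pattern appears as `key = "<%= @key %>"` in the files and ippool templates further down this commit. Consider validating the parameter in the defined type, or documenting that the value must not contain double quotes. Separately, `<%- if !@suppress.empty? -%>` reads more naturally as `<%- unless @suppress.empty? -%>`, and `@suppress.join("\n\t\t")` assumes an Array — `Array(@suppress).join("\n\t\t")` would also accept a single attribute name.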
#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
# This is the local dictionary file which can be
# edited by local administrators. It will be loaded
# AFTER the main dictionary files are loaded.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
# As of version 3.0.2, FreeRADIUS will automatically
# load the main dictionary files from
#
# $Id$
# ${prefix}/share/freeradius/dictionary
#
# It is no longer necessary for this file to $INCLUDE
# the main dictionaries. However, if the $INCLUDE
# line is here, nothing bad will happen.
#
# The filename given here should be an absolute path.
# Any new/changed attributes MUST be placed in this file.
# The pre-defined dictionaries SHOULD NOT be edited.
#
$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE <%= @fr_basepath %>/dictionary.custom
# See "man dictionary" for documentation on its format.
#
# Place additional attributes or $INCLUDEs here. They will
# over-ride the definitions in the pre-defined dictionaries.
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.
#
# All local attributes and $INCLUDE's should go into
# this file.
#
$INCLUDE <%= @fr_basepath %>/dictionary.custom
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
#
#
# These attributes are examples
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer
# This file is managed by Puppet. DO NOT EDIT.
# -*- text -*-
#
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
# Livingston-style 'users' file
#
......@@ -10,32 +11,37 @@ files {
<%- else -%>
files <%= @name %> {
<%- end -%>
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = <%= @moddir %>
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = <%= @moddir %>
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
<%- if @key -%>
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
key = "<%= @key %>"
key = "<%= @key %>"
<%- end -%>
# The old "users" style file is now located here.
filename = <%= @filename %>
# The old "users" style file is now located here.
# filename = ${moddir}/authorize
filename = <%= @filename %>
# This is accepted for backwards compatibility
# It will be removed in a future release.
# usersfile = ${moddir}/authorize
<%- if @usersfile -%>
# This is accepted for backwards compatibility
# It will be removed in a future release.
usersfile = <%= @usersfile %>
usersfile = <%= @usersfile %>
<%- end -%>
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
# acctusersfile = ${moddir}/accounting
# preproxy_usersfile = ${moddir}/pre-proxy
<%- if @acctusersfile -%>
acctusersfile = ${moddir}/accounting
acctusersfile = ${moddir}/accounting
<%- end -%>
<%- if @preproxy_usersfile -%>
preproxy_usersfile = ${moddir}/pre-proxy
preproxy_usersfile = ${moddir}/pre-proxy
<%- end -%>
}
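Review bot: `acctusersfile = ${moddir}/accounting` and `preproxy_usersfile = ${moddir}/pre-proxy` are emitted verbatim when `@acctusersfile` / `@preproxy_usersfile` are set, so the parameter values themselves are never written — unlike `usersfile = <%= @usersfile %>` just above. Either render them, `acctusersfile = <%= @acctusersfile %>` and `preproxy_usersfile = <%= @preproxy_usersfile %>`, or document that these two parameters act as booleans that only enable the upstream default paths. This is carried over from the old lines rather than introduced by the commit, but the rebase is a good moment to settle it.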
<%- require 'ipaddr' -%>
# -*- text -*-
#
# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
......@@ -13,56 +18,58 @@
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# Note: If you change the range parameters you must then erase the
# db files.
#
ippool <%= @name %> {
# The main db file used to allocate addresses.
filename = <%= @filename %>
# The main db file used to allocate addresses.
filename = <%= @filename %>
# The start and end ip addresses for this pool.
range_start = <%= @range_start %>
range_stop = <%= @range_stop %>
# The start and end ip addresses for this pool.
range_start = <%= @range_start %>
range_stop = <%= @range_stop %>
# The network mask used for this pool.
netmask = <%= @netmask %>
# The network mask used for this pool.
netmask = <%= @netmask %>
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = <%= @real_cache_size %>
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = <%= @real_cache_size %>
# Helper db index file used in multilink
# Helper db index file used in multilink
# ip_index = ${db_dir}/db.ipindex
<%- if @ip_index -%>
ip_index = <%= @ip_index %>
ip_index = <%= @ip_index %>
<%- else -%>
ip_index = ${db_dir}/db.<%= @name %>.index
ip_index = ${db_dir}/db.<%= @name %>.index
<%- end -%>
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = <%= @override %>
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = <%= @override %>
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = <%= @maximum_timeout %>
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = <%= @maximum_timeout %>
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
# key = "%{NAS-IP-Address} %{NAS-Port}"
<%- if @key -%>
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
key = "<%= @key %>"
key = "<%= @key %>"
<%- end -%>
}
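Review bot: `<%- require 'ipaddr' -%>` at the top of the template is not referenced by any of the visible lines; if the lines between the file header and this hunk (not shown) do not use `IPAddr` either, the `require` can be dropped, and if they do, that address arithmetic belongs in the defined type rather than in the template. `range_start`, `range_stop` and `netmask` are also rendered without validation, so a malformed value presumably surfaces only when FreeRADIUS fails to start; a `Stdlib::IP::Address` type on the parameters, or an `IPAddr.new(...)` check, would fail the catalog instead.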
# -*- text -*-
#
# $Id: 29a92b9c099a8238fbff0dec60bef00cfb89010a $
# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 <%= @name %> {
#
# The keytab file MUST be owned by the UID/GID used by the server.
# The keytab file MUST be writable by the server.
# The keytab file MUST NOT be readable by other users on the system.
# The keytab file MUST exist before the server is started.
#
# keytab = ${localstatedir}/lib/radiusd/keytab
# service_principal = name_of_principle
keytab = <%= @keytab %>
service_principal = <%= @principal %>
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Number of connections to start
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# KDC being available.
# start = ${thread[pool].start_servers}
start = <%= @start %>
# Minimum number of connections to keep open
# Minimum number of connections to keep open
# min = ${thread[pool].min_spare_servers}
min = <%= @min %>
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# NOTE: This should be greater than or equal to "min" above.
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
# max = ${thread[pool].max_servers}
max = <%= @max %>
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
# spare = ${thread[pool].max_spare_servers}
spare = <%= @spare %>
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
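Review bot: `uses = 0`, `lifetime = 0` and `idle_timeout = 0` remain hard-coded while `start`, `min`, `max` and `spare` in the same `pool {}` block are parameterised, so an operator cannot enable connection recycling without editing the template. Exposing them with the upstream defaults, e.g. `uses = <%= @uses %>`, would make the block consistent. The upstream remark that `max` should be greater than or equal to `min` was dropped from the new comment block; it is worth keeping, or better, enforcing in the defined type.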
# This file is managed by Puppet. DO NOT EDIT.
# -*- text -*-
#
# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
......@@ -13,146 +14,174 @@ linelog {
<%- else -%>
linelog <%= @name %> {
<%- end -%>
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = <%= @filename %>
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = <%= @filename %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = <%= @permissions %>
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = <%= @permissions %>