Skip to content

GitLab

Commit d857d620 authored by Nathan Ward's avatar Nathan Ward
Browse files

Update templates to be based on FreeRADIUS 3.0.21 config files 

Fix indent things

Revert
parent c2d1984e
Expand all Hide whitespace changes
Inline Side-by-side
spec/defines/krb5_spec.rb
View file @ d857d620
......@@ -14,7 +14,8 @@ describe 'freeradius::krb5' do
it do
is_expected.to contain_file('/etc/raddb/mods-available/test')
.with_content(%r{^krb5 test \{\n\s+keytab = test_keytab\n\s+service_principal = test_principal\n})
.with_content(%r{^\s+keytab = test_keytab$})
.with_content(%r{^\s+service_principal = test_principal$})
.with_ensure('present')
.with_group('radiusd')
.with_mode('0640')
......
templates/attr_default.erb
View file @ d857d620
# -*- text -*-
#
# $Id$
# $Id: 1caff077b2429c948a04777fcd619be901ac83dc $
#
# This file defines a number of instances of the "attr_filter" module.
......
templates/detail.erb
View file @ d857d620
# File managed by puppet
##############################################################
# -*- text -*-
#
# $Id: e91e12d0b4de8f3cb084c179b321924d0248cfbb $
# Write a detailed log of all accounting records received.
#
detail <%= @name %> {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want
# to add a ':%H' (see doc/variables.txt) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
filename = <%= @filename %>
detail {
# Note that we do NOT use NAS-IP-Address here, as
# that attribute MAY BE from the originating NAS, and
# NOT from the proxy which actually sent us the
# request.
#
# The following line creates a new detail file for
# every radius client (by IP address or hostname).
# In addition, a new detail file is created every
# day, so that the detail file doesn't have to go
# through a 'log rotation'
#
# If your detail files are large, you may also want to add
# a ':%H' (see doc/configuration/variables.rst) to the end
# of it, to create a new detail file every hour, e.g.:
#
# ..../detail-%Y%m%d:%H
#
# This will create a new detail file for every hour.
#
# If you are reading detail files via the "listen" section
# (e.g. as in raddb/sites-available/robust-proxy-accounting),
# you MUST use a unique directory for each combination of a
# detail file writer, and reader. That is, there can only
# be ONE "listen" section reading detail files from a
# particular directory.
#
# filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
filename = <%= @filename %>
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# If you are using radrelay, delete the above line for "file",
# and use this one instead:
#
# filename = ${radacctdir}/detail
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
# escape_filenames = no
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
permissions = <%= @permissions %>
#
# The Unix-style permissions on the 'detail' file.
#
# The detail file often contains secret or private
# information about users. So by keeping the file
# permissions restrictive, we can prevent unwanted
# people from seeing that information.
# permissions = 0600
permissions = <%= @permissions %>
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
# group = ${security.group}
<%- if @group -%>
# The Unix group of the log file.
#
# The user that the server runs as must be in the specified
# system group otherwise this will fail to work.
#
group = <%= @group %>
group = <%= @group %>
<%- end -%>
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/variables.txt" for a description
# of what can be put here.
#
header = "<%= @header %>"
#
# Every entry in the detail file has a header which
# is a timestamp. By default, we use the ctime
# format (see "man ctime" for details).
#
# The header can be customised by editing this
# string. See "doc/configuration/variables.rst" for a
# description of what can be put here.
#
# header = "%t"
header = "<%= @header %>"
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
# locking = yes
<%- if @locking -%>
#
# Uncomment this line if the detail file reader will be
# reading this detail file.
#
locking = <%= @locking == true %>
locking = <%= @locking == true %>
<%- end -%>
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
# log_packet_header = yes
<%- if @log_packet_header -%>
#
# Log the Packet src/dst IP/port. This is disabled by
# default, as that information isn't used by many people.
#
log_packet_header = <%= @log_packet_header == true %>
log_packet_header = <%= @log_packet_header == true %>
<%- end -%>
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
#suppress {
# User-Password
#}
<%- if !@suppress.empty? -%>
#
# Certain attributes such as User-Password may be
# "sensitive", so they should not be printed in the
# detail file. This section lists the attributes
# that should be suppressed.
#
# The attributes should be listed one to a line.
#
suppress {
<%= @suppress.join("\n ") %>
}
suppress {
<%= @suppress.join("\n\t\t") %>
}
<%- end -%>
}
templates/dictionary.erb
View file @ d857d620
#
# This is the master dictionary file, which references the
# pre-defined dictionary files included with the server.
# This is the local dictionary file which can be
# edited by local administrators. It will be loaded
# AFTER the main dictionary files are loaded.
#
# Any new/changed attributes MUST be placed in this file, as
# the pre-defined dictionaries SHOULD NOT be edited.
# As of version 3.0.2, FreeRADIUS will automatically
# load the main dictionary files from
#
# $Id$
# ${prefix}/share/freeradius/dictionary
#
# It is no longer necessary for this file to $INCLUDE
# the main dictionaries. However, if the $INCLUDE
# line is here, nothing bad will happen.
#
# The filename given here should be an absolute path.
# Any new/changed attributes MUST be placed in this file.
# The pre-defined dictionaries SHOULD NOT be edited.
#
$INCLUDE /usr/share/freeradius/dictionary
$INCLUDE <%= @fr_basepath %>/dictionary.custom
# See "man dictionary" for documentation on its format.
#
# Place additional attributes or $INCLUDEs here. They will
# over-ride the definitions in the pre-defined dictionaries.
# $Id: eed5d70f41b314f9ed3f006a22d9f9a2be2c9516 $
#
# See the 'man' page for 'dictionary' for information on
# the format of the dictionary files.
#
# All local attributes and $INCLUDE's should go into
# this file.
#
$INCLUDE <%= @fr_basepath %>/dictionary.custom
# If you want to add entries to the dictionary file,
# which are NOT going to be placed in a RADIUS packet,
# add them here. The numbers you pick should be between
# 3000 and 4000.
# add them to the 'dictionary.local' file.
#
# The numbers you pick should be between 3000 and 4000.
# These attributes will NOT go into a RADIUS packet.
#
# If you want that, you will need to use VSAs. This means
# requesting allocation of a Private Enterprise Code from
# http://iana.org. We STRONGLY suggest doing that only if
# you are a vendor of RADIUS equipment.
#
# See RFC 6158 for more details.
# http://ietf.org/rfc/rfc6158.txt
#
#
# These attributes are examples
#
#ATTRIBUTE My-Local-String 3000 string
#ATTRIBUTE My-Local-IPAddr 3001 ipaddr
#ATTRIBUTE My-Local-Integer 3002 integer
templates/eap.erb
View file @ d857d620
This diff is collapsed.
templates/files.erb
View file @ d857d620
# This file is managed by Puppet. DO NOT EDIT.
# -*- text -*-
#
# $Id: e3f3bf568d92eba8eb17bbad590f846f2d9e1ac8 $
# Livingston-style 'users' file
#
......@@ -10,32 +11,37 @@ files {
<%- else -%>
files <%= @name %> {
<%- end -%>
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = <%= @moddir %>
# Search for files in a subdirectory of mods-config which
# matches this instance of the files module.
moddir = <%= @moddir %>
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
#key = "%{%{Stripped-User-Name}:-%{User-Name}}"
<%- if @key -%>
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
key = "<%= @key %>"
key = "<%= @key %>"
<%- end -%>
# The old "users" style file is now located here.
filename = <%= @filename %>
# The old "users" style file is now located here.
# filename = ${moddir}/authorize
filename = <%= @filename %>
# This is accepted for backwards compatibility
# It will be removed in a future release.
# usersfile = ${moddir}/authorize
<%- if @usersfile -%>
# This is accepted for backwards compatibility
# It will be removed in a future release.
usersfile = <%= @usersfile %>
usersfile = <%= @usersfile %>
<%- end -%>
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
# These are accepted for backwards compatibility.
# They will be renamed in a future release.
# acctusersfile = ${moddir}/accounting
# preproxy_usersfile = ${moddir}/pre-proxy
<%- if @acctusersfile -%>
acctusersfile = ${moddir}/accounting
acctusersfile = ${moddir}/accounting
<%- end -%>
<%- if @preproxy_usersfile -%>
preproxy_usersfile = ${moddir}/pre-proxy
preproxy_usersfile = ${moddir}/pre-proxy
<%- end -%>
}
templates/ippool.erb
View file @ d857d620
<%- require 'ipaddr' -%>
# -*- text -*-
#
# $Id: 1d3305ba45ec71336f55f8f1db05f183772e1b82 $
# Do server side ip pool management. Should be added in
# post-auth and accounting sections.
#
......@@ -13,56 +18,58 @@
#
# Example:
# radiusd.conf: ippool students { [...] }
# ippool teachers { [...] }
# ippool teachers { [...] }
# users file : DEFAULT Group == students, Pool-Name := "students"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
# DEFAULT Group == teachers, Pool-Name := "teachers"
# DEFAULT Group == other, Pool-Name := "DEFAULT"
#
# Note: If you change the range parameters you must then erase the
# db files.
#
ippool <%= @name %> {
# The main db file used to allocate addresses.
filename = <%= @filename %>
# The main db file used to allocate addresses.
filename = <%= @filename %>
# The start and end ip addresses for this pool.
range_start = <%= @range_start %>
range_stop = <%= @range_stop %>
# The start and end ip addresses for this pool.
range_start = <%= @range_start %>
range_stop = <%= @range_stop %>
# The network mask used for this pool.
netmask = <%= @netmask %>
# The network mask used for this pool.
netmask = <%= @netmask %>
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = <%= @real_cache_size %>
# The gdbm cache size for the db files. Should
# be equal to the number of ip's available in
# the ip pool
cache_size = <%= @real_cache_size %>
# Helper db index file used in multilink
# Helper db index file used in multilink
# ip_index = ${db_dir}/db.ipindex
<%- if @ip_index -%>
ip_index = <%= @ip_index %>
ip_index = <%= @ip_index %>
<%- else -%>
ip_index = ${db_dir}/db.<%= @name %>.index
ip_index = ${db_dir}/db.<%= @name %>.index
<%- end -%>
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = <%= @override %>
# If set, the Framed-IP-Address already in the
# reply (if any) will be discarded, and replaced
# ith a Framed-IP-Address assigned here.
override = <%= @override %>
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = <%= @maximum_timeout %>
# Specifies the maximum time in seconds that an
# entry may be active. If set to zero, means
# "no timeout". The default value is 0
maximum_timeout = <%= @maximum_timeout %>
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
# key = "%{NAS-IP-Address} %{NAS-Port}"
<%- if @key -%>
# The key to use for the session database (which
# holds the allocated ip's) normally it should
# just be the nas ip/port (which is the default).
#
# If your NAS sends the same value of NAS-Port
# all requests, the key should be based on some
# other attribute that is in ALL requests, AND
# is unique to each machine needing an IP address.
key = "<%= @key %>"
key = "<%= @key %>"
<%- end -%>
}
templates/krb5.erb
View file @ d857d620
# -*- text -*-
#
# $Id: 29a92b9c099a8238fbff0dec60bef00cfb89010a $
# $Id: c88b5fbb4b35cc4e61bfb93a616d891fb79ebc0c $
#
# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
#
krb5 <%= @name %> {
#
# The keytab file MUST be owned by the UID/GID used by the server.
# The keytab file MUST be writable by the server.
# The keytab file MUST NOT be readable by other users on the system.
# The keytab file MUST exist before the server is started.
#
# keytab = ${localstatedir}/lib/radiusd/keytab
# service_principal = name_of_principle
keytab = <%= @keytab %>
service_principal = <%= @principal %>
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Number of connections to start
# Pool of krb5 contexts, this allows us to make the module multithreaded
# and to avoid expensive operations like resolving and opening keytabs
# on every request. It may also allow TCP connections to the KDC to be
# cached if that is supported by the version of libkrb5 used.
#
# The context pool is only used if the underlying libkrb5 reported
# that it was thread safe at compile time.
#
pool {
# Connections to create during module instantiation.
# If the server cannot create specified number of
# connections during instantiation it will exit.
# Set to 0 to allow the server to start without the
# KDC being available.
# start = ${thread[pool].start_servers}
start = <%= @start %>
# Minimum number of connections to keep open
# Minimum number of connections to keep open
# min = ${thread[pool].min_spare_servers}
min = <%= @min %>
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# NOTE: This should be greater than or equal to "min" above.
# Maximum number of connections
#
# If these connections are all in use and a new one
# is requested, the request will NOT get a connection.
#
# Setting 'max' to LESS than the number of threads means
# that some threads may starve, and you will see errors
# like 'No connections available and at max connection limit'
#
# Setting 'max' to MORE than the number of threads means
# that there are more connections than necessary.
# max = ${thread[pool].max_servers}
max = <%= @max %>
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
# Spare connections to be left idle
#
# NOTE: Idle connections WILL be closed if "idle_timeout"
# is set. This should be less than or equal to "max" above.
# spare = ${thread[pool].max_spare_servers}
spare = <%= @spare %>
# Number of uses before the connection is closed
#
# NOTE: A setting of 0 means infinite (no limit).
uses = 0
# Number of uses before the connection is closed
#
# 0 means "infinite"
uses = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The lifetime (in seconds) of the connection
#
# NOTE: A setting of 0 means infinite (no limit).
lifetime = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# The idle timeout (in seconds). A connection which is
# unused for this length of time will be closed.
#
# NOTE: A setting of 0 means infinite (no timeout).
idle_timeout = 0
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
# NOTE: All configuration settings are enforced. If a
# connection is closed because of "idle_timeout",
# "uses", or "lifetime", then the total number of
# connections MAY fall below "min". When that
# happens, it will open a new connection. It will
# also log a WARNING message.
#
# The solution is to either lower the "min" connections,
# or increase lifetime/idle_timeout.
}
}
templates/ldap.erb
View file @ d857d620
This diff is collapsed.
templates/linelog.erb
View file @ d857d620
# This file is managed by Puppet. DO NOT EDIT.
# -*- text -*-
#
# $Id: dc2a8195b3c1c2251fc37651ea4a598898c33d12 $
#
# The "linelog" module will log one line of text to a file.
......@@ -13,146 +14,174 @@ linelog {
<%- else -%>
linelog <%= @name %> {
<%- end -%>
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = <%= @filename %>
#
# The file where the logs will go.
#
# If the filename is "syslog", then the log messages will
# go to syslog.
filename = <%= @filename %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# Most file systems can handly nearly the full range of UTF-8
# characters. Ones that can deal with a limited range should
# set this to "yes".
#
escape_filenames = <%= @escape_filenames %>
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = <%= @permissions %>
#
# The Unix-style permissions on the log file.
#
# Depending on format string, the log file may contain secret or
# private information about users. Keep the file permissions as
# restrictive as possible.
permissions = <%= @permissions %>