This module installs freeradius. The v3 manifests can be used to configure version 3 of freeradius. If an older version of freeradius is being used, rsync can be used to copy over configuration files created outside of Puppet. Rsync can also be used to copy over version 3 files.
This module includes a radiusd site and module that can be used to configure freeradius to work with an LDAP server.
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
This module installs and configures freeradius. Its main purpose is to integrate freeradius with an existing LDAP server. It includes manifests that create a virtual server (site) configuring freeradius to listen on all available interfaces and authenticate via LDAP.
See REFERENCE.md for more details.
Before using pupmod-simp-freeradius, make sure to read the freeradius documentation.

Much of the freeradius documentation is in the default configuration files, some of which get overwritten by this module. It can be helpful to extract and store these files in a separate location using the command:

```sh
rpm2cpio <free radius rpm> | cpio -idmv
```
- Ensure the freeradius, freeradius-ldap and freeradius-utils packages are available to your package manager.
- Configuration directory: `/etc/raddb`
- Log directory: `/var/log/freeradius`
- LDAP bind user: `bind_dn`
- Rsync: `false`
This basic setup will configure RADIUS to listen on all interfaces and authenticate using LDAP.
Include the following in your Puppet code:

```puppet
include 'freeradius'
include 'freeradius::v3::sites::ldap'
include 'freeradius::v3::modules::ldap'
```

If you are using a SIMP system, you can alternatively include the classes via Hiera:

```yaml
---
simp::classes:
  - 'freeradius'
  - 'freeradius::v3::sites::ldap'
  - 'freeradius::v3::modules::ldap'
```
The default settings for `radiusd.conf` can be found in

- `freeradius::v3::conf`
- `freeradius::v3::conf::log`
- `freeradius::v3::conf::security`
- `freeradius::v3::conf::thread_pool`

and can be changed using Hiera. See REFERENCE.md for more details.
The listener is set up in the `freeradius::v3::sites::ldap` class. Review that class if there is a need to change the listener or to use a global listener instead of one linked to a site.
Client configurations will need to be created to allow clients to talk to the server. See the default `clients.conf` file installed by freeradius for information on how to configure clients.

The `freeradius::v3::client` defined type lets clients be created individually. Alternatively, a complete `clients.conf` file can be copied in by specifying the file content in Hiera with the variable `freeradius::v3::conf::clients_conf_content`.
Example clients:

```puppet
freeradius::v3::client { 'localhost':
  ipaddr                        => '127.0.0.1',
  secret                        => 'testing123',
  require_message_authenticator => false,
  nas_type                      => 'other',
}

freeradius::v3::client { 'mynetwork':
  ipaddr => '10.0.71.0/24',
  secret => 'testing123',
}
```
Or, to copy over a file with clients defined, set the Hiera variable:

```yaml
---
# The setting is
# freeradius::v3::conf::clients_conf_content: <exact content to add to file>
freeradius::v3::conf::clients_conf_content: >
  Your entire
  configuration
  goes here
```
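The examples above hard-code the shared secret `testing123`, which is the well-known example value from the stock FreeRADIUS `clients.conf`. The following wrapper class is an added example and is not part of this module; it builds `freeradius::v3::client` resources from a Hiera hash so that NAS secrets live in (encrypted) Hiera data rather than in manifests, and it refuses the example secret at catalog compile time. The class name `profile::radius` and the Hiera key `profile::radius::clients` are assumptions; the hash keys for each client are the `freeradius::v3::client` parameters shown on this page.

```puppet
# Added example (not from pupmod-simp-freeradius): Hiera-driven RADIUS clients.
# Assumed Hiera data (hiera-eyaml or a similar backend for the secrets):
#
#   profile::radius::clients:
#     localhost:
#       ipaddr: '127.0.0.1'
#       secret: 'ENC[PKCS7,...]'
#       require_message_authenticator: false
#       nas_type: 'other'
#     mynetwork:
#       ipaddr: '10.0.71.0/24'
#       secret: 'ENC[PKCS7,...]'
#
class profile::radius (
  # Client name => hash of freeradius::v3::client parameters
  Hash[String[1], Hash[String[1], Data]] $clients = {},
) {
  # Base setup from this module's README
  include 'freeradius'
  include 'freeradius::v3::sites::ldap'
  include 'freeradius::v3::modules::ldap'

  $clients.each |String $name, Hash $params| {
    # Fail the catalog rather than ship a NAS entry with a placeholder secret.
    if $params['secret'] == undef or $params['secret'] == 'testing123' {
      fail("profile::radius: client '${name}' has no secret or still uses the example secret")
    }

    # Splat the per-client hash straight into the defined type, so any
    # parameter freeradius::v3::client supports can be set from Hiera.
    freeradius::v3::client { $name:
      * => $params,
    }
  }
}
```

Including `profile::radius` instead of the three bare `include` lines keeps every client definition in Hiera; a client whose hash omits `secret`, or copies the example value, stops the Puppet run at compile time instead of producing a `clients.conf` entry that any NAS on the network could guess.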
The following configurations are not needed for connection to LDAP. These are a few examples of alternate application configurations.
Other sites and modules you write can be added individually using `freeradius::v3::site` or `freeradius::v3::module`. In both cases, you specify the source file to be copied. For example, to specify a custom site:

```puppet
freeradius::v3::site { 'mysite':
  source => 'puppet:///modules/mymodule/freeradius/mysite',
  enable => true,
}
```
Existing sites that are in the `sites-available` directory can be enabled using:

```puppet
freeradius::v3::site { 'inner-triggers':
  enable => true,
}
```

This will create the link in `sites-enabled` and, if `manage_sites_enabled` is set to `true`, the link will not be removed.

See the `sites-available` and `mods-available` directories on your system for examples and information on how to build the content of these files.
If enabled, freeradius will use the `/var/simp/environments/<os>/Global/freeradius` share on the SIMP rsync server. This allows for large or complex configurations that may not be appropriate for inclusion directly in Puppet `File` resources.

Files in this directory will be copied via rsync to `/etc/raddb`. Make sure all permissions are correct, including the SELinux context.

In Hiera:

```yaml
freeradius::use_rsync: true
```
Rsync will copy over all the files and overwrite anything that already exists. It will not purge any files.
Please read our Contribution Guide.
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests, run the following:

```sh
bundle install
bundle exec rake beaker:suites
```
Please refer to the SIMP Beaker Helpers documentation for more information.