REFERENCE.md

2062 lines (1054 loc) · 52.3 KB
Reference

Table of Contents

Classes

Defined types

Data types

Classes

freeradius

The freeradius class.

Parameters

The following parameters are available in the freeradius class:

firewall

Data type: Boolean

If true set rules to open ports on firewall

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false})

freeradius_name

Data type: String

Name of the package

Default value: 'freeradius'

user

Data type: String

Default value: 'radiusd'

uid

Data type: Integer

Default value: 95

group

Data type: String

Default value: 'radiusd'

gid

Data type: Integer

The user and group information for the local system that is used to run freeradius.

Default value: 95

sysconfdir

Data type: Stdlib::Absolutepath

Top level configuration directory.

Default value: '/etc'

confdir

Data type: Stdlib::Absolutepath

The configuration directories where the radius files are kept.

Default value: "${sysconfdir}/raddb"

logdir

Data type: Stdlib::Absolutepath

freeradius log directory

Default value: '/var/log/freeradius'

testcerts

Data type: Boolean

Whether or not freeradius should generate test certs at installation time.

Default value: false

use_rsync

Data type: Boolean

If true, rsync is used to copy the configuration files into place. The other configuration manifests in this module only work with FreeRADIUS version 3 or later; on an earlier version you must copy the files this way. rsync does not remove any files, so a combination of rsync and manifests can be used.

Default value: false

package_ensure

Data type: String

String to pass to the freeradius package ensure attribute

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

manage_sites_enabled

Data type: Boolean

If true, only sites managed by Puppet are allowed in the sites-enabled directory and any other file found there is purged. Files that are rsync'd are not "managed" by Puppet. Use the freeradius::v3::site defined type or a file resource to create sites.

Default value: false

pki

Data type: Variant[Boolean,Enum['simp']]

Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })

fips

Data type: Boolean

Default value: simplib::lookup('simp_options::fips', {'default_value' => false })

app_pki_dir

Data type: Stdlib::Absolutepath

Default value: '/etc/pki/simp_apps/freeradius/x509'

app_pki_cert

Data type: Stdlib::Absolutepath

Default value: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub"

app_pki_key

Data type: Stdlib::Absolutepath

Default value: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem"

app_pki_ca

Data type: Stdlib::Absolutepath

Default value: "${app_pki_dir}/cacerts/cacerts.pem"

app_pki_ca_dir

Data type: Stdlib::Absolutepath

Default value: "${app_pki_dir}/cacerts"

app_pki_external_source

Data type: Stdlib::Absolutepath

Default value: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' })

freeradius::config

Either rsync the configuration content into place or create it from the other configuration manifests (see freeradius::use_rsync).

freeradius::config::rsync

remove any other files that exist in that directory

The defaults in this module use the freeradius share set up by the simp-simp module in the simp::server::rsync_shares manifest

Parameters

The following parameters are available in the freeradius::config::rsync class:

rsync_source

Data type: String

The source on the rsync server

Default value: "freeradius_${facts['environment']}_${facts['os']['name']}/"

rsync_server

Data type: Simplib::Host

The rsync server from which to pull the configuration when freeradius::use_rsync is true.

Default value: simplib::lookup('simp_options::rsync::server', { 'default_value' => '127.0.0.1'})

radius_rsync_user

Data type: String

Since the RADIUS configuration holds sensitive information (shared secrets and bind credentials), the rsync space should be protected accordingly. This is designed on the assumption that the internal simplib::passgen mechanism sets the password; you can optionally specify $radius_rsync_password instead.

Default value: "freeradius_systems_${facts['environment']}_${facts['os']['name'].downcase}"

radius_rsync_password

Data type: String

If no password is specified, simplib::passgen will be used

Default value: simplib::passgen($radius_rsync_user)

rsync_timeout

Data type: Integer

The rsync connection timeout used when freeradius::use_rsync is true.

Default value: simplib::lookup('simp_options::rsync::timeout', { 'default_value' => 2})

rsync_bwlimit

Data type: Optional[Integer]

rsync bandwidth limit

Default value: undef

freeradius::install

Install the freeradius server

freeradius::service

Configure the radiusd service

freeradius::v3::conf

Configure the radiusd.conf file.

If clients_conf_content is set, that content is written to clients.conf and the file is included from radiusd.conf. Otherwise clients.d/* is included and clients must be set up with the freeradius::v3::client defined type.

If trigger_conf_content is set, that content is written to trigger.conf and the file is included from radiusd.conf.

Freeradius Parameters

The following parameters are settings in the radiusd.conf file.

  • See also: radiusd.conf(5) for additional information.
  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

SIMP-Related Parameters

These parameters are effective in a larger SIMP installation

Custom Content Parameters

These parameters add custom content to various parts of the configuration.

Parameters

The following parameters are available in the freeradius::v3::conf class:

cleanup_delay

Data type: Integer[2,10]

Default value: 5

correct_escapes

Data type: Boolean

Default value: true

default_acct_listener

Data type: Boolean

Default value: true

hostname_lookups

Data type: Boolean

Default value: false

localstatedir

Data type: Stdlib::AbsolutePath

Default value: '/var'

max_request_time

Data type: Integer[2,120]

Default value: 30

max_requests

Data type: Integer[256]

Default value: 1024

radius_ports

Data type: Array[Simplib::Port]

The ports where freeradius will listen

Default value: [1812, 1813]

trusted_nets

Data type: Simplib::Netlist

Networks and/or hosts that are allowed to access the RADIUS server

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1']})

protocol

Data type: Enum['udp','tcp','ALL']

Which protocol the firewall rules for radius_ports are opened for: 'udp', 'tcp' or 'ALL' (both).

Default value: 'ALL'

clients_conf_content

Data type: Optional[String]

Content for the clients.conf file if not creating clients individually

Default value: undef

proxy_conf_content

Data type: Optional[String]

If $proxy_request is true, use this content for the proxy.conf file

Default value: undef

trigger_conf_content

Data type: Optional[String]

Content for the trigger.conf file.

Default value: undef

users_conf_content

Data type: Optional[String]

The content for the authorize (users) file.

Default value: undef

freeradius::v3::conf::instantiate

Add an 'instantiate' section to freeradius in a file under conf.d.

This section is included by the directive $INCLUDE conf.d/ in the radiusd.conf file.

  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

Parameters

The following parameters are available in the freeradius::v3::conf::instantiate class:

content

Data type: Optional[String]

The literal content of the section that you would like to add. Leading and trailing spaces will be removed.

Default value: undef

freeradius::v3::conf::log

Add a 'log' section to freeradius

  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

Parameters

The following parameters are available in the freeradius::v3::conf::log class:

destination

Data type: Freeradius::Logdest

Default value: 'syslog'

log_file

Data type: Stdlib::AbsolutePath

Default value: "${freeradius::logdir}/radius.log"

syslog_facility

Data type: Simplib::Syslog::Facility

Default value: 'local6'

stripped_names

Data type: Boolean

Default value: false

auth

Data type: Boolean

Default value: true

auth_badpass

Data type: Boolean

Default value: false

auth_goodpass

Data type: Boolean

Default value: false

msg_goodpass

Data type: Optional[String]

Default value: undef

msg_badpass

Data type: Optional[String]

Default value: undef

msg_denied

Data type: Optional[String]

Default value: undef

freeradius::v3::conf::security

Add a 'security' section to freeradius.

  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

Parameters

The following parameters are available in the freeradius::v3::conf::security class:

max_attributes

Data type: Integer

Default value: 200

reject_delay

Data type: Integer[1,5]

Default value: 1

status_server

Data type: Boolean

Default value: true

allow_core_dumps

Data type: Boolean

Default value: false

chroot

Data type: Boolean

Whether or not to run radiusd in a chroot.

Default value: false

chroot_path

Data type: Optional[Stdlib::Absolutepath]

Directory into which the server does "chroot".

Default value: undef

chroot_user

Data type: Optional[String]

User to run the daemon as; must be defined if using a chroot.

Default value: undef

chroot_group

Data type: Optional[String]

Group to run daemon as.

Default value: undef
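Worked Hiera data for a hardened server, added here as an example and not taken from the module: it sets the freeradius, freeradius::v3::conf, freeradius::v3::conf::security and freeradius::v3::conf::log parameters explicitly so the result does not depend on which simp_options keys the site defines. Class parameters go in Hiera, the SIMP convention, so a profile only needs `include freeradius`. The file name, the 10.0.0.0/8 network and the reject delay are assumptions for this example.

```yaml
# data/nodes/radius.example.com.yaml (assumed file name; example data, not shipped with the module)

# Main class: open the firewall to trusted_nets only, take certificates from the
# SIMP PKI, never generate the FreeRADIUS test certificates, and purge any site
# that is not declared in Puppet.
freeradius::firewall: true
freeradius::pki: simp
freeradius::testcerts: false
freeradius::manage_sites_enabled: true
freeradius::use_rsync: false

# radiusd.conf: standard ports, UDP only, admit only the assumed site network,
# and no reverse DNS lookup on every request.
freeradius::v3::conf::radius_ports:
  - 1812
  - 1813
freeradius::v3::conf::protocol: udp
freeradius::v3::conf::trusted_nets:
  - 10.0.0.0/8
freeradius::v3::conf::hostname_lookups: false
freeradius::v3::conf::max_request_time: 30

# security { }: delay Access-Reject to slow password guessing, keep core dumps
# off disk (they can contain secrets), answer Status-Server so monitoring works.
freeradius::v3::conf::security::reject_delay: 3
freeradius::v3::conf::security::allow_core_dumps: false
freeradius::v3::conf::security::status_server: true
freeradius::v3::conf::security::max_attributes: 200

# log { }: authentication events to syslog local6, but never the passwords.
freeradius::v3::conf::log::destination: syslog
freeradius::v3::conf::log::syslog_facility: local6
freeradius::v3::conf::log::auth: true
freeradius::v3::conf::log::auth_badpass: false
freeradius::v3::conf::log::auth_goodpass: false
```

auth_badpass and auth_goodpass write the submitted password into the log line; leave them false outside a short debugging session on a test host.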

freeradius::v3::conf::thread_pool

Add a 'thread pool' section to the freeradius configuration

  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

Parameters

The following parameters are available in the freeradius::v3::conf::thread_pool class:

start_servers

Data type: Integer

Default value: 5

max_servers

Data type: Integer

Default value: 32

min_spare_servers

Data type: Integer

Default value: 3

max_spare_servers

Data type: Integer

Default value: 10

max_requests_per_server

Data type: Integer

Default value: 0

max_queue_size

Data type: Optional[Integer]

Default value: undef

auto_limit_acct

Data type: Boolean

Default value: false

freeradius::v3::conf::users

Set up the freeradius users entries

freeradius::v3::modules::ldap

Set up the LDAP module configuration.

Parameters

The following parameters are available in the freeradius::v3::modules::ldap class:

base_dn

Data type: String

Default value: simplib::lookup('simp_options::ldap::base_dn')

app_pki_key

Data type: Stdlib::AbsolutePath

Path and name of the private SSL key file

Default value: $freeradius::app_pki_key

app_pki_cert

Data type: Stdlib::AbsolutePath

Path and name of the public SSL certificate

Default value: $freeradius::app_pki_cert

app_pki_ca_dir

Data type: Stdlib::AbsolutePath

Path to the CA.

Default value: $freeradius::app_pki_ca_dir

confdir

Data type: Stdlib::Absolutepath

Freeradius configuration directory

Default value: $freeradius::confdir

group

Data type: String

Group radiusd is running under.

Default value: $freeradius::group

base_filter

Data type: String

Default value: '(objectclass=radiusprofile)'

client_scope

Data type: Optional[Freeradius::Scope]

Default value: undef

client_filter

Data type: String

Default value: '(objectClass=frClient)'

client_attribute_identifier

Data type: String

Default value: 'radiusClientIdentifier'

client_attribute_secret

Data type: String

Default value: 'radiusClientSecret'

client_attribute_shortname

Data type: Optional[String]

Default value: undef

client_attribute_nas_type

Data type: Optional[String]

Default value: undef

client_attribute_virtual_server

Data type: Optional[String]

Default value: undef

client_attribute_require_message_authenticator

Data type: Optional[String]

Default value: undef

default_profile

Data type: Optional[String]

Default value: undef

group_scope

Data type: Optional[Freeradius::Scope]

Default value: undef

group_filter

Data type: String

Default value: '(objectClass=posixGroup)'

group_name_attribute

Data type: String

Default value: 'cn'

group_membership_filter

Data type: String

Default value: '(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))'

group_membership_attribute

Data type: String

If this does not contain a value then Group Membership Checking will not be enabled.

Default value: 'memberOf'

group_cacheable_name

Data type: Boolean

Default value: false

group_cacheable_dn

Data type: Boolean

Default value: false

identity

Data type: String

Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => "cn=hostAuth,ou=Hosts,%{lookup('simp_options::ldap::base_dn')}", 'value_type' => String })

ldap_connections_number

Data type: Integer[1]

Default value: 5

ldap_debug

Data type: Optional[String]

Default value: undef

ldap_timeout

Data type: Integer

Default value: 4

ldap_timelimit

Data type: Integer

Default value: 3

options_chase_referrals

Data type: Boolean

Default value: false

options_dereference

Data type: Freeradius::Deref

Default value: 'never'

options_idle

Data type: Integer

Default value: 60

options_interval

Data type: Integer

Default value: 3

options_net_timeout

Data type: Integer

Default value: 1

options_probes

Data type: Integer

Default value: 3

options_rebind

Data type: Boolean

Default value: false

password

Data type: String

Default value: simplib::lookup('simp_options::ldap::bind_pw')

pool_start

Data type: Integer[1]

Default value: 5

pool_min

Data type: Integer[1]

Default value: 4

pool_max

Data type: Integer[1]

Default value: 10

pool_spare

Data type: Integer[1]

Default value: 3

pool_uses

Data type: Integer[0]

Default value: 0

pool_lifetime

Data type: Integer[0]

Default value: 0

pool_idle_timeout

Data type: Integer[1]

Default value: 60

port

Data type: Simplib::Port

Default value: 389

profile_attribute

Data type: Optional[String]

Default value: undef

random_file

Data type: Stdlib::AbsolutePath

Default value: '/dev/urandom'

require_cert

Data type: String

Default value: 'demand'

retry_delay

Data type: Integer[1]

Default value: 30

start_tls

Data type: Boolean

Default value: true

user_filter

Data type: String

Default value: '(uid=%{%{Stripped-User-Name}:-%{User-Name}})'

user_access_attribute

Data type: Optional[String]

Default value: undef

user_access_positive

Data type: Boolean

Default value: true

user_scope

Data type: Optional[Freeradius::Scope]

Default value: undef

server

Data type: Array[Simplib::Uri]

Default value: simplib::lookup('simp_options::ldap::uri')

post_auth_content

Data type: Optional[String]

Override the contents of the post-auth section of the configuration

  • Do NOT include the post-auth header or beginning or end curly brace

Default value: undef

accounting_content

Data type: Optional[String]

Override the contents of the accounting section of the configuration

  • Do NOT include the accounting header or beginning or end curly brace

Default value: undef

content

Data type: Optional[String]

Specify the entire contents of the configuration file

  • All other options will be ignored

Default value: undef

freeradius::v3::sites::ldap

Set up the LDAP site, listening on the interface defined by listen_ip.

The default is to listen on all interfaces.

  • See also: /etc/raddb/sites-available/default for more information on sites.

Parameters

The following parameters are available in the freeradius::v3::sites::ldap class:

site_name

Data type: String

The name of the site

Default value: 'default'

enable

Data type: Boolean

Whether to enable the site or not

Default value: true

confdir

Data type: Stdlib::Absolutepath

Configuration directory for freeradius

Default value: $freeradius::confdir

include_listener

Data type: Boolean

If true, 'listen' sections are set up for the site. Otherwise listen_ip is ignored and you must set up a listener with the freeradius::v3::listener defined type.

Default value: true

group

Data type: String

Group radiusd runs under.

Default value: $freeradius::group

listen_ip

Data type: Simplib::Host

The IP address to listen on. See the ipaddr setting in sites-enabled/default.

Default value: 'ALL'

max_connections

Data type: Integer

Default value: 16

lifetime

Data type: Integer

Default value: 0

idle_timeout

Data type: Integer

Default value: 30

Defined types

freeradius::v3::client

Add a client to /etc/raddb/clients.d/

  • See also: clients.conf(5) for additional information.

Parameters

The following parameters are available in the freeradius::v3::client defined type:

secret

Data type: String

If you do not specify a secret, then one will be created for you using $name as the id.

Default value: simplib::passgen("freeradius_${name}")

ipaddr

Data type: Variant[Simplib::IP, Simplib::IP::CIDR]

The client address or network. If the value contains a ':' it is written as ipv6addr instead of ipaddr. This parameter has no default and must be set.

client_name

Data type: String

Default value: $name

coa_server

Data type: Optional[String]

Default value: undef

idle_timeout

Data type: Integer

Default value: 30

lifetime

Data type: Integer

Default value: 0

login

Data type: Optional[String]

Default value: undef

max_connections

Data type: Integer

Default value: 16

nas_type

Data type: Optional[Freeradius::Nas]

Default value: undef

password

Data type: Optional[String]

Default value: undef

proto

Data type: Optional[Enum['udp','tcp','*']]

Default value: undef

require_message_authenticator

Data type: Boolean

Default value: true

response_window

Data type: Optional[Float[0.0]]

Default value: undef

shortname

Data type: Optional[String]

Default value: undef

virtual_server

Data type: Optional[String]

Default value: undef
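Three client declarations, added here as an example and not part of the module, showing the address forms freeradius::v3::client accepts and where the shared secret comes from in each case. The resource names, addresses and the profile::radius::* Hiera keys are assumptions.

```puppet
# Added example, not part of the simp/freeradius module. Names, addresses and
# the Hiera keys are assumptions.

# A single NAS with an operator-supplied secret. The shared secret is the only
# thing authenticating the NAS to the server, so make it long and random and keep
# it in Hiera (eyaml or a SIMP-managed secret), never in the manifest.
freeradius::v3::client { 'wifi-controller':
  ipaddr                        => '10.0.5.10',
  secret                        => lookup('profile::radius::wifi_secret'),
  shortname                     => 'wlc1',
  nas_type                      => 'cisco',
  # Require the Message-Authenticator attribute on requests from this client,
  # which rejects Access-Requests from a spoofed source that does not know the secret.
  require_message_authenticator => true,
}

# A management subnet: every host in the CIDR may send requests with this secret,
# so keep the range as narrow as the NAS population allows.
freeradius::v3::client { 'mgmt-net':
  ipaddr => '192.0.2.0/24',
  secret => lookup('profile::radius::mgmt_secret'),
}

# An IPv6 client. The ':' in ipaddr makes the define emit ipv6addr instead of
# ipaddr. No secret is given, so the define generates one with
# simplib::passgen('freeradius_ipv6-switch') and stores it on the Puppet server;
# the same value must then be configured on the NAS.
freeradius::v3::client { 'ipv6-switch':
  ipaddr => '2001:db8::10',
  proto  => 'udp',
}
```

Each resource becomes its own file under clients.d/, so a client can be added or removed without rewriting the other entries.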

freeradius::v3::conf::user

Add a user entry to the users file managed by the freeradius::v3::conf::users class.

This defined type should not be used if freeradius::v3::conf::user_conf_source is set in Hiera: that setting copies into place what is expected to be a complete users file that you have defined.

  • See also: users(5) for additional details on user entries.

Examples

Adding the normal defaults for PPP

```puppet
freeradius::v3::conf::user { 'default_ppp':
  is_default => true,
  order      => 500,
  content    => '
    Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP',
}
```

Adding a disabled user

```puppet
freeradius::v3::conf::user { 'lameuser':
  order   => 1,
  content => '
    Auth-Type := Reject
    Reply-Message = "Your account has been disabled."',
}
```

Parameters

The following parameters are available in the freeradius::v3::conf::user defined type:

name

The name of the user. If $is_default is true, this is treated as a DEFAULT user entry and the name is used only for uniqueness; use something like 'default_ppp', 'default_slip', etc. for these entries.

content

Data type: String

The actual content of the entry per users(5). $name is used as the initial left-hand value unless $is_default is true. All other portions must be included, starting with the initial comparison or assignment.

  • Leading whitespace is ignored.

is_default

Data type: Boolean

Whether or not the entry is a DEFAULT user entry.

  • Generally you will want DEFAULT entries at the end of the file, but this is not strictly enforced; place them with $order. You have been warned!

Default value: false

order

Data type: Integer[1]

An ordering number for placing the entry in the file. Entries are sorted by this value; the default sort is alphabetic, so values of different widths (for example 5 and 100) may not sort as you expect. Give entries that must come last, such as DEFAULT entries, the highest value.

Default value: 100

confdir

Data type: Stdlib::Absolutepath

The configuration directory for radiusd.

Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )

freeradius::v3::listen

The following parameters are all configuration parameters.

  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

Parameters

The following parameters are available in the freeradius::v3::listen defined type:

target

Data type: Stdlib::Absolutepath

The concat target to add this section to

listen_type

Data type: Freeradius::Listen

order

Data type: Integer[1]

Indicates the order of this element among the concat fragments.

Default value: 100

idle_timeout

Data type: Optional[Integer]

Default value: undef

interface

Data type: Optional[String]

Default value: undef

ipaddr

Data type: Simplib::Host

Be careful not to use the same IP address on more than one listener

Default value: 'ALL'

lifetime

Data type: Optional[Integer]

Default value: undef

max_connections

Data type: Optional[Integer]

Default value: undef

max_pps

Data type: Optional[Integer]

Default value: undef

per_socket_clients

Data type: Optional[String]

Default value: undef

port

Data type: Optional[Simplib::Port]

Default value: undef

freeradius::v3::listener

The following parameters are all configuration parameters.

  • See also: for detailed information on the parameters, extract the original /etc/raddb/radiusd.conf from the freeradius RPM using rpm2cpio <freeradius rpm> | cpio -idmv

Parameters

The following parameters are available in the freeradius::v3::listener defined type:

listen_type

Data type: Freeradius::Listen

order

Data type: Integer[1]

Indicates the order of this element among the concat fragments.

Default value: 100

confdir

Data type: Stdlib::Absolutepath

Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )

group

Data type: String

Default value: simplib::lookup( 'freeradius::group', {'default_value' => 'radiusd'} )

idle_timeout

Data type: Optional[Integer]

Default value: undef

interface

Data type: Optional[String]

Default value: undef

ipaddr

Data type: Simplib::Host

Be careful not to use the same ip address in more than one listener

Default value: 'ALL'

lifetime

Data type: Optional[Integer]

Default value: undef

max_connections

Data type: Optional[Integer]

Default value: undef

max_pps

Data type: Optional[Integer]

Default value: undef

per_socket_clients

Data type: Optional[String]

Default value: undef

port

Data type: Optional[Simplib::Port]

Default value: undef
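A worked manifest, added here as an example and not part of the module, that ties together freeradius::v3::modules::ldap, freeradius::v3::sites::ldap and freeradius::v3::listener: the site is declared without its own listener and two explicit listeners bind auth and acct to one inside address instead of every interface. The hostnames, DNs, addresses and the profile::radius::ldap_bind_pw Hiera key are assumptions; the classes are declared resource-like here on the assumption that this profile is the only place they are declared (in a SIMP site the same values can be given as class parameters in Hiera).

```puppet
# Added example, not part of the simp/freeradius module. Hostnames, DNs,
# addresses and the Hiera key are assumptions.

# Back end: rlm_ldap over StartTLS. require_cert 'demand' makes the bind fail if
# the directory's certificate does not chain to $freeradius::app_pki_ca_dir, so
# a spoofed LDAP server cannot harvest the bind credentials or approve logins.
class { 'freeradius::v3::modules::ldap':
  server                => ['ldap://ldap.example.com'],
  base_dn               => 'dc=example,dc=com',
  identity              => 'cn=hostAuth,ou=Hosts,dc=example,dc=com',
  password              => lookup('profile::radius::ldap_bind_pw'),
  start_tls             => true,
  require_cert          => 'demand',
  # Only users carrying this attribute may authenticate; everyone else is
  # rejected even with a valid password.
  user_access_attribute => 'dialupAccess',
  user_access_positive  => true,
}

# The site. include_listener => false leaves listener creation to the explicit
# resources below, so radiusd is not bound to every interface (listen_ip 'ALL').
class { 'freeradius::v3::sites::ldap':
  site_name        => 'default',
  enable           => true,
  include_listener => false,
  max_connections  => 16,
  idle_timeout     => 30,
}

# One listener per socket. Auth and acct may share an address because they bind
# different ports; two listeners of the same type on the same address and port
# cannot both bind and the server will not start.
freeradius::v3::listener { 'auth-inside':
  listen_type => 'auth',
  ipaddr      => '10.0.5.1',
  port        => 1812,
  order       => 10,
}

freeradius::v3::listener { 'acct-inside':
  listen_type => 'acct',
  ipaddr      => '10.0.5.1',
  port        => 1813,
  order       => 20,
}
```

With the firewall parameter of the main class set, only the ports in freeradius::v3::conf::radius_ports are opened, so the listener ports above should match that list.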

freeradius::v3::module

Create a module definition in the mods-available directory and, if it is enabled, link it into the mods-enabled directory.

If neither content nor source is defined and the module is enabled, only the link is created.

  • See also: the files in mods-available for further documentation on modules.

Parameters

The following parameters are available in the freeradius::v3::module defined type:

enabled

Data type: Boolean

If true, a link is created in mods-enabled to enable the module.

Default value: false

content

Data type: Optional[String]

The actual content of the module. Only one of content or source can be used.

Default value: undef

source

Data type: Optional[String]

The source file of the module definition. Only one of content or source can be used.

Default value: undef

confdir

Data type: Stdlib::Absolutepath

The configuration directory

Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )

group

Data type: String

The group radiusd will run under

Default value: simplib::lookup( 'freeradius::group', {'default_value' => 'radiusd'} )

freeradius::v3::site

Create a site definition in the sites-available directory and, if it is enabled, link it into the sites-enabled directory.

Note: if freeradius::manage_sites_enabled is true, any site not defined in Puppet is purged.

If neither content nor source is defined and the site is enabled, only the link is created.

  • See also: the site definitions in sites-available for further documentation on sites.

Parameters

The following parameters are available in the freeradius::v3::site defined type:

enabled

Data type: Boolean

If true a link will be created in sites-enabled to enable the site.

Default value: false

content

Data type: Optional[String]

The actual content of the site definition. Only one of content or source can be used.

Default value: undef

source

Data type: Optional[String]

The source file of the site definition. Only one of content or source can be used.

Default value: undef

confdir

Data type: Stdlib::Absolutepath

The configuration directory

Default value: simplib::lookup( 'freeradius::confdir', {'default_value' => '/etc/raddb'} )

group

Data type: String

The group radiusd will run under

Default value: simplib::lookup( 'freeradius::group', {'default_value' => 'radiusd'} )
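The three ways freeradius::v3::module and freeradius::v3::site can be used (link only, content, source), as an added example that is not part of the module. The profile module, its file path and the linelog format are assumptions; 'eap' and 'inner-tunnel' are names shipped in the FreeRADIUS 3 package's mods-available and sites-available directories.

```puppet
# Added example, not part of the simp/freeradius module. The 'profile' module
# and its files are assumptions.

# 'eap' ships in mods-available with the FreeRADIUS 3 package; with neither
# content nor source the define only creates the mods-enabled symlink.
freeradius::v3::module { 'eap':
  enabled => true,
}

# A module written from Puppet: a linelog that records who authenticated and the
# result, but no password attribute. @(EOT) does not interpolate, so ${logdir}
# reaches radiusd unchanged and is expanded there.
freeradius::v3::module { 'linelog':
  enabled => true,
  content => @(EOT),
    linelog {
      filename = ${logdir}/linelog
      format = "%t %{User-Name} %{reply:Packet-Type}"
    }
    | EOT
}

# Sites. When freeradius::manage_sites_enabled is true, anything in sites-enabled
# that is not declared in Puppet is purged, so the packaged sites you rely on must
# be listed too (if you declare freeradius::v3::sites::ldap, its site_name
# defaults to 'default', so do not declare that name twice).
freeradius::v3::site { 'inner-tunnel':
  enabled => true,
}

freeradius::v3::site { 'vpn':
  enabled => true,
  source  => 'puppet:///modules/profile/radius/sites/vpn',
}
```

Review the purge behaviour on a test host before turning on manage_sites_enabled: a forgotten packaged site disappears silently on the next Puppet run.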

Data types

Freeradius::Deref

Control under which situations aliases are followed

Alias of Enum['never', 'searching', 'finding', 'always']

Freeradius::Listen

Types of packets to listen for

Alias of Enum['auth', 'acct', 'proxy', 'detail', 'status', 'coa']

Freeradius::Logdest

Destination for log messages

Alias of Enum['files', 'syslog', 'stdout', 'stderr']

Freeradius::Nas

NAS-specific method to use when checking for simultaneous use

Alias of Enum['cisco', 'computone', 'livingston', 'max40xx', 'multitech', 'netserver', 'pathras', 'patton', 'portslave', 'tc', 'usrhiper', 'other']

Freeradius::Scope

LDAP search scope

Alias of Enum['base', 'one', 'sub', 'children']