Make FreeRADIUS 3.0.21 the target version for config

README.md

@@ -46,7 +46,7 @@
 
 This module installs and configures [FreeRADIUS](http://freeradius.org/) server
 on Linux. It supports FreeRADIUS 3.x only. It was designed with CentOS in mind
-but should work on other distributions. 
+but should work on other distributions.
 
 This module requires Puppet 4.0.0 or greater. Puppet 3.x was
 [discontinued](https://puppet.com/misc/puppet-enterprise-lifecycle) at
@@ -444,7 +444,7 @@ be "acct", or they all have to be "auth+acct".
 The type of this pool controls how home servers are chosen.
 
 * `fail-over` the request is sent to the first live home server in the list.  i.e. If the first home server is marked "dead", the second one is chosen, etc.
-* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network. 
+* `load-balance` the least busy home server is chosen For non-EAP auth methods, and for acct packets, we recommend using "load-balance". It will ensure the highest availability for your network.
 * `client-balance` the home server is chosen by hashing the source IP address of the packet. This configuration is most useful to do simple load balancing for EAP sessions
 * `client-port-balance` the home server is chosen by hashing the source IP address and source port of the packet.
 * `keyed-balance` the home server is chosen by hashing (FNV) the contents of the Load-Balance-Key attribute from the control items.
@@ -634,9 +634,11 @@ With `chase_referrals` control whether the server follows references returned by
 
 ##### `use_referral_credentials`
 On rebind, use the credentials from the rebind url instead of admin credentials. Default: `no`.
+This parameter should only be set when using FreeRADIUS 3.1.x.
 
 ##### `session_tracking`
 If `yes`, then include draft-wahl-ldap-session tracking controls. Default: `undef`.
+This parameter should only be set when using FreeRADIUS 3.1.x.
 
 ##### `uses`
 How many times the connection can be used before being re-established. This is useful for things
@@ -653,6 +655,7 @@ Idle timeout (in seconds). A connection which is unused for this length of time
 
 ##### `connect_timeout`
 Connection timeout (in seconds). The maximum amount of time to wait for a new connection to be established. Default: `3.0`.
+This parameter should only be set when using FreeRADIUS 3.1.x.
 
 ##### `idle`
 Sets the idle time before keepalive probes are sent. Default `60`
@@ -1415,7 +1418,7 @@ Default: `radius`. Name of the database. Normally you should leave this alone. I
 
 ##### `num_sql_socks`
 
-Default: same as `max_servers`. Number of sql connections to make to the database server. 
+Default: same as `max_servers`. Number of sql connections to make to the database server.
 Setting this to LESS than the number of threads means that some threads may starve, and
 you will see errors like "No connections available and at max connection limit". Setting
 this to MORE than the number of threads means that there are more connections than necessary.
@@ -1536,6 +1539,7 @@ be closed. Default: 60.
 
 Connection timeout (in seconds). The maximum amount of time to wait for a new
 connection to be established. Default: '3.0'.
+This parameter should only be set when using FreeRADIUS 3.1.x.
 
 #### `freeradius::statusclient`
 

manifests/init.pp

@@ -28,6 +28,16 @@
     notify { 'This module is only compatible with FreeRADIUS 3.': }
   }
 
+  # Guess if we are running FreeRADIUS 3.1.x
+  if (
+    ($package_ensure =~ /^3\.1\./) or
+    ($facts['freeradius_version'] and $facts['freeradius_version'] =~ /^3\.1\./)
+  ) {
+    $fr_3_1 = true
+  } else {
+    $fr_3_1 = false
+  }
+
   validate_re($log_destination, '^(files|syslog|stdout|stderr)$',
     "log_destination value (${log_destination}) is not a valid value")
 

manifests/module/ldap.pp

@@ -38,7 +38,7 @@
   Optional[Enum['never','searching','finding','always']] $dereference = undef,
   Freeradius::Boolean $chase_referrals                                = 'yes',
   Freeradius::Boolean $rebind                                         = 'yes',
-  Freeradius::Boolean $use_referral_credentials                       = 'no',
+  Optional[Freeradius::Boolean] $use_referral_credentials             = undef,
   Optional[Freeradius::Boolean] $session_tracking                     = undef,
   Integer $timeout                                                    = 10,
   Integer $timelimit                                                  = 3,
@@ -61,7 +61,7 @@
   Integer $retry_delay                                                = 30,
   Integer $lifetime                                                   = 0,
   Integer $idle_timeout                                               = 60,
-  Float $connect_timeout                                              = 3.0,
+  Optional[Float] $connect_timeout                                    = undef,
 ) {
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service
@@ -79,6 +79,79 @@
     default   => $server,
   }
 
+  # Warn if the user tries to set a FreeRADIUS 3.1.x specific parameter, and
+  # we detect that they are not on (or not installing) a FreeRADIUS 3.1.x
+  # then show them some errors
+  # Additionally, if we are on FreeRADIUS 3.1.x then allow defaults for some
+  # parameters, otherwise leave them set as specified when this define
+  # is called.
+  if $::freeradius::fr_3_1 {
+    if $connect_timeout != undef {
+      warning(@("WARN"/L)
+        The `connect_timeout` parameter requires FreeRADIUS 3.1.x, i.e. the \
+        experimental branch. You are running `${facts['freeradius_version']}`. \
+        In the future, attempting to set it on this version may fail.
+        |-WARN
+      )
+    }
+
+    if $session_tracking != undef {
+      warning(@("WARN"/L)
+        The `session_tracking` parameter requires FreeRADIUS 3.1.x, i.e. the \
+        experimental branch. You are running `${facts['freeradius_version']}`. \
+        In the future, attempting to set it on this version may fail.
+        |-WARN
+      )
+    }
+
+    if $use_referral_credentials != undef {
+      warning(@("WARN"/L)
+        The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x, \
+        i.e. the experimental branch. You are running \
+        `${facts['freeradius_version']}`. In the future, attempting to set \
+        it on this version may fail.
+        |-WARN
+      )
+    }
+
+    $resolved_connect_timeout = $connect_timeout ? {
+      undef   => 3.0,
+      default => $connect_timeout,
+    }
+
+    $resolved_session_tracking = $session_tracking
+
+    $resolved_use_referral_credentials = $use_referral_credentials ? {
+      undef   => 'no',
+      default => $use_referral_credentials,
+    }
+  } else {
+    if $connect_timeout != undef {
+      fail(@("FAIL"/L)
+        The `connect_timeout` parameter requires FreeRADIUS 3.1.x, i.e. the \
+        experimental branch. You are running `${facts['freeradius_version']}`.
+        |-FAIL
+      )
+    }
+
+    if $session_tracking != undef {
+      fail(@("FAIL"/L)
+        The `session_tracking` parameter requires FreeRADIUS 3.1.x, i.e. the \
+        experimental branch. You are running `${facts['freeradius_version']}`.
+        |-FAIL
+      )
+    }
+
+    if $use_referral_credentials != undef {
+      fail(@("FAIL"/L)
+        The `use_referral_credentials` parameter requires FreeRADIUS 3.1.x, \
+        i.e. the experimental branch. You are running \
+        `${facts['freeradius_version']}`.
+        |-FAIL
+      )
+    }
+  }
+
   # Generate a module config, based on ldap.conf
   file { "${fr_basepath}/mods-available/${name}":
     ensure  => $ensure,

manifests/sql.pp

@@ -31,7 +31,7 @@
   Optional[Integer] $pool_min                    = 1,
   Optional[Integer] $pool_spare                  = 1,
   Optional[Integer] $pool_idle_timeout           = 60,
-  Optional[Float] $pool_connect_timeout          = 3.0,
+  Optional[Float] $pool_connect_timeout          = undef,
 ) {
   $fr_package          = $::freeradius::params::fr_package
   $fr_service          = $::freeradius::params::fr_service
@@ -52,6 +52,40 @@
     fail('$num_sql_socks must be an integer')
   }
 
+  # Warn if the user tries to set a FreeRADIUS 3.1.x specific parameter, and
+  # we detect that they are not on (or not installing) a FreeRADIUS 3.1.x
+  # then show them some errors
+  # Additionally, if we are on FreeRADIUS 3.1.x then allow defaults for some
+  # parameters, otherwise leave them set as specified when this define
+  # is called.
+  if $::freeradius::fr_3_1 {
+    if $pool_connect_timeout != undef {
+      warning(@("WARN"/L)
+        The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x, \
+        i.e. the experimental branch. You are running \
+        `${facts['freeradius_version']}`. In the future, attempting to set \
+        it on this version may fail.
+        |-WARN
+      )
+    }
+
+    $resolved_pool_connect_timeout = $pool_connect_timeout ? {
+      undef   => 3.0,
+      default => $pool_connect_timeout,
+    }
+
+  } else {
+    if $pool_connect_timeout != undef {
+      fail(@("FAIL"/L)
+        The `pool_connect_timeout` parameter requires FreeRADIUS 3.1.x, \
+        i.e. the experimental branch. You are running \
+        `${facts['freeradius_version']}`.
+        |-FAIL
+      )
+    }
+  }
+
+
   # Determine default location of query file
   $queryfile = "${fr_basepath}/sql/queries.conf"
 

spec/defines/krb5_spec.rb

@@ -14,7 +14,8 @@
 
   it do
     is_expected.to contain_file('/etc/raddb/mods-available/test')
-      .with_content(%r{^krb5 test \{\n\s+keytab = test_keytab\n\s+service_principal = test_principal\n})
+      .with_content(%r{^\s+keytab = test_keytab$})
+      .with_content(%r{^\s+service_principal = test_principal$})
       .with_ensure('present')
       .with_group('radiusd')
       .with_mode('0640')