Commit b016f668 authored by Adam Lewenberg's avatar Adam Lewenberg

kerberos: add parameters for TCP preference and kerberos environments

Add two new parameters. The first adds a line to the krb5.conf file
indicating that we prefer TCP. The other states which kerberos
environment we want: prod, test, or uat.
parent 5d9b73fa
# Set up basic Kerberos configuration and allow logins via Kerberos rlogin and
,# Set up basic Kerberos configuration and allow logins via Kerberos rlogin and
# company.
#
# **********************************************************************
# NOTE: If you wish to override the file /etc/krb.conf in your own class,
# and you are using the "source" parameter, be sure to undefine the
# "content" parameter or you will get an error. Example:
#
# class s_myclass {
# include base::kerberos
#
# File['/etc/krb5.conf'] {
# source => 'puppet:///modules/s_accounts/etc/krb5.conf',
# content => undef,
# }
# }
# **********************************************************************
#
#
# $krb_env: Which kerberos environment to use. Must be one of:
# 'prod', 'uat', or 'test'.
# Default: 'prod'
#
# $prefer_tcp: Normal kerberos traffic uses UDP, but some applications
# (lookin' at you Java!) work better with TCP. Set this parameter to
# "true" to force the client to prefer TCP to UDP.
# Default: false
class base::kerberos(
$prefer_tcp = false,
$krb_env = 'prod',
){
# We only allow the 'prod', 'uat', and 'test' environments.
case $krb_env {
'prod', 'uat', 'test': {}
default: { fail("unrecognized kerberos environment '${krb_env}'") }
}
class base::kerberos {
case $::osfamily {
'RedHat': {
package { 'krb5-workstation': ensure => present }
......@@ -12,7 +47,7 @@ class base::kerberos {
# parameterized class that says what type of Kerberos to install.
}
default: {
err("unsupported OS $::operatingsystem")
fail("unsupported OS ${::operatingsystem}")
}
}
......@@ -20,7 +55,9 @@ class base::kerberos {
if ( ip_in_cidr($::ipaddress, '204.63.224.0/21')
or ip_in_cidr($::ipaddress, '172.20.224.0/21')
) {
$drSite = 'yes'
$drSite = true
} else {
$drSite = false
}
# Basic Kerberos configuration.
......
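Review bot: `$prefer_tcp = false` is documented in the file header as something to set to `"true"`, but nothing checks that the value passed is a boolean, and in Puppet a string such as `'false'` is truthy and would flip the template to TCP; add a check beside the `$krb_env` case of the same shape, e.g. `case $prefer_tcp { true, false: {} default: { fail("prefer_tcp must be a boolean, got '${prefer_tcp}'") } }` (or `validate_bool($prefer_tcp)` if puppetlabs-stdlib is available in this module tree). The header comment should then say `Set this parameter to the boolean true` rather than the quoted string. The `$krb_env` case is also worth a comment noting that the template falls back to the production KDCs for any value it does not recognise, so this check is what stands between a typo in hiera and a silent prod fallback. The class body continues past the end of this section.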
......@@ -50,16 +50,43 @@
forwardable = true
noaddresses = true
allow_weak_crypto = true
<% if (@prefer_tcp) then -%>
udp_preference_limit = 1
<% end -%>
[realms]
stanford.edu = {
<% if @drSite == "yes" %> kdc = kerberos-liv.stanford.edu:88
<% end %> kdc = krb5auth1.stanford.edu:88
<%
if (@krb_env == 'uat') then
-%>
kdc = kerberos-uat.stanford.edu:88
master_kdc = kerberos-uat.stanford.edu:88
admin_server = kerberos-uat.stanford.edu
kpasswd_server = kerberos-uat.stanford.edu
<%
elsif (@krb_env == 'test') then
-%>
kdc = kerberos-test.stanford.edu:88
master_kdc = kerberos-test.stanford.edu:88
admin_server = kerberos-test.stanford.edu
kpasswd_server = kerberos-test.stanford.edu
<%
else
if (@drSite) then
-%>
kdc = kerberos-liv.stanford.edu:88
<%
end
-%>
kdc = krb5auth1.stanford.edu:88
kdc = krb5auth2.stanford.edu:88
kdc = krb5auth3.stanford.edu:88
master_kdc = krb5auth1.stanford.edu:88
admin_server = krb5-admin.stanford.edu
kpasswd_server = krb5-admin.stanford.edu
<%
end
-%>
default_domain = stanford.edu
kadmind_port = 749
}
......
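Review bot: The `else` branch at `<% else` is reached for any `@krb_env` other than `'uat'` or `'test'`, so an unexpected value silently produces the production KDC set; this is only safe because base::kerberos rejects other values, and that dependency deserves a comment such as `<%# anything other than 'uat'/'test' is production; base::kerberos validates @krb_env -%>` just before the branch. Likewise `<% if (@prefer_tcp) then -%>` emits `udp_preference_limit = 1` for any truthy value, including a string `'false'` should one reach the template, so the manifest-side type check matters here too. It also looks like the DR-site KDC (`kerberos-liv`) is only added in the production branch; if that is intentional for uat/test, a one-line comment there would save the next reader from wondering. The `then` on the ERB `if`/`elsif` lines is unnecessary in Ruby and can be dropped.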