add kerberos rdns option

6ff95828 · Adam Lewenberg · 69c28d0d · 6ff95828 · 6ff95828 · 6ff95828
Commit 6ff95828 authored 8 years ago by Adam Lewenberg
--- a/NEWS
+++ b/NEWS
+release/005.005 (unreleased)
+
+    [kerberos] Add the option rdns_enabled so that Kerberos can be
+    configured not to require clients to do a reverse DNS lookup on the
+    hostname of a service principal. The default is set to true, so
+    unless specifically overridden to false Kerberos
+    clients will behave as they always have. [adamhl]
+
 release/005.004 (2017-01-09)

    [os] Change the exec resource in the 'aptitude' staged

--- a/manifests/kerberos.pp
+++ b/manifests/kerberos.pp
@@ -25,10 +25,17 @@
 #   (lookin' at you Java!) work better with TCP. Set this parameter to
 #   "true" to force the client to prefer TCP to UDP.
 #   Default: false
-
+#
+# $rdns_enabled: if 'true' have the Kerberos client do a reverse DNS
+# lookup on the hostname when connecting to a server. This should be set
+# to 'false' if you want the client to be able to connect to services where
+# the service name's IP address PTR record may not match the hostname
+# (e.g., for services running in Amazon Web Services).
+#   Default: true
 class base::kerberos(
-  $prefer_tcp = false,
-  $krb_env    = 'prod',
+  $prefer_tcp   = false,
+  $krb_env      = 'prod',
+  $rdns_enabled = true,
 ){

  # We only allow the 'prod', 'uat', and 'test' environments.

--- a/templates/kerberos/krb5.conf.erb
+++ b/templates/kerberos/krb5.conf.erb
@@ -50,6 +50,11 @@
    forwardable           = true
    noaddresses           = true
    allow_weak_crypto     = true
+<%- if (@rdns_enabled) then -%>
+    rdns                  = true
+<%- else -%>
+    rdns                  = false
+<%- end -%>
 <% if (@prefer_tcp) then -%>
    udp_preference_limit  = 1
 <% end -%>