From b016f668708100169cd2b23f1f05be62b1ae823c Mon Sep 17 00:00:00 2001
From: Adam Henry Lewenberg <adamhl@stanford.edu>
Date: Mon, 14 Sep 2015 13:00:57 -0700
Subject: [PATCH] kerberos: add parameters for TCP preference and kerberos environments

Add two new parameters. The first is to add a line to the krb5.conf file indicating that we prefer TCP. The other is a parameter stating which kerberos environment we want: prod, test, or uat.
---
 manifests/kerberos.pp | 45 +++++++++++++++++++++++++++++---
 templates/kerberos/krb5.conf.erb | 31 ++++++++++++++++++++--
 2 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/manifests/kerberos.pp b/manifests/kerberos.pp
index 44dd729..c41dfa0 100644
--- a/manifests/kerberos.pp
+++ b/manifests/kerberos.pp
@@ -1,7 +1,42 @@
-# Set up basic Kerberos configuration and allow logins via Kerberos rlogin and
+,# Set up basic Kerberos configuration and allow logins via Kerberos rlogin and
 # company.
+#
+# **********************************************************************
+# NOTE: If you wish to override the file /etc/krb.conf in your own class,
+# and you are using the "source" parameter, be sure to undefine the
+# "content" parameter or you will get an error. Example:
+#
+# class s_myclass {
+# include base::kerberos
+#
+# File['/etc/krb5.conf'] {
+# source => 'puppet:///modules/s_accounts/etc/krb5.conf',
+# content => undef,
+# }
+# }
+# **********************************************************************
+#
+#
+# $krb_env: Which kerberos environment to use. Must be one of:
+# 'prod', 'uat', or 'test'.
+# Default: 'prod'
+#
+# $prefer_tcp: Normal kerberos traffic uses UDP, but some applications
+# (lookin' at you Java!) work better with TCP. Set this parameter to
+# "true" to force the client to prefer TCP to UDP.
+# Default: false
+
+class base::kerberos(
+ $prefer_tcp = false,
+ $krb_env = 'prod',
+){
+
+ # We only allow the 'prod', 'uat', and 'test' environments.
+ case $krb_env {
+ 'prod', 'uat', 'test': {}
+ default: { fail("unrecognized kerberos environment '${krb_env}'") }
+ }
 
-class base::kerberos {
 case $::osfamily {
 'RedHat': {
 package { 'krb5-workstation': ensure => present }
@@ -12,7 +47,7 @@ class base::kerberos { # parameterized class that says what type of Kerberos to install. } default: { - err("unsupported OS $::operatingsystem") + fail("unsupported OS ${::operatingsystem}") } } @@ -20,7 +55,9 @@ class base::kerberos { if ( ip_in_cidr($::ipaddress, '204.63.224.0/21') or ip_in_cidr($::ipaddress, '172.20.224.0/21') ) { - $drSite = 'yes' + $drSite = true + } else { + $drSite = false } # Basic Kerberos configuration.
diff --git a/templates/kerberos/krb5.conf.erb b/templates/kerberos/krb5.conf.erb
index 12513f2..b3781fc 100644
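Review bot: `$prefer_tcp` is the one new parameter without a check: the added `case` validates `$krb_env`, but a string such as `'false'` (e.g. from Hiera, or a caller following the doc's quoted "true") is truthy when krb5.conf.erb evaluates `<% if (@prefer_tcp) then -%>`, silently emitting `udp_preference_limit = 1`. Add a guard beside the case — `validate_bool($prefer_tcp)` if puppetlabs-stdlib is in use here, otherwise a `case $prefer_tcp { true, false: {} default: { fail("prefer_tcp must be a boolean, got '${prefer_tcp}'") } }` mirroring the `$krb_env` check. The NOTE header names `/etc/krb.conf` while the example and the managed resource use `/etc/krb5.conf`; make it `# NOTE: If you wish to override the file /etc/krb5.conf in your own class,`. The leading `,` in `+,# Set up basic ...` looks like a rendering artifact, but if it is really in the file it is a parse error on the manifest's first line. The class body opened here continues past the end of the hunk.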
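Review bot: `$drSite` now holds a real boolean, but nothing in the manifest says what a DR-site node is (presumably "disaster recovery") or why the two hard-coded ranges `204.63.224.0/21` and `172.20.224.0/21` identify one; a comment above the `if`, e.g. `# $drSite: true for nodes in the DR subnets; krb5.conf.erb then lists the kerberos-liv KDC first`, would spare the next reader a trip to the template. Since both branches now assign only literals, the whole statement collapses to `$drSite = ip_in_cidr($::ipaddress, '204.63.224.0/21') or ip_in_cidr($::ipaddress, '172.20.224.0/21')`, provided `ip_in_cidr` returns a boolean. The `if` itself opens in the hunk's context lines, so its condition is unchanged by this commit.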
--- a/templates/kerberos/krb5.conf.erb
+++ b/templates/kerberos/krb5.conf.erb
@@ -50,16 +50,43 @@ forwardable = true
 noaddresses = true
 allow_weak_crypto = true
+<% if (@prefer_tcp) then -%>
+ udp_preference_limit = 1
+<% end -%>
 [realms]
 stanford.edu = {
-<% if @drSite == "yes" %>
 kdc = kerberos-liv.stanford.edu:88
-<% end %>
 kdc = krb5auth1.stanford.edu:88
+<%
+if (@krb_env == 'uat') then
+-%>
+ kdc = kerberos-uat.stanford.edu:88
+ master_kdc = kerberos-uat.stanford.edu:88
+ admin_server = kerberos-uat.stanford.edu
+ kpasswd_server = kerberos-uat.stanford.edu
+<%
+elsif (@krb_env == 'test') then
+-%>
+ kdc = kerberos-test.stanford.edu:88
+ master_kdc = kerberos-test.stanford.edu:88
+ admin_server = kerberos-test.stanford.edu
+ kpasswd_server = kerberos-test.stanford.edu
+<%
+else
+ if (@drSite) then
+-%>
+ kdc = kerberos-liv.stanford.edu:88
+<%
+ end
+-%>
+ kdc = krb5auth1.stanford.edu:88
 kdc = krb5auth2.stanford.edu:88
 kdc = krb5auth3.stanford.edu:88
 master_kdc = krb5auth1.stanford.edu:88
 admin_server = krb5-admin.stanford.edu
 kpasswd_server = krb5-admin.stanford.edu
+<%
+end
+-%>
 default_domain = stanford.edu
 kadmind_port = 749
 }
-- 
GitLab
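Review bot: As the hunk reads, the context lines `kdc = kerberos-liv.stanford.edu:88` (formerly guarded by `<% if @drSite == "yes" %>`) and `kdc = krb5auth1.stanford.edu:88` survive unconditionally between `stanford.edu = {` and the new `<% if (@krb_env == 'uat') then -%>`, so every environment still lists the production KDCs first, prod lists `kerberos-liv` regardless of `@drSite` and `krb5auth1` twice, and uat/test clients will try the production KDCs before their own. The hunk's line counts (-50,16 +50,43) only add up with those two lines present, so unless the collapsed rendering has misplaced them, delete both so that only the branches inside the new `if`/`elsif`/`else` emit KDC entries. As a point of style, the `@prefer_tcp` block uses the one-line `<% if (@prefer_tcp) then -%>` form while each `@krb_env` branch spreads its tag over three lines with a redundant Ruby `then`; `<% if @krb_env == 'uat' -%>`, `<% elsif @krb_env == 'test' -%>` and `<% else -%>` keep the template consistent and readable.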