From 246816f417f6d2740f1a6ed248825e9e1dea5891 Mon Sep 17 00:00:00 2001
From: Ossi Salmi
Date: Thu, 13 Jun 2013 12:28:38 +0300
Subject: [PATCH] ntpd: Added option to disable strict ACLs for isc-ntpd

---
 ntpd/manifests/init.pp | 9 +++++++++
 ntpd/templates/ntp.conf.erb | 13 +++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/ntpd/manifests/init.pp b/ntpd/manifests/init.pp
index 8aeee0a..a3a89d6 100644
--- a/ntpd/manifests/init.pp
+++ b/ntpd/manifests/init.pp
@@ -6,6 +6,11 @@
 # Array of NTP servers using [] will disable external servers.
 # Defaults to pool.ntp.org.
 #
+# $ntp_strict:
+# When set to "false", permit time synchronization by default. Required
+# for pool.ntp.org or similar server names which have multiple addresses.
+# Defaults to "true".
+#
 # $ntp_client_networks:
 # Array of networks that are allowed to query this server in format
 # [ "192.168.1.0/255.255.255.0", "192.168.2.0/255.255.255.0", ] or
@@ -17,6 +22,10 @@ class ntpd {
 $ntp_server = ["pool.ntp.org"]
 }
 
+ if !$ntp_strict {
+ $ntp_strict = "true"
+ }
+
 case $::operatingsystem {
 "fedora": {
 case $::operatingsystemrelease {
diff --git a/ntpd/templates/ntp.conf.erb b/ntpd/templates/ntp.conf.erb
index 0be9cbf..b4d2fec 100644
--- a/ntpd/templates/ntp.conf.erb
+++ b/ntpd/templates/ntp.conf.erb
@@ -3,13 +3,20 @@
 tinker panic 0
 <% end -%>
 
+<% if @ntp_strict == "true" -%>
 # By default deny everything.
 restrict -4 default ignore
 restrict -6 default ignore
+<% else -%>
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict -4 default nomodify notrap nopeer noquery
+restrict -6 default nomodify notrap nopeer noquery
+<% end -%>
 
 # Local users may interrogate the ntp server more closely.
-restrict 127.0.0.1
-restrict ::1
+restrict 127.0.0.1 nomodify
+restrict ::1 nomodify
 
 # Drift file.
 driftfile /var/lib/ntp/ntp.drift
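Review bot: The default for `$ntp_strict` in the second init.pp hunk is applied by truthiness (`if !$ntp_strict`), while both ntp.conf.erb hunks test string equality (`@ntp_strict == "true"`), so the two sides disagree on the type of the value. If a caller passes the boolean `true` rather than the string, it presumably survives the manifest check unchanged yet fails the template comparison, which selects the permissive `else` branch and drops the per-server `restrict` lines; a boolean `false` goes the other way and is silently reset to `"true"`. Either normalize once in the manifest or compare on a string at both template sites, e.g. `<% if @ntp_strict.to_s == "true" -%>`, and state in the new `$ntp_strict:` doc comment of the first hunk that the value is the string "true" or "false". The body of `class ntpd` continues outside the hunk.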
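Review bot: The two added `restrict -4 default nomodify notrap nopeer noquery` and `restrict -6 default ...` lines in the `<% else -%>` branch of ntp.conf.erb make the daemon serve time to any source address with no rate limiting, since the non-strict mode no longer confines clients to `$ntp_client_networks`. Where the installed ntpd supports it, adding `kod limited` to both lines (`restrict -4 default kod limited nomodify notrap nopeer noquery`) bounds per-client request rates without changing what is permitted. Whether `$ntp_client_networks` still emits its own `restrict` lines in this mode cannot be seen from this hunk.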
@@ -17,7 +24,9 @@ driftfile /var/lib/ntp/ntp.drift
 # Remote servers.
 <% @ntp_server.each do |server| -%>
 server <%= server %>
+<% if @ntp_strict == "true" -%>
 restrict <%= server %> nomodify notrap nopeer noquery
+<% end -%>
 <% end -%>
 
 <% if @is_virtual == "false" -%>