diff options
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/https.py | 5 | ||||
| -rwxr-xr-x | src/conf_mode/system-login.py | 27 |
2 files changed, 18 insertions, 14 deletions
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 010490c7e..028a5007a 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -215,14 +215,9 @@ def generate(https): api_data = vyos.defaults.api_data api_settings = https.get('api', {}) if api_settings: - port = api_settings.get('port', '') - if port: - api_data['port'] = port vhosts = https.get('api-restrict', {}).get('virtual-host', []) if vhosts: api_data['vhost'] = vhosts[:] - if 'socket' in list(api_settings): - api_data['socket'] = True if api_data: vhost_list = api_data.get('vhost', []) diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index 02c97afaa..87a269499 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -104,6 +104,9 @@ def get_config(config=None): # prune TACACS global defaults if not set by user if login.from_defaults(['tacacs']): del login['tacacs'] + # same for RADIUS + if login.from_defaults(['radius']): + del login['radius'] # create a list of all users, cli and users all_users = list(set(local_users + cli_users)) @@ -377,17 +380,23 @@ def apply(login): except Exception as e: raise ConfigError(f'Deleting user "{user}" raised exception: {e}') - # Enable RADIUS in PAM configuration - pam_cmd = '--remove' + # Enable/disable RADIUS in PAM configuration + cmd('pam-auth-update --disable radius-mandatory radius-optional') if 'radius' in login: - pam_cmd = '--enable' - cmd(f'pam-auth-update --package {pam_cmd} radius') - - # Enable/Disable TACACS in PAM configuration - pam_cmd = '--remove' + if login['radius'].get('security_mode', '') == 'mandatory': + pam_profile = 'radius-mandatory' + else: + pam_profile = 'radius-optional' + cmd(f'pam-auth-update --enable {pam_profile}') + + # Enable/disable TACACS+ in PAM configuration + cmd('pam-auth-update --disable tacplus-mandatory tacplus-optional') if 'tacacs' in login: - pam_cmd = '--enable' - cmd(f'pam-auth-update --package {pam_cmd} tacplus') + if login['tacacs'].get('security_mode', '') == 'mandatory': + pam_profile = 'tacplus-mandatory' + else: + pam_profile = 'tacplus-optional' + cmd(f'pam-auth-update --enable {pam_profile}') return None |