From d11b04f4f9230638fbbeb7cb21bd46de9d09d27c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 25 Feb 2020 16:34:19 +0100 Subject: login: radius: T2071: support disabling individual server --- interface-definitions/system-login-radius.xml.in | 12 +++++++++--- src/conf_mode/system-login-radius.py | 24 ++++++++++++++++++++---- 2 files changed, 29 insertions(+), 7 deletions(-) diff --git a/interface-definitions/system-login-radius.xml.in b/interface-definitions/system-login-radius.xml.in index 3d1a1b151..c5d081356 100644 --- a/interface-definitions/system-login-radius.xml.in +++ b/interface-definitions/system-login-radius.xml.in @@ -33,14 +33,20 @@ + + + Temporary disable this server + + + - RADIUS shared secret key + Shared secret key - RADIUS authentication port + Authentication port 1-65535 Numeric IP port (default: 1812) @@ -52,7 +58,7 @@ - Timeout for RADIUS session + Session timeout 1-30 Session timeout in seconds (default: 2) diff --git a/src/conf_mode/system-login-radius.py b/src/conf_mode/system-login-radius.py index caa7f6b80..b1e7dce4e 100755 --- a/src/conf_mode/system-login-radius.py +++ b/src/conf_mode/system-login-radius.py @@ -29,11 +29,13 @@ radius_config_file = "/etc/pam_radius_auth.conf" radius_config_tmpl = """ # Automatically generated by VyOS # RADIUS configuration file +{%- if server %} # server[:port] shared_secret timeout (s) source_ip -{% if server -%} -{% for s in server -%} +{% for s in server %} +{%- if not s.disabled -%} {{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if source_address -%}{{ source_address }}{% endif %} -{% endfor -%} +{% endif %} +{%- endfor %} priv-lvl 15 mapped_priv_user radius_priv_user 
@@ -75,12 +77,17 @@ def get_config(): for server in conf.list_nodes(['server']): server_cfg = { 'address': server, + 'disabled': False, 'key': '', 'port': '1812', 'timeout': '2' } conf.set_level(base_level + ['server', server]) + # Check if RADIUS server was temporary disabled + if conf.exists(['disable']): + server_cfg['disabled'] = True + # RADIUS shared secret if conf.exists(['key']): server_cfg['key'] = conf.return_value(['key']) @@ -99,7 +106,16 @@ def get_config(): return radius def verify(radius): - pass + # At lease one RADIUS server must not be disabled + if len(radius['server']) > 0: + fail = True + for server in radius['server']: + if not server['disabled']: + fail = False + if fail: + raise ConfigError('At least one RADIUS server must be active.') + + return None def generate(radius): if len(radius['server']) > 0: -- cgit v1.2.3
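Review bot: An enabled server with an empty shared secret still passes the new `verify()`, because the check only asks whether any entry has `disabled` false, while `get_config()` leaves `key` at its `''` default when the node is unset. Such an entry would be rendered into the PAM RADIUS file with a blank secret field. Unless the interface definition already makes `key` mandatory (not visible in this diff), reject a missing key for every server that is not disabled. The flag loop can also collapse into a single pass that collects the active servers, and the comment typo "At lease one" should read "At least one". The suggested body is sketched below.

```python
def verify(radius):
    # At least one configured RADIUS server must remain enabled
    active = [s for s in radius['server'] if not s['disabled']]
    if radius['server'] and not active:
        raise ConfigError('At least one RADIUS server must be active.')

    # An enabled server without a shared secret would produce an unusable entry
    for server in active:
        if not server['key']:
            raise ConfigError('Missing RADIUS shared secret key for server: ' + server['address'])

    return None
```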