From 70794c8266ffefc6660daac3bc8a63b412d7b350 Mon Sep 17 00:00:00 2001
From: Jamie Austin
Date: Thu, 26 Jan 2023 16:34:36 +1100
Subject: ocserv: T3896: add CLI options to configure ocserv config-per-user/group
Adds CLI configurations under VPN - OpenConnect to facilitate per user/group vpn session configurations. Validation has been added to restrict config-per-group to be exclusive to OpenConnect RADIUS authentication as the config file is looked up based on a RADIUS response attribute - as well as sanity check that the necessary configs are configured when not disabled.
---
 data/templates/ocserv/ocserv_config.j2 | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'data')
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 3194354e6..ea2c9e29f 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -12,6 +12,14 @@ run-as-group = daemon
 {% if "radius" in authentication.mode %}
 auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
+{% if "config_per_x" in authentication %}
+{% if authentication.config_per_x.disabled is not vyos_defined %}
+{% if "group" in authentication.config_per_x.mode %}
+config-per-group = {{ authentication.config_per_x.directory }}
+default-group-config = {{ authentication.config_per_x.default_config }}
+{% endif %}
+{% endif %}
+{% endif %}
 {% elif "local" in authentication.mode %}
 {% if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
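Review bot: The values rendered into the added `config-per-group` and `default-group-config` lines are interpolated with no `vyos_defined` check, unlike the `groupconfig` test on the `auth` line just above them. If `directory` or `default_config` were unset, the template would presumably emit a key with an empty value; the commit message says the config script validates this, but that script is not part of this diff. Because a file in this directory is selected by a RADIUS reply attribute and overrides settings for that session, I would guard the block with `{% if authentication.config_per_x.directory is vyos_defined %}` and add a comment such as `{# directory is expected to be an absolute path writable only by root; checked in the conf script #}`. The enclosing `{% if %}` chain closes outside this hunk.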
@@ -24,6 +32,13 @@ auth = "plain[/run/ocserv/ocpasswd]"
 auth = "plain[/run/ocserv/ocpasswd]"
 {% endif %}
+{% if "config_per_x" in authentication %}
+{% if "user" in authentication.config_per_x.mode %}
+config-per-user = {{ authentication.config_per_x.directory }}
+default-user-config = {{ authentication.config_per_x.default_config }}
+{% endif %}
+{% endif %}
+
 {% if ssl.certificate is vyos_defined %}
 server-cert = /run/ocserv/cert.pem
 server-key = /run/ocserv/cert.key
-- cgit v1.2.3
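Review bot: The `config-per-user` block added here has no `authentication.config_per_x.disabled is not vyos_defined` guard, while the `config-per-group` block in the first hunk does. Assuming `disabled` is the disable node the commit message refers to, setting it would still render `config-per-user` and `default-user-config`, so per-user overrides would keep applying to sessions the operator believes are back on the global policy. Wrapping the inner block the same way, `{% if authentication.config_per_x.disabled is not vyos_defined %}` … `{% endif %}`, would make the two modes behave consistently. The block also sits after the closing `{% endif %}` of the auth-mode chain, so it is rendered for RADIUS as well as local authentication; a short `{# applies to every auth mode #}` comment would confirm that this is intended.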