From a87ada1c4e9d5a426282c900207964d09d2a1020 Mon Sep 17 00:00:00 2001 From: RageLtMan Date: Wed, 17 Aug 2022 18:05:02 -0400 Subject: T3896: Drop cserv local user req, add groupconfig From ocserv documentation: ``` If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values. ``` Implement yes/no configuration and parameter handling during jinja rendering. Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used. Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation --- data/templates/ocserv/ocserv_config.j2 | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'data') diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2 index e0cad5181..1cbb52ccf 100644 --- a/data/templates/ocserv/ocserv_config.j2 +++ b/data/templates/ocserv/ocserv_config.j2 @@ -7,7 +7,11 @@ run-as-user = nobody run-as-group = daemon {% if "radius" in authentication.mode %} +{% if "yes" in authentication.radius.groupconfig %} +auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]" +{% else %} auth = "radius [config=/run/ocserv/radiusclient.conf]" +{% endif %} {% elif "local" in authentication.mode %} {% if authentication.mode.local == "password-otp" %} auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" -- cgit v1.2.3
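Review bot: The added condition `{% if "yes" in authentication.radius.groupconfig %}` uses a membership test on what the commit message describes as a yes/no value, and it reads `authentication.radius.groupconfig` with no `is defined` guard. The neighbouring `"radius" in authentication.mode` checks for a key among the configured modes, but on a plain string `in` is a substring match, so any value that merely contains "yes" would turn on `groupconfig=true`. When the node is not set, the result depends on how the template environment treats undefined values. Because the quoted ocserv documentation says this option overrides config-per-user and takes all configuration from RADIUS, including Acct-Interim-Interval and Session-Timeout, an exact test is safer here, for example `{% if authentication.radius.groupconfig is defined and authentication.radius.groupconfig == "yes" %}`. The two `auth = "radius [...]"` lines also repeat the `/run/ocserv/radiusclient.conf` path; emitting the line once and appending `,groupconfig=true` conditionally would keep the path in a single place. The commit message also mentions dropping the local-user requirement, but this diff is limited to 'data' and shows only the template change, so that part cannot be reviewed from these lines.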