| author | RageLtMan <rageltman [at] sempervictus> | 2022-08-17 18:05:02 -0400 | 
|---|---|---|
| committer | RageLtMan <rageltman [at] sempervictus> | 2022-08-18 09:58:18 -0400 | 
| commit | a87ada1c4e9d5a426282c900207964d09d2a1020 (patch) | |
| tree | 16f6858f5f66318eb9811c9941601f93c133e493 | |
| parent | 1f880973e221b91ac843a27d2e4c0b3de1880b97 (diff) | |
| download | vyos-1x-a87ada1c4e9d5a426282c900207964d09d2a1020.tar.gz vyos-1x-a87ada1c4e9d5a426282c900207964d09d2a1020.zip | |
T3896: Drop cserv local user req, add groupconfig
From ocserv documentation:
```
If the groupconfig option is set, then config-per-user will be
overriden, and all configuration will be read from radius. That
also includes the Acct-Interim-Interval, and Session-Timeout
values.
```
Implement yes/no configuration and parameter handling during jinja
rendering.
Fix bug wherein openconnect-server configuration requires creation
of local user accounts even when RADIUS authentication is used.
Testing:
  Set the groupconfig=yes param and observed change in generated
/run/ocserv/ocserv.conf.
  Removed the local users via `delete vpn openconnect
authentication local-users` and observed commit & service operation
| -rw-r--r-- | data/templates/ocserv/ocserv_config.j2 | 4 | ||||
| -rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 20 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 19 | 
3 files changed, 34 insertions, 9 deletions
| diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index e0cad5181..1cbb52ccf 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,7 +7,11 @@ run-as-user = nobody
 run-as-group = daemon
 {% if "radius" in authentication.mode %}
+{%      if "yes" in authentication.radius.groupconfig %}
+auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
+{%      else %}
 auth = "radius [config=/run/ocserv/radiusclient.conf]"
+{%      endif %}
 {% elif "local" in authentication.mode %}
 {%     if authentication.mode.local == "password-otp" %}
 auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 6309863c5..3ab8dd815 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
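Review bot: `{% if "yes" in authentication.radius.groupconfig %}` tests substring containment on a string value; with the (yes|no) constraint that is equivalent to equality, but the comparison form already used three lines below, `authentication.mode.local == "password-otp"`, is the clearer one and keeps the block consistent: `{%      if authentication.radius.groupconfig == "yes" %}`. Because `groupconfig=true` makes the RADIUS server the source of all per-user settings (per the commit message, including Session-Timeout and Acct-Interim-Interval), a short template comment on that branch stating that config-per-user is ignored when it is taken would help the next reader.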
@@ -144,6 +144,26 @@
                     </properties>
                     <defaultValue>2</defaultValue>
                   </leafNode>
+                  <leafNode name="groupconfig">
+                    <properties>
+                      <help>If the groupconfig option is set to yes, then config-per-user will be overriden, and all configuration will be read from radius.</help>
+                      <completionHelp>
+                        <list>yes no</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>yes</format>
+                        <description>Enable RADIUS acquisition of group properties</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>no</format>
+                        <description>Disable RADIUS acquisition of group properties</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(yes|no)</regex>
+                      </constraint>
+                    </properties>
+                    <defaultValue>no</defaultValue>
+                  </leafNode>
                  </children>
                </node>
              </children>
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index a3e774678..4e2a3f58b 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
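Review bot: The `<help>` text on the new `groupconfig` leaf is user-visible CLI help and carries a typo, `overriden`; a shorter corrected form would be `<help>Read all per-user configuration from RADIUS (config-per-user is overridden)</help>`. The `(yes|no)` constraint and the `<defaultValue>no</defaultValue>` look right and should leave existing RADIUS deployments unchanged, assuming the default is merged into the config dict as the Python side expects.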
@@ -57,15 +57,16 @@ def get_config():
     default_values = defaults(base)
     ocserv = dict_merge(default_values, ocserv)
-    # workaround a "know limitation" - https://phabricator.vyos.net/T2665
-    del ocserv['authentication']['local_users']['username']['otp']
-    if not ocserv["authentication"]["local_users"]["username"]:
-        raise ConfigError('openconnect mode local required at least one user')
-    default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp']
-    for user, params in ocserv['authentication']['local_users']['username'].items():
-        # Not every configuration requires OTP settings
-        if ocserv['authentication']['local_users']['username'][user].get('otp'):
-            ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp'])
+    if "local" in ocserv["authentication"]["mode"]:
+        # workaround a "know limitation" - https://phabricator.vyos.net/T2665
+        del ocserv['authentication']['local_users']['username']['otp']
+        if not ocserv["authentication"]["local_users"]["username"]:
+            raise ConfigError('openconnect mode local required at least one user')
+        default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp']
+        for user, params in ocserv['authentication']['local_users']['username'].items():
+            # Not every configuration requires OTP settings
+            if ocserv['authentication']['local_users']['username'][user].get('otp'):
+                ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp'])
     if ocserv:
         ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), |
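Review bot: The T2665 workaround `del ocserv['authentication']['local_users']['username']['otp']` now runs only in local mode, so in RADIUS mode the default-injected `otp` entry stays under `local_users.username` in the merged dict; if any later step walks that dict regardless of mode (the ocpasswd generation is the likely candidate, though it is outside this hunk), it would see a phantom user named `otp`. Hoisting that one `del` line above the `if "local" in ocserv["authentication"]["mode"]:` guard keeps the dict clean in both modes without changing the local-mode checks. Separately, `ocserv["authentication"]["mode"]` raises KeyError rather than ConfigError when no mode is configured, unless a default or a later verify() covers that case — worth confirming. get_config() starts and ends outside the hunk.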
