author | Christian Poessinger <christian@poessinger.com> | 2020-02-25 16:34:19 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-02-25 16:34:19 +0100 |
commit | d11b04f4f9230638fbbeb7cb21bd46de9d09d27c (patch) | |
tree | b27229b8656412797acbb62bcbfde931da1d3fda | |
parent | 6e0aad3a6b1a35428674f2266932528403c9702a (diff) | |
download | vyos-1x-d11b04f4f9230638fbbeb7cb21bd46de9d09d27c.tar.gz vyos-1x-d11b04f4f9230638fbbeb7cb21bd46de9d09d27c.zip |
login: radius: T2071: support disabling individual server
-rw-r--r-- | interface-definitions/system-login-radius.xml.in | 12 | ||||
-rwxr-xr-x | src/conf_mode/system-login-radius.py | 24 |
2 files changed, 29 insertions, 7 deletions
diff --git a/interface-definitions/system-login-radius.xml.in b/interface-definitions/system-login-radius.xml.in
index 3d1a1b151..c5d081356 100644
--- a/interface-definitions/system-login-radius.xml.in
+++ b/interface-definitions/system-login-radius.xml.in
@@ -33,14 +33,20 @@
 </constraint>
 </properties>
 <children>
+ <leafNode name="disable">
+ <properties>
+ <help>Temporary disable this server</help>
+ <valueless/>
+ </properties>
+ </leafNode>
 <leafNode name="key">
 <properties>
- <help>RADIUS shared secret key</help>
+ <help>Shared secret key</help>
 </properties>
 </leafNode>
 <leafNode name="port">
 <properties>
- <help>RADIUS authentication port</help>
+ <help>Authentication port</help>
 <valueHelp>
 <format>1-65535</format>
 <description>Numeric IP port (default: 1812)</description>
@@ -52,7 +58,7 @@
 </leafNode>
 <leafNode name="timeout">
 <properties>
- <help>Timeout for RADIUS session</help>
+ <help>Session timeout</help>
 <valueHelp>
 <format>1-30</format>
 <description>Session timeout in seconds (default: 2)</description>
diff --git a/src/conf_mode/system-login-radius.py b/src/conf_mode/system-login-radius.py
index caa7f6b80..b1e7dce4e 100755
--- a/src/conf_mode/system-login-radius.py
+++ b/src/conf_mode/system-login-radius.py
@@ -29,11 +29,13 @@ radius_config_file = "/etc/pam_radius_auth.conf"
 radius_config_tmpl = """
 # Automatically generated by VyOS
 # RADIUS configuration file
+{%- if server %}
 # server[:port] shared_secret timeout (s) source_ip
-{% if server -%}
-{% for s in server -%}
+{% for s in server %}
+{%- if not s.disabled -%}
 {{ s.address }}:{{ s.port }} {{ s.key }} {{ s.timeout }} {% if source_address -%}{{ source_address }}{% endif %}
-{% endfor -%}
+{% endif %}
+{%- endfor %}
 priv-lvl 15
 mapped_priv_user radius_priv_user
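Review bot: The help string on the new `disable` leaf in the first hunk of system-login-radius.xml.in is ungrammatical: `Temporary disable this server` needs the adverb, `<help>Temporarily disable this server</help>`. This text is presumably what an operator sees in CLI help, so it is worth fixing before it ships. The same wording recurs in the comment `# Check if RADIUS server was temporary disabled` added to src/conf_mode/system-login-radius.py.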
@@ -75,12 +77,17 @@ def get_config():
 for server in conf.list_nodes(['server']):
 server_cfg = {
 'address': server,
+ 'disabled': False,
 'key': '',
 'port': '1812',
 'timeout': '2'
 }
 conf.set_level(base_level + ['server', server])
+ # Check if RADIUS server was temporary disabled
+ if conf.exists(['disable']):
+ server_cfg['disabled'] = True
+
 # RADIUS shared secret
 if conf.exists(['key']):
 server_cfg['key'] = conf.return_value(['key'])
@@ -99,7 +106,16 @@ def get_config():
 return radius
 def verify(radius):
- pass
+ # At lease one RADIUS server must not be disabled
+ if len(radius['server']) > 0:
+ fail = True
+ for server in radius['server']:
+ if not server['disabled']:
+ fail = False
+ if fail:
+ raise ConfigError('At least one RADIUS server must be active.')
+
+ return None
 def generate(radius):
 if len(radius['server']) > 0:
|
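Review bot: The new check in verify() looks only at `disabled`, so an enabled server that keeps the `'key': ''` default set in the get_config() hunk is accepted and written out with an empty shared-secret column. pam_radius_auth.conf is whitespace-separated, so the timeout would presumably shift into the secret position; reject the case inside the existing loop with `if not server['disabled'] and not server['key']: raise ConfigError('Missing RADIUS shared secret key for server ' + server['address'])`. The flag loop itself reduces to `if all(s['disabled'] for s in radius['server']):`, and the comment should read `At least one`, not `At lease one`.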