summaryrefslogtreecommitdiff
path: root/data/templates/ocserv
diff options
context:
space:
mode:
authorRageLtMan <rageltman [at] sempervictus>2022-08-17 18:05:02 -0400
committerRageLtMan <rageltman [at] sempervictus>2022-08-18 09:58:18 -0400
commita87ada1c4e9d5a426282c900207964d09d2a1020 (patch)
tree16f6858f5f66318eb9811c9941601f93c133e493 /data/templates/ocserv
parent1f880973e221b91ac843a27d2e4c0b3de1880b97 (diff)
downloadvyos-1x-a87ada1c4e9d5a426282c900207964d09d2a1020.tar.gz
vyos-1x-a87ada1c4e9d5a426282c900207964d09d2a1020.zip
T3896: Drop cserv local user req, add groupconfig
From ocserv documentation: ``` If the groupconfig option is set, then config-per-user will be overriden, and all configuration will be read from radius. That also includes the Acct-Interim-Interval, and Session-Timeout values. ``` Implement yes/no configuration and parameter handling during jinja rendering. Fix bug wherein openconnect-server configuration requires creation of local user accounts even when RADIUS authentication is used. Testing: Set the groupconfig=yes param and observed change in generated /run/ocserv/ocserv.conf. Removed the local users via `delete vpn openconnect authentication local-users` and observed commit & service operation
Diffstat (limited to 'data/templates/ocserv')
-rw-r--r--data/templates/ocserv/ocserv_config.j24
1 files changed, 4 insertions, 0 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index e0cad5181..1cbb52ccf 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -7,7 +7,11 @@ run-as-user = nobody
run-as-group = daemon
{% if "radius" in authentication.mode %}
+{% if "yes" in authentication.radius.groupconfig %}
+auth = "radius [config=/run/ocserv/radiusclient.conf,groupconfig=true]"
+{% else %}
auth = "radius [config=/run/ocserv/radiusclient.conf]"
+{% endif %}
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"