authorJamie Austin <jamiea@opusv.com.au>2023-01-26 16:34:36 +1100
committerJamie Austin <jamiea@opusv.com.au>2023-01-26 16:34:36 +1100
commit70794c8266ffefc6660daac3bc8a63b412d7b350 (patch)
treedc9b94123e3d68efafa63d63be54ca778ea99e9e /data
parent7634e16dcaaf4e08dec8bd9b92c6e731c32ef7cd (diff)
downloadvyos-1x-70794c8266ffefc6660daac3bc8a63b412d7b350.tar.gz
vyos-1x-70794c8266ffefc6660daac3bc8a63b412d7b350.zip
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
Adds CLI configurations under VPN - OpenConnect to facilitate per-user/group VPN session configurations. Validation has been added to restrict config-per-group to OpenConnect RADIUS authentication, as the config file is looked up based on a RADIUS response attribute, as well as a sanity check that the necessary options are configured when the feature is not disabled.
Diffstat (limited to 'data')
-rw-r--r--data/templates/ocserv/ocserv_config.j215
1 files changed, 15 insertions, 0 deletions
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 3194354e6..ea2c9e29f 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -12,6 +12,14 @@ run-as-group = daemon
{% if "radius" in authentication.mode %}
auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
+{% if "config_per_x" in authentication %}
+{% if authentication.config_per_x.disabled is not vyos_defined %}
+{% if "group" in authentication.config_per_x.mode %}
+config-per-group = {{ authentication.config_per_x.directory }}
+default-group-config = {{ authentication.config_per_x.default_config }}
+{% endif %}
+{% endif %}
+{% endif %}
{% elif "local" in authentication.mode %}
{% if authentication.mode.local == "password-otp" %}
auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]"
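Review bot: The per-user settings are rendered only in the `local` branch (second hunk), so a `radius` authentication mode combined with `config_per_x.mode` set to `user` renders neither `config-per-user` nor `default-user-config`, and the CLI setting is silently ignored in the generated ocserv config. Either render the `config-per-user` / `default-user-config` pair inside this RADIUS block as well, or have the validator reject that combination; the description only mentions restricting config-per-group to RADIUS, so the intended behaviour for `user` mode under RADIUS is not visible from this diff. Both `config-per-group` and `default-group-config` are also emitted unquoted from `directory` and `default_config`, which is fine if the validator guarantees they are set whenever `disabled` is absent, but an unset value would render `config-per-group = ` with nothing after it. The outer `{% if "radius" in authentication.mode %}` chain continues past the end of this hunk.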
@@ -24,6 +32,13 @@ auth = "plain[/run/ocserv/ocpasswd]"
auth = "plain[/run/ocserv/ocpasswd]"
{% endif %}
+{% if "config_per_x" in authentication %}
+{% if "user" in authentication.config_per_x.mode %}
+config-per-user = {{ authentication.config_per_x.directory }}
+default-user-config = {{ authentication.config_per_x.default_config }}
+{% endif %}
+{% endif %}
+
{% if ssl.certificate is vyos_defined %}
server-cert = /run/ocserv/cert.pem
server-key = /run/ocserv/cert.key
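Review bot: The `disabled` guard that wraps the per-group lines in the RADIUS branch is missing here: `config-per-user` and `default-user-config` are emitted whenever `"user"` is in `authentication.config_per_x.mode`, so setting `disabled` under config-per-x still produces a per-user config lookup for local authentication. Mirror the first hunk by nesting the mode check inside `{% if authentication.config_per_x.disabled is not vyos_defined %}` … `{% endif %}`. If the validator outside this diff already rejects `disabled` together with `mode user`, that is not visible from the template, and keeping the two branches consistent costs two lines.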