authorChristian Breunig <christian@breunig.cc>2023-05-12 21:03:03 +0200
committerChristian Breunig <christian@breunig.cc>2023-05-12 21:06:56 +0200
commitd1abba03229128c3f2a6f718e9f14f4d7285e74d (patch)
tree43d8443adbb8fdaf6218d6a20c78c53688877797 /interface-definitions/vpn-openconnect.xml.in
parent25ddb57b66de2c0918050052a4d374d4edb905f0 (diff)
ocserv: T3896: improve XML definition and add warning about 3rd party configs
When enabling identity-based-config, users can add arbitrary config keys that are processed by ocserv. The user "must know" what he is doing, as an invalid config option will make the ocserv daemon go ... whoop! Thus add a warning and inform the user about this setting.
Diffstat (limited to 'interface-definitions/vpn-openconnect.xml.in')
-rw-r--r--interface-definitions/vpn-openconnect.xml.in53
1 files changed, 52 insertions, 1 deletions
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index afc2a5383..75c64a99a 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -71,7 +71,58 @@
</leafNode>
</children>
</node>
- #include <include/openconnect-identity-based-config.xml.i>
+ <node name="identity-based-config">
+ <properties>
+ <help>Include configuration file by username or RADIUS group attribute</help>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="mode">
+ <properties>
+ <help>Select per user or per group configuration file - ignored if authentication group is configured</help>
+ <completionHelp>
+ <list>user group</list>
+ </completionHelp>
+ <valueHelp>
+ <format>user</format>
+ <description>Match configuration file on username</description>
+ </valueHelp>
+ <valueHelp>
+ <format>group</format>
+ <description>Match RADIUS response class attribute as file name</description>
+ </valueHelp>
+ <constraint>
+ <regex>(user|group)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid mode, must be either user or group</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="directory">
+ <properties>
+ <help>Directory to containing configuration files</help>
+ <valueHelp>
+ <format>path</format>
+ <description>Path to configuration directory, must be under /config/auth</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="default-config">
+ <properties>
+ <help>Default configuration if discrete config could not be found</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Default configuration filename, must be under /config/auth</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
<leafNode name="group">
<properties>
<help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
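Review bot: The help string on the new `directory` leaf reads "Directory to containing configuration files" and should be `<help>Directory containing configuration files</help>`. Beyond the wording, the two `file-path` validators only pin the location under /config/auth; nothing in this definition constrains what the per-user or per-group files contain or who may write them, while the commit message notes that ocserv processes arbitrary keys from them. In `group` mode the file name is taken from the RADIUS Class attribute, so the `valueHelp` description for `directory` should state that the files must be writable by administrators only. The warning mentioned in the commit message is not part of this hunk, so it is worth confirming that the config script raises it whenever this node is enabled, and that it says what happens to `mode` when an authentication group is configured (the help text says it is ignored).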