author | Jamie Austin <jamiea@opusv.com.au> | 2023-01-26 16:34:36 +1100 |
---|---|---|
committer | Jamie Austin <jamiea@opusv.com.au> | 2023-01-26 16:34:36 +1100 |
commit | 70794c8266ffefc6660daac3bc8a63b412d7b350 (patch) | |
tree | dc9b94123e3d68efafa63d63be54ca778ea99e9e /interface-definitions | |
parent | 7634e16dcaaf4e08dec8bd9b92c6e731c32ef7cd (diff) | |
ocserv: T3896: add CLI options to configure ocserv config-per-user/group
Adds CLI configuration under VPN - OpenConnect to enable per-user/per-group VPN session configuration. Validation has been added to restrict config-per-group to OpenConnect RADIUS authentication only, since the config file is looked up based on a RADIUS response attribute, as well as a sanity check that the necessary options are configured when the feature is not disabled.
Diffstat (limited to 'interface-definitions')
-rw-r--r-- | interface-definitions/include/openconnect-config-per-x.xml.i | 54 | ||||
-rw-r--r-- | interface-definitions/vpn-openconnect.xml.in | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/interface-definitions/include/openconnect-config-per-x.xml.i b/interface-definitions/include/openconnect-config-per-x.xml.i
new file mode 100644
index 000000000..71bbdd68f
--- /dev/null
+++ b/interface-definitions/include/openconnect-config-per-x.xml.i
@@ -0,0 +1,54 @@
+<!-- include start from openconnect-config-per-x.xml.i -->
+<node name="config-per-x">
+ <properties>
+ <help>Configures ocserv to search the configured directory for a config file matching the Group name or username</help>
+ </properties>
+ <children>
+ <leafNode name="mode">
+ <properties>
+ <help>ocserv will ignore these configs if groupconfig is enabled TODO: explain this in better detail - need to make it clear this is in reference to the groupconfig vyos config that lives up one level from here</help>
+ <valueHelp>
+ <format>user</format>
+ <description>ocserv config file loaded by matching file in configured directory to the users username</description>
+ </valueHelp>
+ <valueHelp>
+ <format>group</format>
+ <description>ocserv config file loaded by matching RADIUS class attribute in the RADIUS server response to a file in the configured directory</description>
+ </valueHelp>
+ <constraint>
+ <regex>(user|group)</regex>
+ </constraint>
+ <constraintErrorMessage>Invalid config-per-x. Must be one of: user, group </constraintErrorMessage>
+ <completionHelp>
+ <list>user group</list>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="directory">
+ <properties>
+ <help>Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Child directory of /config/auth e.g. /config/auth/ocserv/config-per-user</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--directory --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="default-config">
+ <properties>
+ <help>Default/fallback config to use when a file cannot be found in the configured directory that matches the username/group</help>
+ <valueHelp>
+ <format>filename</format>
+ <description>Child directory of /config/auth e.g. 
/config/auth/ocserv/defaults/user.conf</description>
+ </valueHelp>
+ <constraint>
+ <validator name="file-path" argument="--file --parent-dir /config/auth --strict"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/generic-disable-node.xml.i>
+ </children>
+</node>
+<!-- include end -->
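Review bot: The help string of the `mode` leaf ships a developer TODO as user-visible CLI help (`<help>ocserv will ignore these configs if groupconfig is enabled TODO: explain this in better detail ...</help>`); it should be finished before merge, e.g. `<help>Select whether ocserv loads a per-user or per-group config file from the configured directory (ignored by ocserv when groupconfig is enabled)</help>`, although the groupconfig interaction itself cannot be verified from this hunk. The `default-config` valueHelp description (`Child directory of /config/auth e.g. /config/auth/ocserv/defaults/user.conf`) looks copied from `directory`: its validator is `--file`, so it should read `File under /config/auth e.g. /config/auth/ocserv/defaults/user.conf`. The `constraintErrorMessage` also carries a trailing space before its closing tag. Confining both paths with `--parent-dir /config/auth --strict` is the right control here; if `--strict` does not already reject `..` components and symlinks escaping that tree, that belongs in the file-path validator rather than in this definition.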
\ No newline at end of file
diff --git a/interface-definitions/vpn-openconnect.xml.in b/interface-definitions/vpn-openconnect.xml.in
index 82fe2bbc9..24d24568f 100644
--- a/interface-definitions/vpn-openconnect.xml.in
+++ b/interface-definitions/vpn-openconnect.xml.in
@@ -50,6 +50,7 @@
 </leafNode>
 </children>
 </node>
+ #include <include/openconnect-config-per-x.xml.i>
 <leafNode name="group">
 <properties>
 <help>Group that a client is allowed to select (from a list). Maps to RADIUS Class attribute.</help>
|