author | Christian Breunig <christian@breunig.cc> | 2023-05-12 21:03:03 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2023-05-12 21:06:56 +0200 |
commit | d1abba03229128c3f2a6f718e9f14f4d7285e74d (patch) | |
tree | 43d8443adbb8fdaf6218d6a20c78c53688877797 /src/conf_mode/vpn_openconnect.py | |
parent | 25ddb57b66de2c0918050052a4d374d4edb905f0 (diff) | |
ocserv: T3896: improve XML definition and add warning about 3rd party configs
When enabling identity-based-config, users can add arbitrary config keys
that are processed by ocserv. The user "must know" what he is been doing, as
invalid config option will make the ocserv daemon go ... whoop!
Thus add a warning and inform the user about this setting.
Diffstat (limited to 'src/conf_mode/vpn_openconnect.py')
-rwxr-xr-x | src/conf_mode/vpn_openconnect.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py
index 7b3325d95..83021a3e6 100755
--- a/src/conf_mode/vpn_openconnect.py
+++ b/src/conf_mode/vpn_openconnect.py
@@ -17,6 +17,7 @@
 import os
 from sys import exit
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.pki import wrap_certificate
@@ -173,9 +174,11 @@ def verify(ocserv):
 users_wo_pswd.append(user)
 if users_wo_pswd:
 raise ConfigError(f'password required for users:\n{users_wo_pswd}')
+# Validate that if identity-based-config is configured all child config nodes are set
 if 'identity_based_config' in ocserv["authentication"]:
 if 'disabled' not in ocserv["authentication"]["identity_based_config"]:
+Warning("Identity based configuration files is a 3rd party addition. Use at your own risk, this might break the ocserv daemon!")
 if 'mode' not in ocserv["authentication"]["identity_based_config"]:
 raise ConfigError('OpenConnect radius identity-based-config enabled but mode not selected')
 elif 'group' in ocserv["authentication"]["identity_based_config"]["mode"] and "radius" not in ocserv["authentication"]["mode"]: |
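Review bot: `from vyos.base import Warning` in the import hunk shadows Python's builtin `Warning` exception class for the whole module, so any later `except Warning:` or `isinstance(exc, Warning)` in this file would silently refer to the vyos helper instead of the exception. Importing it under an alias, `from vyos.base import Warning as vyos_warning`, keeps the builtin reachable; the new call site in verify() would then use the alias. The verify() hunk is cut off at the end of the page, so the remainder of that function is not visible here.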