From ccd9d004a3d91f4314f8252b1bcd7ce73ee7a982 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 25 May 2015 10:18:24 +0200
Subject: [PATCH] updated to 0.10.5
Resolves: rhbz#1215326
---
 .gitignore | 2 ++
 ocserv.conf | 38 ++++++++++++++++++++++----------------
 ocserv.spec | 5 ++++-
 sources | 4 ++--
 4 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/.gitignore b/.gitignore
index d392fba..183bef7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,5 @@
 /ocserv-0.10.2.tar.xz
 /ocserv-0.10.4.tar.xz.sig
 /ocserv-0.10.4.tar.xz
+/ocserv-0.10.5.tar.xz.sig
+/ocserv-0.10.5.tar.xz
diff --git a/ocserv.conf b/ocserv.conf
index b0982e6..035d9ba 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -19,20 +19,20 @@ # One entry must be listed per line, and 'ocpasswd' should be used # to generate password entries. # -# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]: +# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]: # The radius option requires specifying freeradius-client configuration # file. If the groupconfig option is set, then config-per-user will be overriden, -# and all configuration will be read from radius. The supported atributes for -# radius configuration are: -# Group-Name, Framed-IPv6-Address, Framed-IPv6-Prefix, DNS-Server-IPv6-Address, -# Framed-IP-Address, Framed-IP-Netmask, MS-Primary-DNS-Server, MS-Secondary-DNS-Server +# and all configuration will be read from radius. The 'override-interim-updates' if set to +# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered. # -# gssapi[keytab=/etc/key.tab,require-local-user-map=false] +# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900] # The gssapi option allows to use authentication methods supported by GSSAPI, # such as Kerberos tickets with ocserv. It should be best used as an alternative # to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with # tickets and without tickets to login. The default value for require-local-user-map -# is true. +# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented +# to have been issued within the provided number of seconds. That option is used to +# restrict logins even if the KDC provides long time TGT tickets. auth = "pam" #auth = "pam[gid-min=1000]" 
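Review bot: The new gssapi sentence reads awkwardly — `# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented` — and should state plainly what the option enforces; suggest `# is true. If 'tgt-freshness-time' is set, the TGT presented must have been issued within that many seconds; this bounds logins even when the KDC issues long-lived TGTs.` The new radius sentence has the same shape and could read `# read from radius. If 'override-interim-updates' is true, Acct-Interim-Interval from the server is ignored and 'stats-report-time' is considered instead.` The hunk also drops the list of RADIUS attributes the server honours (Group-Name, Framed-IP-Address, ...) without saying where that list now lives; if it moved to the manual, a one-line pointer here would keep the sample config self-explanatory. The unchanged context line `config-per-user will be overriden` still misspells "overridden" and could be fixed in the same pass.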
@@ -45,7 +45,7 @@ auth = "pam" # will be sufficient to login. #enable-auth = certificate #enable-auth = gssapi -#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true]" +#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]" # Accounting methods available: # pam: can only be combined with PAM authentication method, it provides @@ -245,6 +245,10 @@ auth-timeout = 40 # before being disconnected. Unset to disable. #idle-timeout = 1200 +# The time (in seconds) that a client is allowed to stay connected +# Unset to disable. +#session-timeout = 86400 + # The time (in seconds) that a mobile client is allowed to stay idle (no # traffic) before being disconnected. Unset to disable. #mobile-idle-timeout = 2400 @@ -283,6 +287,11 @@ ban-reset-time = 300 # between different networks. cookie-timeout = 300 +# If this is enabled (not recommended) the cookies will stay +# valid even after a user manually disconnects, and until they +# expire. This may improve roaming with some broken clients. +#persistent-cookies = true + # Whether roaming is allowed, i.e., if true a cookie is # restricted to a single IP address and cannot be re-used # from a different IP. @@ -290,7 +299,8 @@ deny-roaming = false # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once -# this amount of seconds is elapsed. Set to zero to disable. +# this amount of seconds is elapsed. Set to zero to disable (note +# that, some clients fail if rekey is disabled). rekey-time = 172800 # ReKey method 
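Review bot: The new session-timeout comment is missing a sentence break: `# The time (in seconds) that a client is allowed to stay connected` runs straight into `# Unset to disable.`; suggest `# The time (in seconds) that a client is allowed to stay connected.` so it matches the idle-timeout comment just above it. Since the later hunk on per-user/group configuration lists session-timeout among the options accepted there, a short `# Can also be set per user or group.` line would make that override discoverable from here.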
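Review bot: The persistent-cookies comment says the option is `(not recommended)` but not why, which is the part an administrator deciding whether to enable it needs. Per the surrounding lines a cookie is what permits reconnection, and with this option its validity no longer ends when the user disconnects but only when cookie-timeout (300 seconds here) expires; suggest `# Not recommended: the cookie then remains a valid reconnection credential after the user disconnects, until cookie-timeout expires.` Because deny-roaming is false in this file, such a cookie is also not tied to a single IP, so the comment could mention that the two settings compound.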
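Review bot: The added parenthetical has a stray comma: `# that, some clients fail if rekey is disabled).` should read `# that some clients fail if rekey is disabled).`. Client compatibility is presented as the only reason to keep a non-zero value, whereas the line above already implies the other one — with zero the session never refreshes its keys — so a short clause such as `# and the session then keeps its initial keys for its whole lifetime` would give administrators the complete trade-off.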
@@ -438,8 +448,9 @@ ping-leases = false # per group. Each file name on these directories must match the username # or the groupname. # The options allowed in the configuration files are dns, nbns, -# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, -# net-priority, deny-roaming, no-udp, user-profile, and cgroup. +# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route, +# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, +# user-profile, cgroup, stats-report-time, and session-timeout. # # Note that the 'iroute' option allows to add routes on the server # based on a user or group. The syntax depends on the input accepted @@ -499,11 +510,6 @@ cisco-client-compat = true # This file must be accessible from inside the worker's chroot. user-profile = profile.xml -# Binary files that may be downloaded by the CISCO client. Must -# be within any chroot environment. Normally you don't need -# to use this option. -#binary-files = /path/to/binaries - #Advanced options # Option to allow sending arbitrary custom headers to the client after diff --git a/ocserv.spec b/ocserv.spec index d5a267d..56a3e82 100644 --- a/ocserv.spec +++ b/ocserv.spec @@ -1,7 +1,7 @@ %global _hardened_build 1 Name: ocserv -Version: 0.10.4 +Version: 0.10.5 Release: 1%{?dist} Summary: OpenConnect SSL VPN server @@ -156,6 +156,9 @@ rm -rf %{buildroot} %{_localstatedir}/lib/ocserv/profile.xml %changelog +* Mon May 25 2015 Nikos Mavrogiannopoulos - 0.10.5-1 +- new upstream release (#1215326) + * Mon Apr 27 2015 Nikos Mavrogiannopoulos - 0.10.4-1 - new upstream release diff --git a/sources b/sources index 60962f6..30c22ea 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -6605003c40a206698f90475f9aa2a548 ocserv-0.10.4.tar.xz.sig -6df31778642320ea7b90f314c4c9a897 ocserv-0.10.4.tar.xz +7396cedfa7071a4c6d5d243435ce663c ocserv-0.10.5.tar.xz.sig +17ee861f352d6ef7cd33114819b215ba ocserv-0.10.5.tar.xz