From 0b47b305def1cac917a775290eceb2f8b61f21a8 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Wed, 21 Dec 2016 09:04:50 +0100
Subject: [PATCH] improved documentation of user-profile option

---
 doc/sample.config   | 27 +++++++++++++++++++--------
 src/ocserv-args.def | 27 +++++++++++++++++++--------
 2 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/doc/sample.config b/doc/sample.config
index 5a735ab9..b661e615 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -588,6 +588,25 @@ no-route = 192.168.5.0/255.255.255.0
 #kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
 #kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
 
+# Client profile xml. This can be used to advertise alternative servers
+# to the client. A minimal file can be:
+# <?xml version="1.0" encoding="UTF-8"?>
+# <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
+#	<ServerList>
+#		<HostEntry>
+#	            <HostName>VPN Server name</HostName>
+#	            <HostAddress>localhost</HostAddress>
+#		</HostEntry>
+#	</ServerList>
+# </AnyConnectProfile>
+#
+# Other fields may be used by some of the CISCO clients.
+# This file must be accessible from inside the worker's chroot. 
+# Note that enabling this option is not recommended as it will allow
+# the worker processes to open arbitrary files (when isolate-workers is
+# set to true).
+#user-profile = profile.xml
+
 #
 # The following options are for (experimental) AnyConnect client 
 # compatibility. 
@@ -611,14 +630,6 @@ cisco-client-compat = true
 # by the dtls-psk protocol supported by openconnect 7.08+.
 dtls-legacy = true
 
-# Client profile xml. A sample file exists in doc/profile.xml.
-# It is required by some of the CISCO clients.
-# This file must be accessible from inside the worker's chroot. 
-# Note that enabling this option is not recommended as it will allow
-# the worker processes to open arbitrary files (when isolate-workers is
-# set to true).
-#user-profile = /path/to/file.xml
-
 #Advanced options
 
 # Option to allow sending arbitrary custom headers to the client after
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 769cac73..80707eee 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -705,6 +705,25 @@ no-route = 192.168.5.0/255.255.255.0
 #kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
 #kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
 
+# Client profile xml. This can be used to advertise alternative servers
+# to the client. A minimal file can be:
+# <?xml version="1.0" encoding="UTF-8"?>
+# <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
+#	<ServerList>
+#		<HostEntry>
+#	            <HostName>VPN Server name</HostName>
+#	            <HostAddress>localhost</HostAddress>
+#		</HostEntry>
+#	</ServerList>
+# </AnyConnectProfile>
+#
+# Other fields may be used by some of the CISCO clients.
+# This file must be accessible from inside the worker's chroot. 
+# Note that enabling this option is not recommended as it will allow
+# the worker processes to open arbitrary files (when isolate-workers is
+# set to true).
+#user-profile = profile.xml
+
 #
 # The following options are for (experimental) AnyConnect client 
 # compatibility. 
@@ -728,14 +747,6 @@ cisco-client-compat = true
 # by the dtls-psk protocol supported by openconnect 7.08+.
 dtls-legacy = true
 
-# Client profile xml. A sample file exists in doc/profile.xml.
-# It is required by some of the CISCO clients.
-# This file must be accessible from inside the worker's chroot.
-# Note that enabling this option is not recommended as it will allow
-# the worker processes to open arbitrary files (when isolate-workers is
-# set to true).
-#user-profile = /path/to/file.xml
-
 #Advanced options
 
 # Option to allow sending arbitrary custom headers to the client after