Diffstat (limited to 'raddb/mods-available/krb5')
-rw-r--r--raddb/mods-available/krb582
1 files changed, 82 insertions, 0 deletions
diff --git a/raddb/mods-available/krb5 b/raddb/mods-available/krb5
new file mode 100644
index 0000000..c88b5fb
--- /dev/null
+++ b/raddb/mods-available/krb5
@@ -0,0 +1,82 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
+#
+krb5 {
+ #
+ # The keytab file MUST be owned by the UID/GID used by the server.
+ # The keytab file MUST be writable by the server.
+ # The keytab file MUST NOT be readable by other users on the system.
+ # The keytab file MUST exist before the server is started.
+ #
+ keytab = ${localstatedir}/lib/radiusd/keytab
+ service_principal = name_of_principle
+
+ # Pool of krb5 contexts, this allows us to make the module multithreaded
+ # and to avoid expensive operations like resolving and opening keytabs
+ # on every request. It may also allow TCP connections to the KDC to be
+ # cached if that is supported by the version of libkrb5 used.
+ #
+ # The context pool is only used if the underlying libkrb5 reported
+ # that it was thread safe at compile time.
+ #
+ pool {
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # KDC being available.
+ start = ${thread[pool].start_servers}
+
+ # Minimum number of connections to keep open
+ min = ${thread[pool].min_spare_servers}
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ max = ${thread[pool].max_servers}
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ spare = ${thread[pool].max_spare_servers}
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The lifetime (in seconds) of the connection
+ #
+ # NOTE: A setting of 0 means infinite (no limit).
+ lifetime = 0
+
+ # The idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ #
+ # NOTE: A setting of 0 means infinite (no timeout).
+ idle_timeout = 0
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ }
+}
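Review bot: The keytab comment block at the top of `krb5 { }` says the file MUST be writable by the server, which is broader than a module that only verifies tickets would normally need. If rlm_krb5 only reads keys from it (not confirmed from this hunk), the line would be better as `# The keytab file MUST be readable by the server (e.g. mode 0400 or 0600).`, keeping the "MUST NOT be readable by other users" line as is. Separately, `service_principal = name_of_principle` ships a misspelled placeholder as a live value; I would comment it out and document the expected form, e.g. `# service_principal = <service>/<hostname>` (format presumed, confirm against doc/modules/rlm_krb5), so an unedited install does not run with a bogus principal. Finally, with `uses = 0`, `lifetime = 0` and `idle_timeout = 0` pooled contexts are never recycled, and since the pool comment says keytabs are resolved and opened once per context, a rotated keytab may not be picked up until restart; a comment beside `lifetime` noting this would help operators who rotate keys.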