Diffstat (limited to 'raddb/mods-available/krb5')
-rw-r--r-- | raddb/mods-available/krb5 | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/raddb/mods-available/krb5 b/raddb/mods-available/krb5
new file mode 100644
index 0000000..c88b5fb
--- /dev/null
+++ b/raddb/mods-available/krb5
@@ -0,0 +1,82 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# Kerberos. See doc/modules/rlm_krb5 for minimal docs.
+#
+krb5 {
+ #
+ # The keytab file MUST be owned by the UID/GID used by the server.
+ # The keytab file MUST be writable by the server.
+ # The keytab file MUST NOT be readable by other users on the system.
+ # The keytab file MUST exist before the server is started.
+ #
+ keytab = ${localstatedir}/lib/radiusd/keytab
+ service_principal = name_of_principle
+
+ # Pool of krb5 contexts, this allows us to make the module multithreaded
+ # and to avoid expensive operations like resolving and opening keytabs
+ # on every request. It may also allow TCP connections to the KDC to be
+ # cached if that is supported by the version of libkrb5 used.
+ #
+ # The context pool is only used if the underlying libkrb5 reported
+ # that it was thread safe at compile time.
+ #
+ pool {
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # KDC being available.
+ start = ${thread[pool].start_servers}
+
+ # Minimum number of connections to keep open
+ min = ${thread[pool].min_spare_servers}
+
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ max = ${thread[pool].max_servers}
+
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ spare = ${thread[pool].max_spare_servers}
+
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ uses = 0
+
+ # The lifetime (in seconds) of the connection
+ #
+ # NOTE: A setting of 0 means infinite (no limit).
+ lifetime = 0
+
+ # The idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ #
+ # NOTE: A setting of 0 means infinite (no timeout).
+ idle_timeout = 0
+
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ }
+} |
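Review bot: The keytab comment block at the top of `krb5 { }` says the file MUST be writable by the server but gives no reason. A keytab holds the service's long-term keys, and a service that only verifies tickets normally needs read access alone, so either state what the module writes or relax the line to something like `# The keytab file MUST be readable by the server, and by no other user.` The default `service_principal = name_of_principle` is a misspelled placeholder that reads like a real value; I would change it to `service_principal = name_of_principal` and put `# Placeholder - replace with the service principal whose key is in the keytab.` above it. In the `pool` section, `uses = 0`, `lifetime = 0` and `idle_timeout = 0` together mean pooled contexts are never recycled. If the keytab is opened once per context, as the pool comment suggests, a rotated keytab may not take effect until the server restarts, which deserves a sentence next to `lifetime`.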