1 files changed, 47 insertions, 0 deletions

diff --git a/doc/modules/rlm_krb5 b/doc/modules/rlm_krb5
new file mode 100644
index 0000000..d70017f
--- /dev/null
+++ b/doc/modules/rlm_krb5
@@ -0,0 +1,47 @@
+The `rlm_krb5` FreeRADIUS module enables the use of Kerberos 5 for
+authentication.
+
+Compilation issues
+==================
+
+MIT libraries
+-------------
+
+The `rlm_krb5` module, by default, presumes you have the MIT Kerberos 5
+distribution. Notes from that distribution:
+
+On linux, you may have to change:
+
+    deplibs_test_method="pass_all"
+
+in `../libtool`
+
+Otherwise, it complains if the krb5 libs aren't shared.
+
+Heimdal libraries
+-----------------
+
+If you are using the Heimdal Kerberos 5 distribution, pass an
+`--enable-heimdal-krb5` option to `configure`.
+
+Configuration parameters
+========================
+
+You can configure the module with the following parameters:
+
+    krb5 {
+        # Keytab containing the key used by rlm_krb5
+        keytab = /path/to/keytab
+
+        # Principal that is used by rlm_krb5
+        service_principal = radius/some.host.com
+    }
+
+Make sure the keytab is readable by the user that is used to run `radiusd` and
+that your authorization configuration really uses `rlm_krb5` to do the
+authentication. You will need to add the following to the 'authenticate'
+section of your radiusd.conf file:
+
+    Auth-Type Kerberos {
+        krb5
+    }