# -*- text -*-
#
#  $Id$

#
#  Kerberos.  See doc/modules/rlm_krb5 for minimal docs.
#
#  Configuration for the rlm_krb5 module.  Values written as ${name}
#  (${localstatedir}, ${thread[pool].*}) are references to settings
#  defined elsewhere in the server configuration, not literal strings.
#
krb5 {
	#
	#  The keytab file MUST be owned by the UID/GID used by the server.
	#  The keytab file MUST be writable by the server.
	#  The keytab file MUST NOT be readable by other users on the system.
	#  The keytab file MUST exist before the server is started.
	#
	#  NOTE(review): the keytab holds long-term service keys, so keep its
	#  mode as tight as the rules above allow (owner-only access).  Check
	#  against doc/modules/rlm_krb5 whether the module really needs write
	#  access; if it only reads the keytab, owner read-only is the
	#  least-privilege setting -- confirm before changing.
	#
	keytab = ${localstatedir}/lib/radiusd/keytab

	#
	#  Service principal used by the module.  "name_of_principle" is a
	#  placeholder and must be replaced before use (presumably with a
	#  principal whose key is present in the keytab above -- confirm
	#  against doc/modules/rlm_krb5).
	#
	service_principal = name_of_principle

	#
	#  Pool of krb5 contexts.  This allows us to make the module
	#  multithreaded and to avoid expensive operations like resolving
	#  and opening keytabs on every request.  It may also allow TCP
	#  connections to the KDC to be cached if that is supported by the
	#  version of libkrb5 used.
	#
	#  The context pool is only used if the underlying libkrb5 reported
	#  that it was thread safe at compile time.
	#
	pool {
		#  Connections to create during module instantiation.
		#  If the server cannot create the specified number of
		#  connections during instantiation it will exit.
		#  Set to 0 to allow the server to start without the
		#  KDC being available.
		start = ${thread[pool].start_servers}

		#  Minimum number of connections to keep open.
		min = ${thread[pool].min_spare_servers}

		#  Maximum number of connections.
		#
		#  If these connections are all in use and a new one
		#  is requested, the request will NOT get a connection.
		#
		#  Setting 'max' to LESS than the number of threads means
		#  that some threads may starve, and you will see errors
		#  like 'No connections available and at max connection limit'
		#
		#  Setting 'max' to MORE than the number of threads means
		#  that there are more connections than necessary.
		max = ${thread[pool].max_servers}

		#  Spare connections to be left idle.
		#
		#  NOTE: Idle connections WILL be closed if "idle_timeout"
		#  is set.  This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		#  Number of uses before the connection is closed.
		#
		#  0 means "infinite" uses.
		uses = 0

		#  The lifetime (in seconds) of the connection.
		#
		#  NOTE: A setting of 0 means infinite (no limit).
		lifetime = 0

		#  The idle timeout (in seconds).  A connection which is
		#  unused for this length of time will be closed.
		#
		#  NOTE: A setting of 0 means infinite (no timeout).
		idle_timeout = 0

		#  NOTE: All configuration settings are enforced.  If a
		#  connection is closed because of "idle_timeout",
		#  "uses", or "lifetime", then the total number of
		#  connections MAY fall below "min".  When that
		#  happens, it will open a new connection.  It will
		#  also log a WARNING message.
		#
		#  The solution is to either lower the "min" connections,
		#  or increase lifetime/idle_timeout.
	}
}