summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/tests/kdc/krb5-bx509.conf.in
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/tests/kdc/krb5-bx509.conf.in')
-rw-r--r--third_party/heimdal/tests/kdc/krb5-bx509.conf.in182
1 files changed, 182 insertions, 0 deletions
diff --git a/third_party/heimdal/tests/kdc/krb5-bx509.conf.in b/third_party/heimdal/tests/kdc/krb5-bx509.conf.in
new file mode 100644
index 0000000..2cd6fef
--- /dev/null
+++ b/third_party/heimdal/tests/kdc/krb5-bx509.conf.in
@@ -0,0 +1,182 @@
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+ allow_weak_crypto = TRUE
+ rdns = false
+ fcache_strict_checking = false
+ name_canon_rules = as-is:realm=TEST.H5L.SE
+
+[appdefaults]
+ pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem
+ pkinit_pool = FILE:@objdir@/pkinit-anchor.pem
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ pkinit_win2k = @w2k@
+ }
+
+[kdc]
+ check-ticket-addresses = no
+ warn_ticket_addresses = yes
+ num-kdc-processes = 1
+ strict-nametypes = true
+ enable-pkinit = true
+ pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
+ pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
+ pkinit_mappings_file = @srcdir@/pki-mapping
+
+ # Locate kdc plugins for testing
+ plugin_dir = @objdir@/../../kdc/.libs
+
+ enable-pkinit = true
+ pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
+ pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_max_life_from_cert = 5d
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/log.current-db.log
+ }
+
+ negotiate_token_validator = {
+ keytab = FILE:@objdir@/kt
+ }
+
+ realms = {
+ TEST.H5L.SE = {
+ kx509 = {
+ user = {
+ include_pkinit_san = true
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ hostbased_service = {
+ HTTP = {
+ include_dnsname_san = true
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ }
+ client = {
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ekus = 1.3.6.1.5.5.7.3.1
+ ekus = 1.3.6.1.5.5.7.3.2
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+ }
+
+[hdb]
+ db-dir = @objdir@
+
+[bx509]
+ realms = {
+ TEST.H5L.SE = {
+ # Default (no cert exts requested)
+ user = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ }
+ hostbased_service = {
+ # Only for HTTP services
+ HTTP = {
+ # Use an issuer for server certs:
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ include_dnsname_san = true
+ # Don't bother with a template
+ }
+ }
+ # Non-default certs (extensions requested)
+ #
+ # Use no templates -- get empty subject names,
+ # use SANs.
+ #
+ # Use appropriate issuers.
+ client = {
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+
+[get-tgt]
+ no_addresses = true
+ allow_addresses = true
+ realms = {
+ TEST.H5L.SE = {
+ # Default (no cert exts requested)
+ client = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ allow_extra_lifetime = true
+ max_cert_lifetime = 7d
+ force_cert_lifetime = 2d
+ }
+ user = {
+ # Use an issuer for user certs:
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
+ ekus = 1.3.6.1.5.5.7.3.2
+ include_pkinit_san = true
+ allow_extra_lifetime = true
+ max_cert_lifetime = 7d
+ force_cert_lifetime = 2d
+ }
+ hostbased_service = {
+ # Only for HTTP services
+ HTTP = {
+ # Use an issuer for server certs:
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ include_dnsname_san = true
+ # Don't bother with a template
+ }
+ }
+ # Non-default certs (extensions requested)
+ #
+ # Use no templates -- get empty subject names,
+ # use SANs.
+ #
+ # Use appropriate issuers.
+ client = {
+ ca = PEM-FILE:@objdir@/user-issuer.pem
+ }
+ server = {
+ ca = PEM-FILE:@objdir@/server-issuer.pem
+ }
+ mixed = {
+ ca = PEM-FILE:@objdir@/mixed-issuer.pem
+ }
+ }
+ }
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ bx509d = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[domain_realm]
+ . = TEST.H5L.SE
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-30 22:05:38 +0000