[libdefaults]
	default_realm = TEST.H5L.SE
	no-addresses = TRUE
	allow_weak_crypto = TRUE
        rdns = false
        fcache_strict_checking = false
        name_canon_rules = as-is:realm=TEST.H5L.SE

[appdefaults]
	pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem
	pkinit_pool = FILE:@objdir@/pkinit-anchor.pem

[realms]
	TEST.H5L.SE = {
		kdc = localhost:@port@
		pkinit_win2k = @w2k@
	}

[kdc]
        check-ticket-addresses = no
        warn_ticket_addresses = yes
        num-kdc-processes = 1
        strict-nametypes = true
	enable-pkinit = true
        pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
	pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
	pkinit_mappings_file = @srcdir@/pki-mapping

        # Locate kdc plugins for testing
        plugin_dir =  @objdir@/../../kdc/.libs

        enable-pkinit = true
        pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
        pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
        pkinit_mappings_file = @srcdir@/pki-mapping
        pkinit_max_life_from_cert = 5d
 
	database = {
		dbname = @objdir@/current-db
		realm = TEST.H5L.SE
		mkey_file = @objdir@/mkey.file
                log_file = @objdir@/log.current-db.log
	}

        negotiate_token_validator = {
                keytab = FILE:@objdir@/kt
        }

        realms = {
                TEST.H5L.SE = {
                        kx509 = {
                                user = {
                                        include_pkinit_san = true
                                        subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
                                        ekus = 1.3.6.1.5.5.7.3.2
                                        ca = PEM-FILE:@objdir@/user-issuer.pem
                                }
                                hostbased_service = {
                                        HTTP = {
                                                include_dnsname_san = true
                                                ekus = 1.3.6.1.5.5.7.3.1
                                                ca = PEM-FILE:@objdir@/server-issuer.pem
                                        }
                                }
                                client = {
                                        ekus = 1.3.6.1.5.5.7.3.2
                                        ca = PEM-FILE:@objdir@/user-issuer.pem
                                }
                                server = {
                                        ekus = 1.3.6.1.5.5.7.3.1
                                        ca = PEM-FILE:@objdir@/server-issuer.pem
                                }
                                mixed = {
                                        ekus = 1.3.6.1.5.5.7.3.1
                                        ekus = 1.3.6.1.5.5.7.3.2
                                        ca = PEM-FILE:@objdir@/mixed-issuer.pem
                                }
                        }
                }
        }

[hdb]
	db-dir = @objdir@
 
[bx509]
        realms = {
                TEST.H5L.SE = {
                        # Default (no cert exts requested)
                        user = {
                                # Use an issuer for user certs:
                                ca = PEM-FILE:@objdir@/user-issuer.pem
                                subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
                                ekus = 1.3.6.1.5.5.7.3.2
                                include_pkinit_san = true
                        }
                        hostbased_service = {
                                # Only for HTTP services
                                HTTP = {
                                        # Use an issuer for server certs:
                                        ca = PEM-FILE:@objdir@/server-issuer.pem
                                        include_dnsname_san = true
                                        # Don't bother with a template
                                }
                        }
                        # Non-default certs (extensions requested)
                        #
                        # Use no templates -- get empty subject names,
                        # use SANs.
                        #
                        # Use appropriate issuers.
                        client = {
                                ca = PEM-FILE:@objdir@/user-issuer.pem
                        }
                        server = {
                                ca = PEM-FILE:@objdir@/server-issuer.pem
                        }
                        mixed = {
                                ca = PEM-FILE:@objdir@/mixed-issuer.pem
                        }
                }
        }

[get-tgt]
        no_addresses = true
        allow_addresses = true
        realms = {
                TEST.H5L.SE = {
                        # Default (no cert exts requested)
                        client = {
                                # Use an issuer for user certs:
                                ca = PEM-FILE:@objdir@/user-issuer.pem
                                subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
                                ekus = 1.3.6.1.5.5.7.3.2
                                include_pkinit_san = true
                                allow_extra_lifetime = true
                                max_cert_lifetime = 7d
                                force_cert_lifetime = 2d
                        }
                        user = {
                                # Use an issuer for user certs:
                                ca = PEM-FILE:@objdir@/user-issuer.pem
                                subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
                                ekus = 1.3.6.1.5.5.7.3.2
                                include_pkinit_san = true
                                allow_extra_lifetime = true
                                max_cert_lifetime = 7d
                                force_cert_lifetime = 2d
                        }
                        hostbased_service = {
                                # Only for HTTP services
                                HTTP = {
                                        # Use an issuer for server certs:
                                        ca = PEM-FILE:@objdir@/server-issuer.pem
                                        include_dnsname_san = true
                                        # Don't bother with a template
                                }
                        }
                        # Non-default certs (extensions requested)
                        #
                        # Use no templates -- get empty subject names,
                        # use SANs.
                        #
                        # Use appropriate issuers.
                        client = {
                                ca = PEM-FILE:@objdir@/user-issuer.pem
                        }
                        server = {
                                ca = PEM-FILE:@objdir@/server-issuer.pem
                        }
                        mixed = {
                                ca = PEM-FILE:@objdir@/mixed-issuer.pem
                        }
                }
        }

[logging]
	kdc = 0-/FILE:@objdir@/messages.log
	bx509d = 0-/FILE:@objdir@/messages.log
	default = 0-/FILE:@objdir@/messages.log

[domain_realm]
        . = TEST.H5L.SE