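# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
# NOTE(review): after opting out, the system-wide policy no longer constrains
# the encryption types used here; set the permitted enctypes explicitly in
# [libdefaults] if you remove the symlink.
#
# Every file picked up from the directory below is merged into this profile,
# so the directory and its contents should be writable by root only.
includedir /etc/krb5.conf.d/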
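# Log destinations for the Kerberos libraries (default), the KDC and kadmind.
# KDC and kadmind logs typically contain principal names and client
# addresses; keep the files readable by administrators only.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log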
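# Library-wide defaults applied to Kerberos clients that read this profile.
[libdefaults]
# Do not use DNS TXT records to decide which realm a host belongs to.
dns_lookup_realm = false
# Requested ticket lifetime and maximum renewable lifetime.
ticket_lifetime = 24h
renew_lifetime = 7d
# Request forwardable TGTs by default. A forwarded TGT lets the receiving
# host act as the user; set to false if delegation is not required.
forwardable = true
# Do not reverse-resolve server addresses when forming service principal
# names, so PTR records cannot influence which principal is requested.
rdns = false
# Trust anchors for PKINIT: the system-wide CA bundle.
# NOTE(review): this accepts any CA in the bundle as an anchor; if PKINIT is
# in use, consider pointing at the issuing CA only.
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# Group offered for SPAKE pre-authentication.
spake_preauth_groups = edwards25519
# Use the hostname as given first; canonicalize through DNS only when the
# KDC does not know the principal under the original name.
dns_canonicalize_hostname = fallback
# Empty string: do not append a domain suffix to single-component hostnames.
qualify_shortname = ""
default_realm = JCOLEBRAND.INFO
# Per-user credential cache held in the kernel keyring instead of a file.
default_ccache_name = KEYRING:persistent:%{uid}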
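# Per-realm servers, plus the name of the KDC database module to load.
[realms]
JCOLEBRAND.INFO = {
kdc = medusa.jcolebrand.info
admin_server = medusa.jcolebrand.info
# NOTE(review): database_module names a subsection of [dbmodules]. This file
# defines JCOLEBRAND.INFO and EXAMPLE.COM there, but nothing called LDAP.
# Unless a file under /etc/krb5.conf.d/ defines it, the kldap settings
# written for this realm are not the ones selected here. Confirm which
# module is intended and make the two names match.
database_module = LDAP
}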
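# Maps DNS domains (leading dot) and single hosts to a realm.
# NOTE(review): both entries map the placeholder domain example.com to the
# realm JCOLEBRAND.INFO and look like template leftovers. Confirm whether the
# site's own domain was meant; a wrong mapping makes clients request service
# tickets for hosts in an unrelated domain from this realm's KDC.
[domain_realm]
.example.com = JCOLEBRAND.INFO
example.com = JCOLEBRAND.INFO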
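# KDC database modules. All module subsections are kept under this single
# [dbmodules] header so the effective configuration is visible in one place.
[dbmodules]
JCOLEBRAND.INFO = {
ldap_kerberos_container_dn = "cn=krbcontainer,dc=jcolebrand,dc=info"
db_library = kldap
# Bind DNs used by the KDC and by kadmind. Grant each only the directory
# access it needs; kadmind writes principals, the KDC mostly reads them.
ldap_kdc_dn = "cn=kdc service,ou=profile,dc=jcolebrand,dc=info"
ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=jcolebrand,dc=info"
# NOTE(review): confirm that the kldap plugin build in use reads
# ldap_cert_path. If it does not, validation of the ldaps:// server
# certificate depends on the system LDAP client TLS settings instead.
ldap_cert_path = /etc/ssl/certs/ISRG_Root_X1.1.pem
ldap_servers = ldaps://jcolebrand.info
# No ldap_service_password_file is set in this subsection, so the value from
# [dbdefaults] applies.
}
# NOTE(review): placeholder realm with no settings of its own beyond the
# library; everything else comes from [dbdefaults]. Remove it if unused.
EXAMPLE.COM = {
db_library = kldap
}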
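# Defaults used by any [dbmodules] subsection that does not set the key.
[dbdefaults]
# LDAP over a local UNIX-domain socket.
ldap_servers = ldapi:///
# NOTE(review): "dc=examle" in the three DNs below looks like a misspelling
# of a template value and does not match the dc=jcolebrand,dc=info DNs used
# in [dbmodules]. Confirm these are the intended fallbacks.
ldap_kerberos_container_dn = "cn=mit-krb5,ou=apps,dc=examle,dc=com"
ldap_kdc_dn = "uid=krb5-kdc,ou=dso,dc=examle,dc=com"
ldap_kadmind_dn = "uid=krb5-adm,ou=dso,dc=examle,dc=com"
# Stash file holding the bind passwords for the KDC and kadmind DNs. Treat it
# as a secret: owned by root, mode 0600, kept out of backups that are less
# protected than the KDC itself and out of version control.
ldap_service_password_file = /etc/secrets/krb5-ldap.pass
ldap_conns_per_server = 5
# Suppress KDC updates of the last-successful-authentication field on
# principal entries, which reduces directory writes. That timestamp is then
# not available when reviewing account activity.
disable_last_success = true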