# krb5.conf — MIT Kerberos client/KDC configuration, read by the krb5 profile
# library rather than a generic INI parser: "name = { ... }" opens a nested
# stanza, comments are full-line only, and %{uid} is a krb5 parameter
# expansion rather than INI interpolation.
#
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.

# Files in this directory are merged into the effective configuration, so a
# setting that looks missing here (e.g. a [dbmodules] stanza named LDAP, see
# the note under [realms]) may be supplied there — check it before editing.
includedir /etc/krb5.conf.d/

# Log destinations for the library, the KDC and kadmind.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# Do not derive the realm of a host from DNS TXT records; DNS answers are
# unauthenticated, so this keeps realm mapping under local control.
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Do not use reverse DNS (PTR) lookups when building service principal names.
rdns = false
# Trust anchors used to validate the KDC certificate during PKINIT.
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# Canonicalize the server host name via DNS only if the name is not found as
# given.
dns_canonicalize_hostname = fallback
# Empty string: single-component host names are not qualified with a domain
# suffix (the quotes are stripped by the profile parser, yielding "").
qualify_shortname = ""
default_realm = JCOLEBRAND.INFO
# Per-user persistent kernel keyring; %{uid} is expanded by krb5 at runtime.
default_ccache_name = KEYRING:persistent:%{uid}

# NOTE(review): database_module names a stanza under [dbmodules]; this file
# defines JCOLEBRAND.INFO and EXAMPLE.COM there but no stanza named LDAP.
# Per the krb5.conf documentation a missing stanza means default database
# parameters are used, i.e. the LDAP settings below would not apply to this
# realm unless an LDAP stanza comes from includedir. Either set
# database_module = JCOLEBRAND.INFO (the default is the realm name) or rename
# the stanza — confirm against the running KDC.
[realms]
JCOLEBRAND.INFO = {
    kdc = medusa.jcolebrand.info
    admin_server = medusa.jcolebrand.info
    database_module = LDAP
}

# Host-name to realm mapping. NOTE(review): these entries map example.com, not
# jcolebrand.info, and look like template values left in place; hosts under
# .jcolebrand.info currently rely on the default_realm fallback.
[domain_realm]
.example.com = JCOLEBRAND.INFO
example.com = JCOLEBRAND.INFO

# Per-realm KDC database backend settings. Keys not set in a stanza are
# inherited from [dbdefaults] (for JCOLEBRAND.INFO that includes
# ldap_service_password_file and ldap_conns_per_server).
[dbmodules]
JCOLEBRAND.INFO = {
    ldap_kerberos_container_dn = "cn=krbcontainer,dc=jcolebrand,dc=info"
    db_library = kldap
    ldap_kdc_dn = "cn=kdc service,ou=profile,dc=jcolebrand,dc=info"
    ldap_kadmind_dn = "cn=kadmin service,ou=profile,dc=jcolebrand,dc=info"
    ldap_cert_path = /etc/ssl/certs/ISRG_Root_X1.1.pem
    ldap_servers = ldaps://jcolebrand.info
}
# NOTE(review): ldap_cert_path above — confirm the installed kldap module
# honours this key; if it does not, certificate validation for the ldaps://
# connection is governed by the LDAP client library's own TLS configuration.

# NOTE(review): repeated [dbmodules] header. The MIT profile parser merges a
# repeated section header into the existing section (verify for the installed
# version), so this is not an error, but a single [dbmodules] section would
# make the effective configuration easier to audit. No realm named
# EXAMPLE.COM exists in [realms], so this stanza appears to be unused.
[dbmodules]
EXAMPLE.COM = {
    db_library = kldap
}

# Fallback values for every [dbmodules] stanza.
[dbdefaults]
# Local UNIX-socket LDAP; used only by stanzas that do not set ldap_servers.
ldap_servers = ldapi:///
# NOTE(review): "examle" looks like a typo of "example" and these DNs appear
# to be template values; only the EXAMPLE.COM stanza above would inherit them.
ldap_kerberos_container_dn = "cn=mit-krb5,ou=apps,dc=examle,dc=com"
ldap_kdc_dn = "uid=krb5-kdc,ou=dso,dc=examle,dc=com"
ldap_kadmind_dn = "uid=krb5-adm,ou=dso,dc=examle,dc=com"
# Stash of the LDAP bind passwords for the KDC and kadmind DNs (written by
# kdb5_ldap_util stashsrvpw). It holds credentials: keep it owned by root
# with mode 0600 and out of backups/VCS.
ldap_service_password_file = /etc/secrets/krb5-ldap.pass
ldap_conns_per_server = 5
# Do not write the "last successful authentication" field back to the
# directory on each authentication; reduces LDAP write load at the cost of
# that field not being maintained.
disable_last_success = true