# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
    dns_canonicalize_hostname = fallback
    qualify_shortname = ""
    default_realm = JCOLEBRAND.INFO
    default_ccache_name = KEYRING:persistent:%{uid}

[realms]
JCOLEBRAND.INFO = {
    kdc = medusa.jcolebrand.info
    admin_server = medusa.jcolebrand.info
    database_module = LDAP
}

[domain_realm]
.jcolebrand.info = JCOLEBRAND.INFO
jcolebrand.info = JCOLEBRAND.INFO

[dbmodules]
LDAP = {
    ldap_kerberos_container_dn = "cn=mit-krb5,ou=apps,dc=jcolebrand,dc=info"
    db_library = kldap
    ldap_kdc_dn = "cn=krb5-kdc,ou=profile,dc=jcolebrand,dc=info"
    ldap_kadmind_dn = "cn=krb5-adm,ou=profile,dc=jcolebrand,dc=info"
    ldap_cert_path = /etc/ssl/certs/ISRG_Root_X1.1.pem
    ldap_servers = ldaps://jcolebrand.info
}