# Client-library defaults for the TEST.H5L.SE test realm. Section headers are
# not visible in this listing; @objdir@ and @port@ look like placeholders that
# are substituted when the test configuration is generated.
2 default_realm = TEST.H5L.SE
# Permits weak encryption types (single-DES class). Tolerable only in a test
# fixture; a production configuration should leave this off.
4 allow_weak_crypto = TRUE
# Relaxes the sanity checks made on file credential caches.
# NOTE(review): presumably the ownership/permission checks -- confirm against
# the library documentation. Test-only relaxation.
6 fcache_strict_checking = false
# Host names are taken as given (no canonicalization) and pinned to this realm.
7 name_canon_rules = as-is:realm=TEST.H5L.SE
# PKINIT trust anchors and the certificate pool both point at the same PEM file.
10 pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem
11 pkinit_pool = FILE:@objdir@/pkinit-anchor.pem
# KDC endpoint for the realm: loopback only, port taken from @port@.
15 kdc = localhost:@port@
# KDC-side settings (the section header is not visible in this listing).
# Address verification on presented tickets is switched off.
# NOTE(review): warn_ticket_addresses presumably logs a mismatch instead of
# rejecting it -- confirm. If so, the log is the only signal of a ticket being
# used from an unexpected address.
20 check-ticket-addresses = no
21 warn_ticket_addresses = yes
23 strict-nametypes = true
# PKINIT material: identity, trust anchors for client certificates, and the
# certificate-to-principal mapping file.
# NOTE(review): the identity is loaded from the user-issuer PEM file, which
# presumably also holds a private key -- confirm its file permissions.
25 pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
26 pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
27 pkinit_mappings_file = @srcdir@/pki-mapping
29 # Locate kdc plugins for testing
# Plugins are loaded from a build-tree path; anyone able to write there can
# supply code that the KDC loads, so this is only suitable for a test tree.
30 plugin_dir = @objdir@/../../kdc/.libs
32 # Configure kdc plugins for testing
33 simple_csr_authorizer_directory = @objdir@/simple_csr_authz
# The three pkinit_* keys below repeat the values given above. The enclosing
# stanza headers are not visible, so it cannot be told from here whether these
# are separate scopes; a repeated key inside one scope would be parser-dependent.
36 pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
37 pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
38 pkinit_mappings_file = @srcdir@/pki-mapping
# NOTE(review): presumably bounds the ticket lifetime derived from the client
# certificate to 5 days -- semantics inferred from the key name; confirm.
39 pkinit_max_life_from_cert = 5d
# Principal database, master-key file and database log all live in the build
# directory. Fine for a throwaway test KDC; a real deployment keeps the master
# key in a location readable only by the KDC account.
42 dbname = @objdir@/current-db
44 mkey_file = @objdir@/mkey.file
45 log_file = @objdir@/log.current-db.log
# Keytab handed to the Negotiate token validator. The stanza's closing brace is
# not visible in this listing. The keytab holds long-term service keys, so the
# file needs the same protection as a password store.
48 negotiate_token_validator = {
49 keytab = FILE:@objdir@/kt
# Certificate-issuance profiles (the enclosing stanza names are not visible in
# this listing). EKU OIDs used below:
#   1.3.6.1.5.5.7.3.1 = id-kp-serverAuth (TLS server authentication)
#   1.3.6.1.5.5.7.3.2 = id-kp-clientAuth (TLS client authentication)
# User profile: PKINIT SAN, subject built from the principal name, client-auth
# EKU, signed by the user issuer.
56 include_pkinit_san = true
57 subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
58 ekus = 1.3.6.1.5.5.7.3.2
59 ca = PEM-FILE:@objdir@/user-issuer.pem
# Server profile: dNSName SAN, server-auth EKU, signed by the server issuer.
63 include_dnsname_san = true
64 ekus = 1.3.6.1.5.5.7.3.1
65 ca = PEM-FILE:@objdir@/server-issuer.pem
# Issuer/EKU pairings: client-auth goes with the user issuer, server-auth with
# the server issuer, and the combination of both with a separate "mixed" issuer.
69 ekus = 1.3.6.1.5.5.7.3.2
70 ca = PEM-FILE:@objdir@/user-issuer.pem
73 ekus = 1.3.6.1.5.5.7.3.1
74 ca = PEM-FILE:@objdir@/server-issuer.pem
# ekus is given twice to list both EKUs; this relies on the parser collecting
# repeated keys rather than keeping only the first or last one.
77 ekus = 1.3.6.1.5.5.7.3.1
78 ekus = 1.3.6.1.5.5.7.3.2
79 ca = PEM-FILE:@objdir@/mixed-issuer.pem
# Directory consulted by the simple CSR authorizer.
# NOTE(review): its contents presumably decide which requested names and EKUs
# a principal may obtain -- confirm, and treat write access to it as equivalent
# to issuing authority.
89 simple_csr_authorizer_directory = @objdir@/simple_csr_authz
92 # Default (no cert exts requested)
94 # Use an issuer for user certs:
95 ca = PEM-FILE:@objdir@/user-issuer.pem
# NOTE(review): ${principal-name-without-realm} is presumably expanded from the
# authenticated principal, not from the request -- confirm.
96 subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
# 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth.
97 ekus = 1.3.6.1.5.5.7.3.2
98 include_pkinit_san = true
100 hostbased_service = {
101 # Only for HTTP services
103 # Use an issuer for server certs:
104 ca = PEM-FILE:@objdir@/server-issuer.pem
105 include_dnsname_san = true
106 # Don't bother with a template
109 # Non-default certs (extensions requested)
111 # Use no templates -- get empty subject names,
114 # Use appropriate issuers.
# Three issuers follow (user, server, mixed); the stanza headers that select
# between them are not visible in this listing. With no template and an empty
# subject, the requested extensions carry the whole identity of the
# certificate, so authorization of those extensions is the effective control.
116 ca = PEM-FILE:@objdir@/user-issuer.pem
119 ca = PEM-FILE:@objdir@/server-issuer.pem
122 ca = PEM-FILE:@objdir@/mixed-issuer.pem
# NOTE(review): presumably lets issued tickets carry client-requested
# addresses -- semantics inferred from the key name; confirm.
129 allow_addresses = true
130 simple_csr_authorizer_directory = @objdir@/simple_csr_authz
133 # Default (no cert exts requested)
135 # Use an issuer for user certs:
136 ca = PEM-FILE:@objdir@/user-issuer.pem
137 subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
# 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth.
138 ekus = 1.3.6.1.5.5.7.3.2
139 include_pkinit_san = true
# Lifetime policy: a 7-day ceiling and a 2-day forced value.
# NOTE(review): how force_cert_lifetime and max_cert_lifetime interact when
# allow_extra_lifetime is set is not visible here -- confirm against the
# issuing code before reusing these values outside a test.
140 allow_extra_lifetime = true
141 max_cert_lifetime = 7d
142 force_cert_lifetime = 2d
# The same seven settings repeat below; the stanza headers separating the two
# groups are not visible in this listing.
145 # Use an issuer for user certs:
146 ca = PEM-FILE:@objdir@/user-issuer.pem
147 subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
148 ekus = 1.3.6.1.5.5.7.3.2
149 include_pkinit_san = true
150 allow_extra_lifetime = true
151 max_cert_lifetime = 7d
152 force_cert_lifetime = 2d
154 hostbased_service = {
155 # Only for HTTP services
157 # Use an issuer for server certs:
158 ca = PEM-FILE:@objdir@/server-issuer.pem
159 include_dnsname_san = true
160 # Don't bother with a template
163 # Non-default certs (extensions requested)
165 # Use no templates -- get empty subject names,
168 # Use appropriate issuers.
# Three issuers follow (user, server, mixed); the stanza headers that select
# between them are not visible in this listing.
170 ca = PEM-FILE:@objdir@/user-issuer.pem
173 ca = PEM-FILE:@objdir@/server-issuer.pem
176 ca = PEM-FILE:@objdir@/mixed-issuer.pem
# Log destinations: the kdc, bx509d and default streams all append to one file
# in the build directory.
# NOTE(review): "0-" looks like an open-ended level range (level 0 and up),
# i.e. everything is logged -- confirm. That verbosity suits a test run; the
# resulting file can contain principal names and request details.
182 kdc = 0-/FILE:@objdir@/messages.log
183 bx509d = 0-/FILE:@objdir@/messages.log
184 default = 0-/FILE:@objdir@/messages.log