+++ /dev/null
-[libdefaults]
- default_realm = TEST.H5L.SE
- no-addresses = TRUE
- allow_weak_crypto = TRUE
- rdns = false
- fcache_strict_checking = false
- name_canon_rules = as-is:realm=TEST.H5L.SE
-
-[appdefaults]
- pkinit_anchors = FILE:@objdir@/pkinit-anchor.pem
- pkinit_pool = FILE:@objdir@/pkinit-anchor.pem
-
-[realms]
- TEST.H5L.SE = {
- kdc = localhost:@port@
- pkinit_win2k = @w2k@
- }
-
-[kdc]
- check-ticket-addresses = no
- warn_ticket_addresses = yes
- num-kdc-processes = 1
- strict-nametypes = true
- enable-pkinit = true
- pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
- pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
- pkinit_mappings_file = @srcdir@/pki-mapping
-
- # Locate kdc plugins for testing
- plugin_dir = @objdir@/../../kdc/.libs
-
- # Configure kdc plugins for testing
- simple_csr_authorizer_directory = @objdir@/simple_csr_authz
-
- enable-pkinit = true
- pkinit_identity = PEM-FILE:@objdir@/user-issuer.pem
- pkinit_anchors = PEM-FILE:@objdir@/pkinit-anchor.pem
- pkinit_mappings_file = @srcdir@/pki-mapping
- pkinit_max_life_from_cert = 5d
-
- database = {
- dbname = @objdir@/current-db
- realm = TEST.H5L.SE
- mkey_file = @objdir@/mkey.file
- log_file = @objdir@/log.current-db.log
- }
-
- negotiate_token_validator = {
- keytab = FILE:@objdir@/kt
- }
-
- realms = {
- TEST.H5L.SE = {
- kx509 = {
- user = {
- include_pkinit_san = true
- subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
- ekus = 1.3.6.1.5.5.7.3.2
- ca = PEM-FILE:@objdir@/user-issuer.pem
- }
- hostbased_service = {
- HTTP = {
- include_dnsname_san = true
- ekus = 1.3.6.1.5.5.7.3.1
- ca = PEM-FILE:@objdir@/server-issuer.pem
- }
- }
- client = {
- ekus = 1.3.6.1.5.5.7.3.2
- ca = PEM-FILE:@objdir@/user-issuer.pem
- }
- server = {
- ekus = 1.3.6.1.5.5.7.3.1
- ca = PEM-FILE:@objdir@/server-issuer.pem
- }
- mixed = {
- ekus = 1.3.6.1.5.5.7.3.1
- ekus = 1.3.6.1.5.5.7.3.2
- ca = PEM-FILE:@objdir@/mixed-issuer.pem
- }
- }
- }
- }
-
-[hdb]
- db-dir = @objdir@
-
-[bx509]
- simple_csr_authorizer_directory = @objdir@/simple_csr_authz
- realms = {
- TEST.H5L.SE = {
- # Default (no cert exts requested)
- user = {
- # Use an issuer for user certs:
- ca = PEM-FILE:@objdir@/user-issuer.pem
- subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
- ekus = 1.3.6.1.5.5.7.3.2
- include_pkinit_san = true
- }
- hostbased_service = {
- # Only for HTTP services
- HTTP = {
- # Use an issuer for server certs:
- ca = PEM-FILE:@objdir@/server-issuer.pem
- include_dnsname_san = true
- # Don't bother with a template
- }
- }
- # Non-default certs (extensions requested)
- #
- # Use no templates -- get empty subject names,
- # use SANs.
- #
- # Use appropriate issuers.
- client = {
- ca = PEM-FILE:@objdir@/user-issuer.pem
- }
- server = {
- ca = PEM-FILE:@objdir@/server-issuer.pem
- }
- mixed = {
- ca = PEM-FILE:@objdir@/mixed-issuer.pem
- }
- }
- }
-
-[get-tgt]
- no_addresses = true
- allow_addresses = true
- simple_csr_authorizer_directory = @objdir@/simple_csr_authz
- realms = {
- TEST.H5L.SE = {
- # Default (no cert exts requested)
- client = {
- # Use an issuer for user certs:
- ca = PEM-FILE:@objdir@/user-issuer.pem
- subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
- ekus = 1.3.6.1.5.5.7.3.2
- include_pkinit_san = true
- allow_extra_lifetime = true
- max_cert_lifetime = 7d
- force_cert_lifetime = 2d
- }
- user = {
- # Use an issuer for user certs:
- ca = PEM-FILE:@objdir@/user-issuer.pem
- subject_name = CN=${principal-name-without-realm},DC=test,DC=h5l,DC=se
- ekus = 1.3.6.1.5.5.7.3.2
- include_pkinit_san = true
- allow_extra_lifetime = true
- max_cert_lifetime = 7d
- force_cert_lifetime = 2d
- }
- hostbased_service = {
- # Only for HTTP services
- HTTP = {
- # Use an issuer for server certs:
- ca = PEM-FILE:@objdir@/server-issuer.pem
- include_dnsname_san = true
- # Don't bother with a template
- }
- }
- # Non-default certs (extensions requested)
- #
- # Use no templates -- get empty subject names,
- # use SANs.
- #
- # Use appropriate issuers.
- client = {
- ca = PEM-FILE:@objdir@/user-issuer.pem
- }
- server = {
- ca = PEM-FILE:@objdir@/server-issuer.pem
- }
- mixed = {
- ca = PEM-FILE:@objdir@/mixed-issuer.pem
- }
- }
- }
-
-[logging]
- kdc = 0-/FILE:@objdir@/messages.log
- bx509d = 0-/FILE:@objdir@/messages.log
- default = 0-/FILE:@objdir@/messages.log
-
-[domain_realm]
- . = TEST.H5L.SE