# -*- text -*-
#
#  $Id: d17b8b8fb8b442869e4aff143d345168875c55c8 $

#
#  Kerberos.  See doc/rlm_krb5 for minimal docs.
#
krb5 {
	#  Path to the keytab file.  The value below is a placeholder.
	#
	#  A keytab stores long-term Kerberos keys, so anyone who can read
	#  it can act as the principal(s) it contains.  Keep it owned by
	#  the account the server runs as, with no group/world access,
	#  and keep it out of backups and repositories that are broadly
	#  readable.
	keytab = /path/to/keytab

	#  Service principal to use.  The value below is a placeholder and
	#  must be replaced; Kerberos service principals normally take the
	#  form "service/hostname@REALM".
	#  NOTE(review): presumably this must match an entry in the keytab
	#  above - confirm against doc/rlm_krb5.
	service_principal = name_of_principle

	#  Pool of krb5 contexts, this allows us to make the module multithreaded
	#  and to avoid expensive operations like resolving and opening keytabs
	#  on every request.  It may also allow TCP connections to the KDC to be
	#  cached if that is supported by the version of libkrb5 used.
	#
	#  The context pool is only used if the underlying libkrb5 reported
	#  that it was thread safe at compile time.
	pool {
		# Number of contexts to create
		start = 10

		# Minimum number of contexts to keep available
		min = 4

		# Maximum number of contexts
		#
		# If these contexts are all in use and a new one
		# is requested, the request will NOT get a context.
		# Size this for peak authentication load: once the pool
		# is exhausted, further requests cannot use this module
		# until a context is released.
		max = 10

		# Spare contexts to be left idle
		#
		# NOTE: Idle contexts WILL be closed if "idle_timeout"
		# is set.
		spare = 3

		# Number of uses before the context is freed
		# 0 means "infinite"
		uses = 0

		# The lifetime (in seconds) of the context
		# NOTE(review): 0 presumably means "no limit", as it does
		# for "uses" - confirm.
		lifetime = 0

		# Idle timeout (in seconds).  A context which is
		# unused for this length of time will be freed.
		idle_timeout = 60

		# NOTE: All configuration settings are enforced.  If a
		# context is closed because of "idle_timeout",
		# "uses", or "lifetime", then the total number of
		# contexts MAY fall below "min".  When that
		# happens, it will create a new context.  It will
		# also log a WARNING message.
		#
		# The solution is to either lower the "min" contexts,
		# or increase lifetime/idle_timeout.
	}
}
