# -*- text -*-
#
#  $Id: 29a92b9c099a8238fbff0dec60bef00cfb89010a $

#
#  Kerberos.  See doc/modules/rlm_krb5 for minimal docs.
#
krb5 {
	keytab = /path/to/keytab
	service_principal = name_of_principle

	#  Pool of krb5 contexts, this allows us to make the module multithreaded
	#  and to avoid expensive operations like resolving and opening keytabs
	#  on every request.  It may also allow TCP connections to the KDC to be
	#  cached if that is supported by the version of libkrb5 used.
	#
	#  The context pool is only used if the underlying libkrb5 reported
	#  that it was thread safe at compile time.
	#
	pool {
		# Number of connections to start
		start = ${thread[pool].start_servers}

		# Minimum number of connections to keep open
		min = ${thread[pool].min_spare_servers}

		# Maximum number of connections
		#
		# If these connections are all in use and a new one
		# is requested, the request will NOT get a connection.
		#
		# NOTE: This should be greater than or equal to "min" above.
		max = ${thread[pool].max_servers}

		# Spare connections to be left idle
		#
		# NOTE: Idle connections WILL be closed if "idle_timeout"
		# is set.  This should be less than or equal to "max" above.
		spare = ${thread[pool].max_spare_servers}

		# Number of uses before the connection is closed
		#
		# NOTE: A setting of 0 means infinite (no limit).
		uses = 0

		# The lifetime (in seconds) of the connection
		#
		# NOTE: A setting of 0 means infinite (no limit).
		lifetime = 0

		# The idle timeout (in seconds).  A connection which is
		# unused for this length of time will be closed.
		#
		# NOTE: A setting of 0 means infinite (no timeout).
		idle_timeout = 0

		# NOTE: All configuration settings are enforced.  If a
		# connection is closed because of "idle_timeout",
		# "uses", or "lifetime", then the total number of
		# connections MAY fall below "min".  When that
		# happens, it will open a new connection.  It will
		# also log a WARNING message.
		#
		# The solution is to either lower the "min" connections,
		# or increase lifetime/idle_timeout.
	}
}
