2 # Example configuration for ABFAB listening on TLS.
# NOTE(review): plaintext placeholder. If the private key is encrypted, the
# real passphrase sits here in clear text, so this file must be readable only
# by the RADIUS server user; never commit a real value to version control.
13 private_key_password = whatever
15 # Moonshot tends to distribute certs separate from keys
16 private_key_file = ${certdir}/server.key
17 certificate_file = ${certdir}/server.pem
# CA bundle; presumably also what client certificates are verified against
# when require_client_cert is set below — confirm for this server version.
18 ca_file = ${cadir}/ca.pem
19 dh_file = ${certdir}/dh
# NOTE(review): "DEFAULT" hands cipher selection to the OpenSSL build's
# default list, which may still include weak suites. Restrict it (and the
# minimum TLS version, where the server supports that option) for production;
# TODO confirm peers still interoperate after tightening.
22 cipher_list = "DEFAULT"
28 # persist_dir = ${logdir}/abfab-tls
# Mutual TLS: every connecting client must present a certificate. Since the
# client stanza referenced below allows all clients, this check is what stops
# one peer from impersonating another (see the certificate-verification note
# in the commented example below).
31 require_client_cert = yes
# PSK lookup: the identity presented by the peer is expanded into the SQL text.
# NOTE(review): relies on the sql xlat escaping the expanded attribute value —
# confirm the psksql module's safe_characters / escaping configuration.
35 psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
38 virtual_server = abfab-idp
40 clients = radsec-abfab
43 clients radsec-abfab {
45 # Allow all clients, but require TLS with a client certificate (require_client_cert above).
46 # This client stanza will match other RP proxies from other
47 # realms established via the trustrouter. In general
48 # additional client stanzas are also required for local services.
55 # An example local service
58 # # You should either set gss_acceptor_host_name below
59 # # or set up policy to confirm that a client claims
60 # # the right acceptor hostname when using ABFAB. If
61 # # set, the RADIUS server will confirm that all
62 # # requests have this value for the acceptor host name
63 # gss_acceptor_host_name = "server.example.com"
64 # # If set, this acceptor realm name will be included.
65 # Foreign realms will typically reject a request if this is not
67 # gss_acceptor_realm_name = "example.com"
68 # # Additionally, trust_router_coi can be set; if set
69 # # it will override the default_community in the realm
71 # # trust_router_coi = "community1.example.net"
72 # # In production deployments it is important to set
73 # # up certificate verification so that even if
74 # # clients spoof IP addresses, one client cannot
75 # # impersonate another.