2 # Example configuration for ABFAB listening on TLS.
13 private_key_password = whatever
15 # Moonshot tends to distribute certs separately from keys
16 private_key_file = ${certdir}/server.key
17 certificate_file = ${certdir}/server.pem
18 ca_file = ${cadir}/ca.pem
19 dh_file = ${certdir}/dh
22 cipher_list = "DEFAULT"
30 require_client_cert = yes
34 psk_query = "%{psksql:select hex(key) from psk_keys where keyid = '%{TLS-PSK-Identity}'}"
37 virtual_server = abfab-idp
39 clients = radsec-abfab
42 clients radsec-abfab {
44 # Allow all clients, but require TLS.
45 # This client stanza will match other RP proxies from other
46 # realms established via the trustrouter. In general
47 # additional client stanzas are also required for local services.
54 # An example local service
57 # # You should either set gss_acceptor_host_name below
58 # # or set up policy to confirm that a client claims
59 # # the right acceptor hostname when using ABFAB. If
60 # # set, the RADIUS server will confirm that all
61 # # requests have this value for the acceptor host name
62 # gss_acceptor_host_name = "server.example.com"
63 # # If set, this acceptor realm name will be included.
64 # Foreign realms will typically reject a request if this is not
66 # gss_acceptor_realm_name = "example.com"
67 # # Additionally, trust_router_coi can be set; if set
68 # # it will override the default_community in the realm
70 # # trust_router_coi = "community1.example.net"
71 # # In production deployments it is important to set
72 # # up certificate verification so that even if
73 # # clients spoof IP addresses, one client cannot
74 # # impersonate another.