rlm_krb5

Synopsis

The krb5 module implements support for Kerberos authentication.

Processing Sections

authenticate

When listed in the authenticate section, the krb5 module authenticates to the Kerberos DC, using the User-Name and User-Password from the request.

In order to use Kerberos authentication, the administrator must manually set control:Auth-Type := krb5.

Return codes: fail The module was unable to connect to the Kerberos DC.
: invalid The request does not contain a User-Name or a User-Password attribute.
: reject The user’s password is incorrect.
: userlock The user’s account is locked.
: notfound The user’s account was not found.
: ok The user was successfully authenticated.

Expansions

None.

Directives

keytab

Syntax: keytab = filename
Default: none
Description: The full path to the Kerberos Keytab file.

service_principal

Syntax: service_principal = string
Default: none
Description: The name of the service principle. Typically the host name of the Kerberos server.

pool

Syntax: pool { … }
Description: A sub-section that manages connections to the Kerberos DC. See the pool documentation for more information.