[authentication]
# The authentiction backend specifies how the user is authenticated,
# in case of 'pam' simplepam.authenticate is used to authenticate against
# sshd PAM service. In case of 'kerberos' SPNEGO is used to authenticate
# user against eg. Active Directory or Samba4.

backends = pam
;backends = kerberos
;backends = ldap
;backends = kerberos ldap
;backends = kerberos pam

[accounts]
# The accounts backend specifies how the user's given name, surname and e-mail
# address are looked up. In case of 'posix' basically 'getent passwd' is performed,
# in case of 'ldap' a search is performed on LDAP server specified in /etc/ldap/ldap.conf
# with Kerberos credential cache initialized at path specified by 'ldap gssapi credential cache'

backend = posix
;backend = ldap
ldap gssapi credential cache = /run/certidude/krb5cc

[authorization]
# The authorization backend specifies how the users are authorized.
# In case of 'posix' simply group membership is asserted,
# in case of 'ldap' search filter with username as placeholder is applied.

backend = posix
posix user group = users
posix admin group = sudo

;backend = ldap
ldap computer filter = (&(objectclass=user)(objectclass=computer)(samaccountname=%s))
ldap user filter = (&(objectclass=user)(objectcategory=person)(samaccountname=%s))
ldap admin filter = (&(memberOf=cn=Domain Admins,cn=Users,{% if base %}{{ base }}{% else %}dc=example,dc=com{% endif %})(samaccountname=%s))

# Users are allowed to log in from user subnets
user subnets = 0.0.0.0/0

# Authority administrators are allowed to sign and revoke certificates from these subnets
admin subnets = 0.0.0.0/0

# Certificate signing requests are allowed to be submitted from these subnets
request subnets = 0.0.0.0/0

# Certificates are automatically signed for these subnets
autosign subnets = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

[logging]
backend = sql
database = sqlite://{{ directory }}/db.sqlite

[tagging]
backend = sql
database = sqlite://{{ directory }}/db.sqlite

[leases]
backend = sql
schema = strongswan
database = sqlite://{{ directory }}/db.sqlite

[signature]
certificate lifetime = {{ certificate_lifetime }}
revocation list lifetime = {{ revocation_list_lifetime }}
certificate url = {{ certificate_url }}
revoked url = {{ revoked_url }}

[push]
event source = {{ push_server }}/ev/%s
long poll = {{ push_server }}/lp/%s
publish = {{ push_server }}/pub?id=%s

[authority]
private key path = {{ ca_key }}
certificate path = {{ ca_crt }}

requests dir = {{ directory }}/requests/
signed dir = {{ directory }}/signed/
revoked dir = {{ directory }}/revoked/
expired dir = {{ directory }}/expired/
outbox = {{ outbox }}