diff --git a/doc/sample.config b/doc/sample.config
index 1893de3c..5b549902 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -1,21 +1,20 @@
-# User authentication method. Could be set multiple times and in
-# that case all should succeed. To enable multiple methods use
-# multiple auth directives. Available options: certificate,
-# plain, pam, radius, gssapi. Note that authentication methods
-# utilizing passwords cannot be combined (e.g., the plain, pam
-# or radius methods).
-#
-# Note that authentication methods cannot be changed with reload.
+### The following directives do not change with server reload.
+
+# User authentication method. To require multiple methods to be
+# used for the user to login, add multiple auth directives.
+# Available options: certificate, plain, pam, radius, gssapi.
+# Note that authentication methods utilizing passwords cannot be
+# combined (e.g., the plain, pam or radius methods).
 # certificate:
 # This indicates that all connecting users must present a certificate.
-# The username and user group will be then extracted from it (see
+# The username and user group will be then extracted from it (see
 # cert-user-oid and cert-group-oid). The certificate to be accepted
 # it must be signed by the CA certificate as specified in 'ca-cert' and
 # it must not be listed in the CRL, as specified by the 'crl' option.
 #
 # pam[gid-min=1000]:
-# This enabled PAM authentication of the user. The gid-min option is used
+# This enabled PAM authentication of the user. The gid-min option is used
 # by auto-select-group option, in order to select the minimum valid group ID.
 #
 # plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
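Review bot: The new heading `### The following directives do not change with server reload.` at the top of this hunk replaces the sentence that tied the restriction to `auth` itself, and nothing visible marks where the "following directives" section ends. An operator who tightens `auth` and then reloads could assume the stricter policy is in force while the old one still applies, so I would keep a reminder inside the `auth` comment block as well, e.g. `# Note: changes to 'auth' are not applied on reload.` An explicit end-of-section marker (or a matching heading where reloadable directives begin) would also remove the guesswork; whether later directives such as `enable-auth` fall under the heading cannot be told from these lines. The comment block for `auth` continues past the end of the hunk.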
@@ -53,7 +52,7 @@ auth = "plain[passwd=./sample.passwd]"
 # Specify alternative authentication methods that are sufficient
 # for authentication. That is, if set, any of the methods enabled
-# will be sufficient to login.
+# will be sufficient to login, irrespective of the main 'auth' entries.
 #enable-auth = "certificate"
 #enable-auth = "gssapi"
 #enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
@@ -70,7 +69,7 @@ auth = "plain[passwd=./sample.passwd]"
 # Only one accounting method can be specified.
 #acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
-# Use listen-host to limit to specific IPs or to the IPs of a provided
+# Use listen-host to limit to specific IPs or to the IPs of a provided
 # hostname.
 #listen-host = [IP|HOSTNAME]
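Review bot: In the `enable-auth` hunk (`@@ -53,7 +52,7 @@`), the added phrase "irrespective of the main 'auth' entries" does not spell out what that means for a deployment that stacks several `auth` directives to require more than one method. As worded, a single `enable-auth` method appears to let a user log in without satisfying that combination, which would quietly reduce a multi-method policy to one factor. If that is the intended behaviour, I would state it directly under the changed line, e.g. `# Note: a method listed here is accepted on its own, even when multiple 'auth' directives are configured.` The following `listen-host` hunk changes only whitespace and needs no comment.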