$OpenBSD: patch-doc_sample_config,v 1.12 2016/04/26 12:11:08 sthen Exp $

no seccomp, gssapi

--- doc/sample.config.orig	Tue Apr 26 12:56:25 2016
+++ doc/sample.config	Tue Apr 26 12:56:25 2016
@@ -1,7 +1,7 @@
 # User authentication method. Could be set multiple times and in 
 # that case all should succeed. To enable multiple methods use
 # multiple auth directives. Available options: certificate, 
-# plain, pam, radius, gssapi.
+# plain, pam, radius.
 #
 # Note that authentication methods cannot be changed with reload.
 
@@ -26,15 +26,6 @@
 # file. If the groupconfig option is set, then config-per-user/group will be overriden,
 # and all configuration will be read from radius. The 'override-interim-updates' if set to
 # true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.
-#
-# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
-#  The gssapi option allows to use authentication methods supported by GSSAPI,
-# such as Kerberos tickets with ocserv. It should be best used as an alternative
-# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
-# tickets and without tickets to login. The default value for require-local-user-map
-# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
-# to have been issued within the provided number of seconds. That option is used to
-# restrict logins even if the KDC provides long time TGT tickets.
 
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
@@ -47,8 +38,6 @@ auth = "plain[passwd=./sample.passwd]"
 # for authentication. That is, if set, any of the methods enabled
 # will be sufficient to login.
 #enable-auth = "certificate"
-#enable-auth = "gssapi"
-#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
 
 # Accounting methods available:
 # radius: can be combined with any authentication method, it provides
@@ -83,8 +72,8 @@ udp-port = 443
 
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
+run-as-group = _ocserv
 
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
@@ -93,7 +82,7 @@ run-as-group = daemon
 # socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any), so it is best
 # specified relatively to the chroot directory.
-socket-file = /var/run/ocserv-socket
+socket-file = ${LOCALSTATEDIR}/run/ocserv-socket
 
 # The default server directory. Does not require any devices present.
 #chroot-dir = /path/to/chroot
@@ -108,8 +97,8 @@ socket-file = /var/run/ocserv-socket
 #
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
-server-cert = ../tests/server-cert.pem
-server-key = ../tests/server-key.pem
+server-cert = ${SYSCONFDIR}/ocserv/server-cert.pem
+server-key = ${SYSCONFDIR}/ocserv/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
@@ -135,7 +124,7 @@ server-key = ../tests/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-ca-cert = ../tests/ca.pem
+ca-cert = ${SYSCONFDIR}/ocserv/ca.pem
 
 
 ### All configuration options below this line are reloaded on a SIGHUP.
@@ -147,16 +136,6 @@ ca-cert = ../tests/ca.pem
 ### failures during the reloading time.
 
 
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-# Note however, that process isolation is restricted to the specific libc versions
-# the isolation was tested at. If you get random failures on worker processes, try
-# disabling that option and report the failures you, along with system and debugging
-# information at: https://gitlab.com/ocserv/ocserv/issues
-isolate-workers = true
-
 # A banner to be displayed on clients
 #banner = "Welcome"
 
@@ -281,9 +260,8 @@ min-reauth-time = 300
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
-# due to difference processes being involved the count of points
-# will not be real-time precise.
+# and a connection is 1 point. Note that due to different processes
+# being involved the count of points will not be real-time precise.
 #
 # Score banning cannot be reliably used when receiving proxied connections
 # locally from an HTTP server (i.e., when listen-clear-file is used).
@@ -297,7 +275,6 @@ ban-reset-time = 300
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
 #ban-points-connection = 1
-#ban-points-kkdcp = 1
 
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
@@ -364,7 +341,7 @@ rekey-method = ssl
 use-occtl = true
 
 # PID file. It can be overriden in the command line.
-pid-file = /var/run/ocserv.pid
+pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
 
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
@@ -477,6 +454,11 @@ no-route = 192.168.5.0/255.255.255.0
 # any other routes. In case of defaultroute, the no-routes are restricted.
 # All the routes applied by ocserv can be reverted using /etc/ocserv/ocserv-fw
 # --removeall. This option can be set globally or in the per-user configuration.
+#
+# OpenBSD package notes:
+# to use this with PF, you will need to supply your own ocserv-fw script,
+# probably the best approach would be to add via a table or an anchor.
+#
 #restrict-user-to-routes = true
 
 # This option implies restrict-user-to-routes set to true. If set, the
@@ -549,21 +531,6 @@ no-route = 192.168.5.0/255.255.255.0
 # and '%{G}', if present will be replaced by the username and group name.
 #proxy-url = http://example.com/
 #proxy-url = http://example.com/%{U}/
-
-# This option allows you to specify a URL location where a client can
-# post using MS-KKDCP, and the message will be forwarded to the provided
-# KDC server. That is a translation URL between HTTP and Kerberos.
-# In MIT kerberos you'll need to add in realms:
-#   EXAMPLE.COM = {
-#     kdc = https://ocserv.example.com/KdcProxy
-#     http_anchors = FILE:/etc/ocserv-ca.pem
-#   }
-# This option is available if ocserv is compiled with GSSAPI support. 
-
-#kkdcp = "SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT"
-#kkdcp = "/KdcProxy KERBEROS.REALM udp@127.0.0.1:88"
-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@127.0.0.1:88"
-#kkdcp = "/KdcProxy KERBEROS.REALM tcp@[::1]:88"
 
 #
 # The following options are for (experimental) AnyConnect client 
