$OpenBSD: patch-doc_sample_config,v 1.4 2015/07/02 20:50:21 sthen Exp $

no freeradius-client in ports yet (also disabled in autoconf)
no seccomp, gssapi

--- doc/sample.config.orig	Wed Jul  1 20:41:01 2015
+++ doc/sample.config	Thu Jul  2 06:51:29 2015
@@ -1,7 +1,7 @@
 # User authentication method. Could be set multiple times and in 
 # that case all should succeed. To enable multiple methods use
 # multiple auth directives. Available options: certificate, 
-# plain, pam, radius, gssapi.
+# plain, pam.
 #
 # Note that authentication methods cannot be changed with reload.
 
@@ -18,45 +18,23 @@
 # "username:groupname1,groupname2:encoded-password"
 # One entry must be listed per line, and 'ocpasswd' should be used
 # to generate password entries.
-#
-# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name,override-interim-updates=false]:
-#  The radius option requires specifying freeradius-client configuration
-# file. If the groupconfig option is set, then config-per-user will be overriden,
-# and all configuration will be read from radius. The 'override-interim-updates' if set to
-# true will ignore Acct-Interim-Interval from the server and 'stats-report-time' will be considered.
-#
-# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
-#  The gssapi option allows to use authentication methods supported by GSSAPI,
-# such as Kerberos tickets with ocserv. It should be best used as an alternative
-# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
-# tickets and without tickets to login. The default value for require-local-user-map
-# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
-# to have been issued within the provided number of seconds. That option is used to
-# restrict logins even if the KDC provides long time TGT tickets.
 
 #auth = "pam"
 #auth = "pam[gid-min=1000]"
 auth = "plain[passwd=./sample.passwd]"
 #auth = "certificate"
-#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
 
 # Specify alternative authentication methods that are sufficient
 # for authentication. That is, if set, any of the methods enabled
 # will be sufficient to login.
 #enable-auth = "certificate"
-#enable-auth = "gssapi"
-#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
 
 # Accounting methods available:
 # pam: can only be combined with PAM authentication method, it provides
 #      a session opened using PAM.
 #
-# radius: can be combined with any authentication method, it provides
-#      radius accounting to available users (see also stats-report-time).
-#
 # Only one accounting method can be specified.
 #acct = "pam"
-#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
 
 # Use listen-host to limit to specific IPs or to the IPs of a provided 
 # hostname.
@@ -79,8 +57,8 @@ udp-port = 443
 
 # The user the worker processes will be run as. It should be
 # unique (no other services run as this user).
-run-as-user = nobody
-run-as-group = daemon
+run-as-user = _ocserv
+run-as-group = _ocserv
 
 # socket file used for IPC with occtl. You only need to set that,
 # if you use more than a single servers.
@@ -89,7 +67,7 @@ run-as-group = daemon
 # socket file used for server IPC (worker-main), will be appended with .PID
 # It must be accessible within the chroot environment (if any), so it is best
 # specified relatively to the chroot directory.
-socket-file = /var/run/ocserv-socket
+socket-file = ${LOCALSTATEDIR}/run/ocserv-socket
 
 # The default server directory. Does not require any devices present.
 #chroot-dir = /path/to/chroot
@@ -104,8 +82,8 @@ socket-file = /var/run/ocserv-socket
 #
 # There may be multiple server-cert and server-key directives,
 # but each key should correspond to the preceding certificate.
-server-cert = ../tests/server-cert.pem
-server-key = ../tests/server-key.pem
+server-cert = ${SYSCONFDIR}/ocserv/server-cert.pem
+server-key = ${SYSCONFDIR}/ocserv/server-key.pem
 
 # Diffie-Hellman parameters. Only needed if you require support
 # for the DHE ciphersuites (by default this server supports ECDHE).
@@ -131,18 +109,12 @@ server-key = ../tests/server-key.pem
 # The Certificate Authority that will be used to verify
 # client certificates (public keys) if certificate authentication
 # is set.
-ca-cert = ../tests/ca.pem
+ca-cert = ${SYSCONFDIR}/ocserv/ca.pem
 
 
 ### All configuration options below this line are reloaded on a SIGHUP.
 ### The options above, will remain unchanged.
 
-# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
-# system calls allowed to a worker process, in order to reduce damage from a
-# bug in the worker process. It is available on Linux systems at a performance cost.
-# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
-isolate-workers = true
-
 # A banner to be displayed on clients
 #banner = "Welcome"
 
@@ -165,8 +137,7 @@ max-same-clients = 2
 
 # Stats report time. The number of seconds after which each
 # worker process will report its usage statistics (number of
-# bytes transferred etc). This is useful when accounting like
-# radius is in use.
+# bytes transferred etc).
 #stats-report-time = 360
 
 # Keepalive in seconds
@@ -264,9 +235,8 @@ min-reauth-time = 300
 # Banning clients in ocserv works with a point system. IP addresses
 # that get a score over that configured number are banned for
 # min-reauth-time seconds. By default a wrong password attempt is 10 points,
-# a KKDCP POST is 1 point, and a connection is 1 point. Note that
-# due to difference processes being involved the count of points
-# will not be real-time precise.
+# and a connection is 1 point. Note that due to difference processes
+# being involved the count of points will not be real-time precise.
 #
 # Score banning cannot be reliably used when receiving proxied connections
 # locally from an HTTP server (i.e., when listen-clear-file is used).
@@ -280,7 +250,6 @@ ban-reset-time = 300
 # In case you'd like to change the default points.
 #ban-points-wrong-password = 10
 #ban-points-connection = 1
-#ban-points-kkdcp = 1
 
 # Cookie timeout (in seconds)
 # Once a client is authenticated he's provided a cookie with
@@ -342,7 +311,7 @@ rekey-method = ssl
 use-occtl = true
 
 # PID file. It can be overriden in the command line.
-pid-file = /var/run/ocserv.pid
+pid-file = ${LOCALSTATEDIR}/run/ocserv.pid
 
 # Set the protocol-defined priority (SO_PRIORITY) for packets to
 # be sent. That is a number from 0 to 6 with 0 being the lowest
@@ -370,7 +339,7 @@ predictable-ips = true
 default-domain = example.com
 
 # The pool of addresses that leases will be given from. If the leases
-# are given via Radius, or via the explicit-ip? per-user config option then 
+# are given via the explicit-ip? per-user config option then 
 # these network values should contain a network with at least a single
 # address that will remain under the full control of ocserv (that is
 # to be able to assign the local part of the tun device address).
@@ -483,20 +452,6 @@ no-route = 192.168.5.0/255.255.255.0
 # and '%{G}', if present will be replaced by the username and group name.
 #proxy-url = http://example.com/
 #proxy-url = http://example.com/%{U}/
-
-# This option allows you to specify a URL location where a client can
-# post using MS-KKDCP, and the message will be forwarded to the provided
-# KDC server. That is a translation URL between HTTP and Kerberos.
-# In MIT kerberos you'll need to add in realms:
-#   EXAMPLE.COM = {
-#     kdc = https://ocserv.example.com/KdcProxy
-#     http_anchors = FILE:/etc/ocserv-ca.pem
-#   }
-# This option is available if ocserv is compiled with GSSAPI support. 
-
-#kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT
-#kkdcp = /KdcProxy EXAMPLE.COM udp@127.0.0.1:88
-#kkdcp = /KdcProxy EXAMPLE.COM tcp@127.0.0.1:88
 
 #
 # The following options are for (experimental) AnyConnect client 
