From 2ce32a3ac74acb26a430c11a2df8044cab735bdb Mon Sep 17 00:00:00 2001
From: Andrew Ruthven <andrew@etc.gen.nz>
Date: Sun, 14 Apr 2024 23:12:40 +1200
Subject: [PATCH] Add info on how to use i_use_mode_kerberos

---
 config/example-config.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/config/example-config.php b/config/example-config.php
index 40282292..7b080d59 100644
--- a/config/example-config.php
+++ b/config/example-config.php
@@ -827,6 +827,25 @@ $c->admin_email = 'calendar-admin@example.com';
 //
 // include('drivers_ldap.php');
 
+// /* Kerberus configuration
+//  *
+//  * You may want your webserver to perform Kerberos SSO, in which case
+//  * REMOTE_USER should be trusted. If that is the case, then set
+//  * 'i_use_mode_kerberos' there are two options, neither are the default:
+//  *
+//  * * 'i_know_what_i_am_doing' means to trust REMOTE_USER, do not try and
+//  *   authenticate to LDAP
+//  * * 'allow_fallback_to_ldap_auth' means to trust REMOTE_USER, but if
+//  *   it isn't present, try and authenticate to LDAP. This allows using
+//  *   Kerberos for SSO, but still allows non-Kerberos supporting clients
+//  *   to still use username/password login.
+//  *
+//  * If either are set, then we still get details from LDAP for the user.
+//  *
+//  * Either include this in the above authenticate_hook config setting,
+//  * or use: */
+//
+//  $c->authenticate_hook['config']['i_use_mode_kerberos'] = '';
 
 /********************************/
 /****** PAM and IMAP hooks ******/