en:public:netz:auth [24.03.2022 01:37] (current) – created pit37126
Line 1: Line 1:
 +====== Authenticationn against Active Directory ======
 +If you want to provide an application (e.g. laboratory wiki), which you wish to access using university accounts - and therefore save yourself the maintenance of a own account and password database - you can offer that using LDAP or Kerberos.
 +{{INLINETOC}}
 +===== Authentication using LDAP =====
  
 +For this the following parameters have to be provided (depending on your application some parameters may be optional). "abc12345" needs to be replaced with your account name:
 +
 +| URL | ''[[ldaps://adldap.hs-regensburg.de/]]'' |
 +| Server | ''adldap.hs-regensburg.de'' |
 +| Port | ''636'' |
 +| Base DN | ''dc=hs-regensburg,dc=de'' |
 +| Bind DN | ''abc12345@hs-regensburg.de'' |
 +| Search filter | ''samAccountName=abc12345'' |
 +
 +== Troubleshooting ==
 +
 +For test purposes you can enter the ''ldapsearch'' command on a Linux machine:
 +
 +<code>
 +ldapsearch -H 'ldaps://adldap.hs-regensburg.de' -b 'DC=hs-regensburg,DC=de' -D 'abc12345@hs-regensburg.de' -W -z 0 -LLL -E pr=1000/noprompt samAccountName=abc12345
 +</code>
 +
 +Depending on your system you need to enter the following into your ''/etc/openldap/ldap.conf'':
 +<code>
 +TLS_REQCERT allow
 +sasl_secprops maxssf=0
 +</code>
 +
 +Note: The line "sasl_secprops maxssf=0" has caused the following error on Ubuntu 20.04 when performing a domain join with realmd/sssd (realm join HS-REGENSBURG.DE -U <username>):
 +<code>
 +adcl: couldn't connect to hs-regensburg.de domain: Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775
 +! Insufficient permissions to join the domain
 +</code>
 +Without abovementioned parameter a join was possible.
 +
 +===== Authentication using Kerberos =====
 +
 +In case your application does with the help of "mit-krb5" respectively "heimdal" support Kerberos (e.g. various Tomcat-applications), you need to provide the following in your ''/etc/krb5.conf'':
 +<code ini>
 +[libdefaults]
 +default_realm = HS-REGENSBURG.DE
 +clockskew = 300
 +ticket_lifetime = 36000
 +</code>
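Review bot: the Troubleshooting block that tells readers to put `TLS_REQCERT allow` into `/etc/openldap/ldap.conf` switches off server-certificate verification for the `ldaps://adldap.hs-regensburg.de` connection, so the password sent with the bind for `abc12345@hs-regensburg.de` can be captured by anyone able to interpose on that connection; suggest keeping the default `TLS_REQCERT demand` and pointing `TLS_CACERT` at the CA certificate that issued the server certificate, with `allow` mentioned only as a one-off diagnostic. In the same block, `sasl_secprops maxssf=0` only affects SASL binds: the parameter table describes a simple bind with Bind DN and password, for which the setting is irrelevant, and the note further down records that it breaks the realmd/sssd join, so suggest dropping it from the recommended config and mentioning it only for the case where a SASL (GSSAPI) bind fails. Related to that, the `ldapsearch` example lacks `-x`, so as written it attempts a SASL bind rather than the simple bind with `-D 'abc12345@hs-regensburg.de' -W` that the table implies; add `-x`. Two smaller points: the heading reads "Authenticationn" and the intro says "a own account" (should be "your own account"), and the Search filter row should warn that an application substituting a user-supplied name into `samAccountName=...` must escape it per RFC 4515, otherwise the filter is open to LDAP injection.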