Inhaltsverzeichnis
Authenticationn against Active Directory
If you want to provide an application (e.g. laboratory wiki), which you wish to access using university accounts - and therefore save yourself the maintenance of a own account and password database - you can offer that using LDAP or Kerberos.
Authentication using LDAP
For this the following parameters have to be provided (depending on your application some parameters may be optional). „abc12345“ needs to be replaced with your account name:
| URL | ldaps://adldap.hs-regensburg.de/ |
| Server | adldap.hs-regensburg.de |
| Port | 636 |
| Base DN | dc=hs-regensburg,dc=de |
| Bind DN | abc12345@hs-regensburg.de |
| Search filter | samAccountName=abc12345 |
Troubleshooting
For test purposes you can enter the ldapsearch command on a Linux machine:
ldapsearch -H 'ldaps://adldap.hs-regensburg.de' -b 'DC=hs-regensburg,DC=de' -D 'abc12345@hs-regensburg.de' -W -z 0 -LLL -E pr=1000/noprompt samAccountName=abc12345
Depending on your system you need to enter the following into your /etc/openldap/ldap.conf:
TLS_REQCERT allow sasl_secprops maxssf=0
Note: The line „sasl_secprops maxssf=0“ has caused the following error on Ubuntu 20.04 when performing a domain join with realmd/sssd (realm join HS-REGENSBURG.DE -U <username>):
adcl: couldn't connect to hs-regensburg.de domain: Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775 ! Insufficient permissions to join the domain
Without abovementioned parameter a join was possible.
Authentication using Kerberos
In case your application does with the help of „mit-krb5“ respectively „heimdal“ support Kerberos (e.g. various Tomcat-applications), you need to provide the following in your /etc/krb5.conf:
[libdefaults] default_realm = HS-REGENSBURG.DE clockskew = 300 ticket_lifetime = 36000
