====== Authentication against Active Directory ======

If you want to provide an application (e.g. a laboratory wiki) that should be accessed with university accounts, and thereby save yourself the maintenance of your own account and password database, you can do so using LDAP or Kerberos.

{{INLINETOC}}

===== Authentication using LDAP =====

For this the following parameters have to be provided (depending on your application some parameters may be optional). "abc12345" needs to be replaced with your account name:

| URL | ''[[ldaps://adldap.hs-regensburg.de/]]'' |
| Server | ''adldap.hs-regensburg.de'' |
| Port | ''636'' |
| Base DN | ''dc=hs-regensburg,dc=de'' |
| Bind DN | ''abc12345@hs-regensburg.de'' |
| Search filter | ''samAccountName=abc12345'' |

== Troubleshooting ==

For test purposes you can run the ''ldapsearch'' command on a Linux machine:

<code>
ldapsearch -H 'ldaps://adldap.hs-regensburg.de' -b 'DC=hs-regensburg,DC=de' -D 'abc12345@hs-regensburg.de' -W -z 0 -LLL -E pr=1000/noprompt samAccountName=abc12345
</code>

Depending on your system you need to enter the following into your ''/etc/openldap/ldap.conf'':

<code>
TLS_REQCERT allow
sasl_secprops maxssf=0
</code>

Note: The line "sasl_secprops maxssf=0" caused the following error on Ubuntu 20.04 when performing a domain join with realmd/sssd (''realm join HS-REGENSBURG.DE -U ''):

<code>
adcl: couldn't connect to hs-regensburg.de domain: Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775
 ! Insufficient permissions to join the domain
</code>

Without the above-mentioned parameter a join was possible.

===== Authentication using Kerberos =====

If your application supports Kerberos with the help of "mit-krb5" or "heimdal" (e.g. various Tomcat applications), you need to provide the following in your ''/etc/krb5.conf'':

<code>
[libdefaults]
default_realm = HS-REGENSBURG.DE
clockskew = 300
ticket_lifetime = 36000
</code>
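The LDAP parameters from the table above, turned into the bind-then-lookup flow an application would run, as an added example that is not part of this page: the bind DN is the UPN form from the table, the account name is escaped before it goes into the ''samAccountName'' filter, and an empty password is refused before any bind. It uses only the standard library; the actual bind and search are injected as callables (a real deployment would back them with ldap3 or python-ldap), and the three-letters-plus-five-digits account pattern is an assumption.

```python
import re
from typing import Callable, List, Optional

# Connection parameters from the table above (adldap.hs-regensburg.de, port 636).
LDAP_URL = "ldaps://adldap.hs-regensburg.de/"
BASE_DN = "dc=hs-regensburg,dc=de"
UPN_SUFFIX = "hs-regensburg.de"
# Assumed shape of the "abc12345" account names: three letters, five digits.
ACCOUNT_RE = re.compile(r"^[a-z]{3}[0-9]{5}$")

BindFn = Callable[[str, str, str], bool]      # bind(url, bind_dn, password) -> ok
SearchFn = Callable[[str, str], List[dict]]   # search(base_dn, filter) -> entries


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user-supplied value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def bind_dn(account: str) -> str:
    """AD accepts the UPN form 'abc12345@hs-regensburg.de' from the table as bind DN."""
    if not ACCOUNT_RE.match(account):
        raise ValueError("account name has an unexpected format")
    return f"{account}@{UPN_SUFFIX}"


def search_filter(account: str) -> str:
    """The table's filter 'samAccountName=abc12345', with the value escaped."""
    return f"(samAccountName={escape_filter_value(account)})"


def authenticate(account: str, password: str, bind: BindFn, search: SearchFn) -> Optional[dict]:
    """Simple bind as the user, then fetch the user's own entry. Returns the entry or None."""
    # RFC 4513 5.1.2: a DN with an empty password is an *unauthenticated* bind, which many
    # servers (Active Directory by default among them) answer with success. Refuse it here.
    if not password:
        return None
    try:
        dn = bind_dn(account)
    except ValueError:
        return None
    if not bind(LDAP_URL, dn, password):
        return None
    entries = search(BASE_DN, search_filter(account))
    # Exactly one entry is expected for an account name; anything else is treated as failure.
    return entries[0] if len(entries) == 1 else None
```

The client library behind ''bind'' must verify the ldaps server certificate; the ''TLS_REQCERT allow'' line in the troubleshooting section only makes ''ldapsearch'' proceed without a verified certificate and is a test aid, not a production setting.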