Authentication against Active Directory

If you want to provide an application (e.g. a laboratory wiki) that should be accessed with university accounts, so that you do not have to maintain your own account and password database, you can do so using LDAP or Kerberos.

Authentication using LDAP

For this, the following parameters have to be provided (depending on your application, some of them may be optional). “abc12345” needs to be replaced with your own account name:

URL            ldaps://adldap.hs-regensburg.de/
Server         adldap.hs-regensburg.de
Port           636
Base DN        dc=hs-regensburg,dc=de
Bind DN        abc12345@hs-regensburg.de
Search filter  samAccountName=abc12345

Troubleshooting

For testing, you can run the following ldapsearch command on a Linux machine:

ldapsearch -H 'ldaps://adldap.hs-regensburg.de' -b 'DC=hs-regensburg,DC=de' -D 'abc12345@hs-regensburg.de' -W -z 0 -LLL -E pr=1000/noprompt samAccountName=abc12345

Depending on your system, you may need to add the following to your /etc/openldap/ldap.conf:

TLS_REQCERT allow
sasl_secprops maxssf=0

Note: The line “sasl_secprops maxssf=0” caused the following error on Ubuntu 20.04 when performing a domain join with realmd/sssd (realm join HS-REGENSBURG.DE -U <username>):

adcl: couldn't connect to hs-regensburg.de domain: Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775
! Insufficient permissions to join the domain

Without the above-mentioned parameter, the join succeeded.

Authentication using Kerberos

If your application supports Kerberos via “mit-krb5” or “heimdal” (e.g. various Tomcat applications), you need to add the following to your /etc/krb5.conf:

[libdefaults]
default_realm = HS-REGENSBURG.DE
clockskew = 300
ticket_lifetime = 36000