If you want to provide an application (e.g. laboratory wiki), which you wish to access using university accounts - and therefore save yourself the maintenance of a own account and password database - you can offer that using LDAP or Kerberos.
For this the following parameters have to be provided (depending on your application some parameters may be optional). „abc12345“ needs to be replaced with your account name:
URL | ldaps://adldap.hs-regensburg.de/ |
Server | adldap.hs-regensburg.de |
Port | 636 |
Base DN | dc=hs-regensburg,dc=de |
Bind DN | abc12345@hs-regensburg.de |
Search filter | samAccountName=abc12345 |
For test purposes you can enter the ldapsearch
command on a Linux machine:
ldapsearch -H 'ldaps://adldap.hs-regensburg.de' -b 'DC=hs-regensburg,DC=de' -D 'abc12345@hs-regensburg.de' -W -z 0 -LLL -E pr=1000/noprompt samAccountName=abc12345
Depending on your system you need to enter the following into your /etc/openldap/ldap.conf
:
TLS_REQCERT allow sasl_secprops maxssf=0
Note: The line „sasl_secprops maxssf=0“ has caused the following error on Ubuntu 20.04 when performing a domain join with realmd/sssd (realm join HS-REGENSBURG.DE -U <username>):
adcl: couldn't connect to hs-regensburg.de domain: Couldn't authenticate to active directory: SASL(-7): invalid parameter supplied: Unable to find a callback: 32775 ! Insufficient permissions to join the domain
Without abovementioned parameter a join was possible.
In case your application does with the help of „mit-krb5“ respectively „heimdal“ support Kerberos (e.g. various Tomcat-applications), you need to provide the following in your /etc/krb5.conf
:
[libdefaults] default_realm = HS-REGENSBURG.DE clockskew = 300 ticket_lifetime = 36000