Active Directory is one of those Microsoft tools that so many have no choice but to use. Although I much prefer LDAP because it is so much easier to set up and manage. But for much of the enterprise world Active Directory is the tool used. Does this mean you are locked into managing Active Directory from a Windows machine? No. If you are a creature of the command line you can manage your AD from the Linux command line. It’s not that difficult and, in the end, will give you many more options to keep your AD server managed.
Of course it is not just a matter of working on the Linux end of things. There is one issue to settle on the MS end. You have to activate Secure LDAP on your AD Server. This process goes beyond the scope of this article, but the steps are pretty clear.
Enable SLDAP
Here are the steps to enable Secure LDAP on your Windows 2003 AD server (I will leave out the details):
- Create an Active Directory domain controller certificate request.
- Create a Certification Authority.
- Sign the certificate request by the Certification Authority.
- Export the root certificate Certification Authority.
- Import the root certificate Certification Authority onto the Domain Controller.
- Import the LDAP Server certificate onto the Domain Controller.
- Set up the UMRA (LDAP Client) computer.
- Verify Secure LDAPS using SSL.
Installing adtool
Fortunately adtool will be found in your distributions’ repositories. So all you have to do is follow these steps:
- Fire up Synaptic (or whichever Add/Remove Software utility you use).
- Do a search for “adtool” (no quotes).
- Mark the results for installation.
- Click Apply to install.
- Close Synaptic.
Configuring adtool
This is a bit of configuration you need to handle before you can use adtool on your AD server. First create the file (if it doesn’t exist) /etc/adtool.cfg and add the following contents:
uri ldaps://YOUR.DOMAIN.HERE
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
bindpw $PASSWORD
searchbase dc=domain,dc=tld
Where YOUR.DOMAIN.HERE is the actual address to your Active Directory server.
Where PASSWORD is the password for the AD user that has proper permissions to manage the AD server.
You will also need to make sure the following is in your /etc/ldap/ldap.conf file:
BASE dc=YOUR,dc=DOMAIN,dc=HERE
URI ldaps://YOUR.DOMAIN.HERE
TLS_REQCERT allow
Without the above configuration you will not be able to accept the SSL certificates from the server.
Basic usage
The basic usage of the adtool command is simple. Of course you will have to understand Active Directory in order to really understand the usage of this tool. Below I will give you samples of commands to handle the basic tasks for AD. Any information in ALL CAPS would be altered to fit your needs.
Create a new organizational unit:
adtool oucreate ORGANIZATION NAME ou=user,dc=DOMAIN,dc=COM
Add a user:
adtool useradd USER ou=ORGANIZATION ou=user,cd=DOMAIN,dc=COM
Set a user password:
adtool setpass USER PASSWORD
Unlock a user:
adtool unlock USER
Create a group
adtool groupcreate GROUP ou=user,cd=DOMAIN,dc=COM
Add a user to a group:
adtool groupadd allusers USER
Add an email address for the user:
adtool attributereplace USER mail EMAIL@ADDRESS
Final thoughts
We’ve only really scratched the surface of this powerful tool. But from this you should be able to see how easy adtool can be as well as how helpful it is.
Enjoyed the article?: Then sign-up for our free newsletter or RSS feed to kick off your day with the latest technology news and tips, or share the article with your friends and contacts on Facebook or Twitter.Related Articles:
Access and manage your LDAP data with LumaGet To Know Linux: The /etc/init.d Directory
Manage your LDAP data with phpLDAPadmin
Set up an LDAP server on Fedora
Back up your Apache web directory and database with this simple script
shameless plug: I have made available a web-based solution called Corendal Directory to manage Active Directory accounts, contacts and groups. I mention it here because it runs on any platform, including Linux. It uses Java, MySQL and Apache Tomcat . It’s a very mature product, battle-tested in the real world, completely free and open source (GPL license). I got 3000 downloads since December 2008. Several administrators indicated they use Corendal Directory to manage active directory remotely, when they don’t have access to a Windows console.
There are some new tools available to connect and manage Active Directory from Linux or remotely. One such tool which I am using is build by Ldapsoft (http://www.ldapsoft.com).
http://www.ldapsoft.com/adreports.html
http://www.ldapsoft.com/ldapplusad.html
ADTool is not in Fedora’s default repos…
Yeah, I’m in the same boat as JJ. I tried downloading the source and installing, but it hangs saying I’ve got no ldap libs, but I do. I found a place to download the source, but no homepage or documentation and little in the forums. Would be great to stay on my Linux box full time, but as I’m in charge of a windows enterprise network, I need a tool that works.