Manage your Active Directory from Linux with adtool

Jack Wallen
Aug 2, 2009
Updated • Nov 30, 2012

Active Directory is one of those Microsoft tools that so many have no choice but to use. I much prefer plain LDAP because it is so much easier to set up and manage, but for much of the enterprise world Active Directory is the tool in use. Does this mean you are locked into managing Active Directory from a Windows machine? No. If you are a creature of the command line you can manage your AD from the Linux command line. It's not that difficult and, in the end, will give you many more options for keeping your AD server managed.

Of course it is not just a matter of working on the Linux end of things; there is one issue to settle on the Microsoft end. You have to activate Secure LDAP (LDAPS) on your AD server. That process goes beyond the scope of this article, but the steps are fairly clear.

Enable SLDAP

Here are the steps to enable Secure LDAP on your Windows 2003 AD server (I will leave out the details):

  1. Create an Active Directory domain controller certificate request.
  2. Create a Certification Authority.
  3. Sign the certificate request by the Certification Authority.
  4. Export the root certificate Certification Authority.
  5. Import the root certificate Certification Authority onto the Domain Controller.
  6. Import the LDAP Server certificate onto the Domain Controller.
  7. Set up the UMRA (LDAP Client) computer.
  8. Verify Secure LDAPS using SSL.

Installing adtool

Fortunately adtool can be found in your distribution's repositories, so all you have to do is follow these steps:

  1. Fire up Synaptic (or whichever Add/Remove Software utility you use).
  2. Do a search for "adtool" (no quotes).
  3. Mark the results for installation.
  4. Click Apply to install.
  5. Close Synaptic.

Configuring adtool

There is a bit of configuration you need to handle before you can use adtool against your AD server. First create the file /etc/adtool.cfg (if it doesn't exist) and add the following contents:

uri ldaps://YOUR.DOMAIN.HERE
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
bindpw PASSWORD
searchbase dc=domain,dc=tld

Here YOUR.DOMAIN.HERE is the actual address of your Active Directory server, and PASSWORD is the password of the AD user that has the proper permissions to manage the AD server.

You will also need to make sure the following is in your /etc/ldap/ldap.conf file:

BASE    dc=YOUR,dc=DOMAIN,dc=HERE
URI     ldaps://YOUR.DOMAIN.HERE
TLS_REQCERT allow

Without the above configuration your client will not accept the SSL certificate presented by the server.
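TLS_REQCERT allow, as used above, makes the client proceed even when the server certificate cannot be verified, and /etc/adtool.cfg stores the bind password in clear text. The audit helper below is an added example (not from the article or from adtool) that flags those two weaknesses in a given pair of files and writes a hardened ldap.conf that pins the CA root exported in the Secure LDAP steps; the file paths, CA path and server name are parameters, and the sample files in the usage are constructed.

```shell
#!/bin/sh
# Constructed audit helper for the two files the article configures. It is an
# added example, not part of the article or of adtool; file paths are parameters.

# 0 if ldap.conf can verify the AD server certificate, 1 if it cannot.
check_ldap_conf() {
    f="$1"; rc=0
    # Last occurrence wins, as in OpenLDAP; keys are case-insensitive.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{v=tolower($2)} END{print v}' "$f")
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{v=$2} END{print v}' "$f")
    uri=$(awk 'toupper($1)=="URI"{v=$2} END{print v}' "$f")
    case "${reqcert:-demand}" in      # OpenLDAP defaults to demand when unset
        demand|hard) ;;
        *) echo "$f: TLS_REQCERT $reqcert accepts an unverified server certificate"; rc=1 ;;
    esac
    [ -n "$cacert" ] || { echo "$f: TLS_CACERT missing; the exported AD CA root is not trusted"; rc=1; }
    case "$uri" in
        ldaps://*) ;;
        *) echo "$f: URI '$uri' is not ldaps://, the bind would go over clear text"; rc=1 ;;
    esac
    return $rc
}

# 0 if adtool.cfg (which stores bindpw in clear text) is readable only by its
# owner and points at an ldaps:// URI, 1 otherwise.
check_adtool_cfg() {
    f="$1"; rc=0
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "$f: readable by group/others, bind password exposed"; rc=1 ;;
    esac
    grep -qi '^uri[[:space:]]*ldaps://' "$f" || { echo "$f: uri is not ldaps://"; rc=1; }
    return $rc
}

# Writes a hardened ldap.conf to $1 trusting the CA file $2 for server $3:
# the server certificate must chain to that CA, or the connection is refused.
write_hardened_ldap_conf() {
    printf 'BASE    dc=YOUR,dc=DOMAIN,dc=HERE\nURI     ldaps://%s\nTLS_CACERT %s\nTLS_REQCERT demand\n' \
        "$3" "$2" > "$1"
}
```

Run the checks as root against /etc/ldap/ldap.conf and /etc/adtool.cfg; a non-zero exit means at least one finding was printed.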

Basic usage

The basic usage of the adtool command is simple. Of course you will have to understand Active Directory in order to really understand the usage of this tool. Below I will give you sample commands for the basic AD tasks. Any information in ALL CAPS should be altered to fit your needs.

Create a new organizational unit:

adtool oucreate ORGANIZATION ou=user,dc=DOMAIN,dc=COM

Add a user:

adtool useradd USER ou=ORGANIZATION,ou=user,dc=DOMAIN,dc=COM

Set a user password:

adtool setpass USER PASSWORD

Unlock a user:

adtool unlock USER

Create a group:

adtool groupcreate GROUP ou=user,dc=DOMAIN,dc=COM

Add a user to a group:

adtool groupadd allusers USER

Add an email address for the user:

adtool attributereplace USER mail EMAIL@ADDRESS

Final thoughts

We've only really scratched the surface of this powerful tool. But from this you should be able to see how easy adtool can be as well as how helpful it is.


Comments

  1. SlowGhost said on June 18, 2011 at 4:11 pm

    Yeah, I’m in the same boat as JJ. I tried downloading the source and installing, but it hangs saying I’ve got no ldap libs, but I do. I found a place to download the source, but no homepage or documentation and little in the forums. Would be great to stay on my Linux box full time, but as I’m in charge of a windows enterprise network, I need a tool that works.

  2. JJ said on May 11, 2011 at 6:21 pm

    ADTool is not in Fedora’s default repos…

  3. MJ said on March 26, 2010 at 6:27 pm

    There are some new tools available to connect to and manage Active Directory from Linux or remotely. One such tool which I am using is built by Ldapsoft (http://www.ldapsoft.com).

    http://www.ldapsoft.com/adreports.html
    http://www.ldapsoft.com/ldapplusad.html

  4. Thierry Danard said on October 24, 2009 at 1:28 am

    Shameless plug: I have made available a web-based solution called Corendal Directory to manage Active Directory accounts, contacts and groups. I mention it here because it runs on any platform, including Linux. It uses Java, MySQL and Apache Tomcat. It's a very mature product, battle-tested in the real world, completely free and open source (GPL license). I got 3000 downloads since December 2008. Several administrators indicated they use Corendal Directory to manage Active Directory remotely, when they don't have access to a Windows console.
