Manage your Active Directory from Linux with adtool

Jack Wallen — Sun, 02 Aug 2009 14:30:28 +0000

Active Directory is one of those Microsoft tools that so many have no choice but to use. Although I much prefer LDAP because it is so much easier to set up and manage. But for much of the enterprise world Active Directory is the tool used. Does this mean you are locked into managing Active Directory from a Windows machine? No. If you are a creature of the command line you can manage your AD from the Linux command line. It’s not that difficult and, in the end, will give you many more options to keep your AD server managed.

Of course it is not just a matter of working on the Linux end of things. There is one issue to settle on the MS end. You have to activate Secure LDAP on your AD Server. This process goes beyond the scope of this article, but the steps are pretty clear.

Enable SLDAP

Here are the steps to enable Secure LDAP on your Windows 2003 AD server (I will leave out the details):

Create an Active Directory domain controller certificate request.
Create a Certification Authority.
Sign the certificate request by the Certification Authority.
Export the root certificate Certification Authority.
Import the root certificate Certification Authority onto the Domain Controller.
Import the LDAP Server certificate onto the Domain Controller.
Set up the UMRA (LDAP Client) computer.
Verify Secure LDAPS using SSL.

Installing adtool

Fortunately adtool will be found in your distributions’ repositories. So all you have to do is follow these steps:

Fire up Synaptic (or whichever Add/Remove Software utility you use).
Do a search for “adtool” (no quotes).
Mark the results for installation.
Click Apply to install.
Close Synaptic.

Configuring adtool

This is a bit of configuration you need to handle before you can use adtool on your AD server. First create the file (if it doesn’t exist) /etc/adtool.cfg and add the following contents:

uri ldaps://YOUR.DOMAIN.HERE binddn cn=Administrator,cn=Users,dc=domain,dc=tld bindpw $PASSWORD searchbase dc=domain,dc=tld

Where YOUR.DOMAIN.HERE is the actual address to your Active Directory server.

Where PASSWORD is the password for the AD user that has proper permissions to manage the AD server.

You will also need to make sure the following is in your /etc/ldap/ldap.conf file:

BASE dc=YOUR,dc=DOMAIN,dc=HERE URI ldaps://YOUR.DOMAIN.HERE TLS_REQCERT allow

Without the above configuration you will not be able to accept the SSL certificates from the server.

Basic usage

The basic usage of the adtool command is simple. Of course you will have to understand Active Directory in order to really understand the usage of this tool. Below I will give you samples of commands to handle the basic tasks for AD. Any information in ALL CAPS would be altered to fit your needs.

Create a new organizational unit:

adtool oucreate ORGANIZATION NAME ou=user,dc=DOMAIN,dc=COM

Add a user:

adtool useradd USER ou=ORGANIZATION ou=user,cd=DOMAIN,dc=COM

Set a user password:

adtool setpass USER PASSWORD

Unlock a user:

adtool unlock USER

Create a group

adtool groupcreate GROUP ou=user,cd=DOMAIN,dc=COM

Add a user to a group:

adtool groupadd allusers USER

Add an email address for the user:

adtool attributereplace USER mail EMAIL@ADDRESS

Final thoughts

We’ve only really scratched the surface of this powerful tool. But from this you should be able to see how easy adtool can be as well as how helpful it is.

Tags: active directory, adtool, LDAP, manage active directory from linux

USB Port Protection

Martin — Thu, 05 Mar 2009 16:04:11 +0000

System administrators do not only have to make sure that the computer systems that they administrate are protected from online threats: Local attacks are also a common threat that has to be dealt with. One prominent way of gaining access to a local computer system is by connecting external devices to the system. USB ports have to be protected by the system administrator so that external devices cannot be connected to the system. Some of the dangers are malware threats that could be distributed in a computer network from one entry point or data theft by copying data from the local system to a removable device.

USB Blocker (via Techie Buzz) is a software program that can protect USB ports from being accessed unauthorized. One main benefit of USB Blocker is that it relies solely on group policy mechanisms and does not have to be deployed on client computer systems. USB port protection can be achieved with just a few mouse clicks on connected computer systems.

The application is controlled via a small interface that pops up for the first time after installation. A click on the Block USB Devices checkbox enables the options for managed active directory domains and provides the means to exclude computers from being blocked by the USB port protection software. There is also an option to only block devices for specific organizational units in the Active directory.

The usb port protection software can only be downloaded after a quick registration (without verification) at the website of the developer. USB Blocker is compatible with most Microsoft operating systems. A commercial version exists as well which extends the functionality of the USB port protection to include additional devices among other things.

Tags: active directory, block usb, usb, usb blocker, usb devices, usb port, usb port protection, windows software

gHacks technology news » active directory

Manage your Active Directory from Linux with adtool

Related posts

USB Port Protection

Related posts