Managing Active Directory from Linux with adtool

AD Helper


The simple but useful adtool lets you manage an Active Directory domain from the Linux command line.

One of my favorite Linux-related sayings is "there's more than one way to do it." I feel this way especially about managing Microsoft Active Directory implementations. I strongly believe that any systems administrator with responsibility over an Active Directory implementation should be able to use Microsoft's Active Directory Users and Computers (ADUC) snap-in, which is found in the Microsoft Management Console (MMC), when they need to. After all, Linux administrators shouldn't be afraid of using any tool that does the job.

However, why limit yourself to only Windows-specific tools? Mike Dawson's adtool application [1] is a particularly powerful and useful tool for managing Active Directory from Linux. adtool is stable and readily available, and it has a solid development history. It is a command-line application, which makes it easy to use for remote administration, and it is nice and "old school," so it appeals to folks like me, who like to use command-line interfaces to get in and out of trouble as quickly as possible.

Adtool has been around for years, and Linux distributions offer varying degrees of support for it. Other, more recent tools have taken some of the attention from adtool (see the box titled "Alternatives"), but the Unix-like simplicity of adtool means that it is still the tool of choice for some users. Several Red Hat-based distributions ship an adtool package. A Debian package was available through Debian 6 "squeeze" [2], but the Debian project removed adtool from testing in March 2012 [3], and no package is listed for the new Debian 7 "wheezy" release.

Alternatives

You don't absolutely have to use adtool. The following projects do a very good job, as well:

  • Splunk [4] – A very powerful application for your Windows or Linux systems. Using Splunk, you can work with Active Directory, though after 60 days, you'll have to pay for the privilege.
  • Free ActiveDir Manager (Google Play store) – An Android app, ActiveDir Manager has the ability to do all the same things as adtool right from your phone. Convenient, I suppose, but I like adtool, because I don't always want to be fumbling about with my phone while working on remote systems. My eyes are getting as old as the rest of my body, so I prefer a nice, full-size screen. And, even though this app is available for Android tablets, I still prefer using adtool because I type very quickly (when I can see the keyboard), and adtool lets me get to work quickly. A fee-based version of this app is available for around US$ 5.00.
  • AD HelpDesk (iTunes store): This free app is relatively limited, as it only resets locked-out Active Directory passwords. But, that's better than nothing. The fee-based version (around US$ 5.00) has additional features similar to Free ActiveDir Manager.

What is adtool?

Adtool is designed to administer Microsoft Active Directory implementations from Linux systems. No, it's not some sort of Google-like tool that helps you create SEO-friendly web pages or social media implementations. With adtool you can:

  • Create new Active Directory users, groups, and organizational units.
  • Modify existing objects, including their attributes.
  • Delete users and groups.
  • Set passwords and lock or unlock accounts.
  • Form queries to determine the contents of an Active Directory OU.
  • Search the directory by attribute.

In short, you can do all of the things you want to do in Active Directory without resorting to launching a virtual session or walking up to a Microsoft Windows box. I'm a security consultant, in addition to my regular gig in the education and certification industry, so I find adtool very handy, as it saves me time.

Installing adtool

Some Linux distros have adtool in package form and some don't. I prefer to install from a tarball, because in the past I've seen too many pre-built packages with serious issues or missing features. My Ubuntu 13.04 system, for example, has no adtool package at all, so sudo apt-get install adtool gets you nowhere.

To get adtool running on an Ubuntu system, you first need the OpenLDAP client libraries and headers [5]. adtool speaks LDAP to the domain controller and links against libldap, so a successful build depends on the development package being present. To install the command-line utilities and the development package, I typed:

sudo apt-get install ldap-utils libldap2-dev

You also need OpenSSL, or another tool that can create digital certificates. Building adtool itself does not require SSL-based connections, but you'll see later in this article that you need an SSL/TLS-protected connection to use all the features available in adtool.

Once you set up LDAP and OpenSSL, you can install and configure the adtool tarball without any difficulty. If you follow the steps, you won't need to make any special command-line additions during the make process. Simply follow the typical sequence: ./configure, make, make check, then sudo make install.

Enabling SSL for LDAP (and adtool)

It is important to set up adtool to use an SSL/TLS-protected connection. Otherwise, you won't be able to use all of adtool's features: a Microsoft domain controller refuses to set or change a password (the unicodePwd attribute) over an unencrypted LDAP session, so useradd will succeed but setpass will fail, and the new account stays disabled.

To enable SSL-based encryption, the domain controller needs a server certificate whose name matches the host name you will put in adtool's configuration. You can issue one yourself with OpenSSL, buy one from a third party such as VeriSign, or use a small CA front end such as TinyCA, also known as tinyCA2 [6]. You can also generate the certificate request on the domain controller itself with Microsoft's tools.

Once you have the certificate, install it (together with its private key) on the domain controller you wish to administer, and make the Linux side trust the CA that issued it. On the Linux side, this step involves placing the CA certificate where your LDAP client libraries can find it and editing /etc/ldap/ldap.conf accordingly.

Then, you can edit the /etc/adtool.cfg file to contain relevant information for the domain controller you wish to access, and test the implementation against a working domain controller.

Details

To explain the process in greater detail, I'll take a closer look at the steps described in the preceding section. First, to create a digital certificate (with OpenSSL in this case), generate a private key and a certificate signing request (the validity period is set later, when the request is signed):

$ openssl req -new -nodes -newkey rsa:2048 \
   -keyout /usr/local/etc/openldap/private/myldapserver.key \
   -out /usr/local/etc/openldap/private/myldapserver.csr

The preceding line tells OpenSSL to create a certificate request for my server, which, for the purposes of this example, is called myldapserver.

You will be asked certain questions. Be careful to give the server's fully qualified host name, exactly as it will appear in adtool's uri, when asked for the CN (Common Name). Modern TLS clients also check the subjectAltName extension, so the signed certificate should carry the host name there as well. If the name is wrong, the LDAP client will reject every SSL-based connection, and you will need to re-create the certificate.

Next, you need to sign the request with your CA's certificate and key (this assumes you already have a CA certificate and key at the paths below; the validity period and signature algorithm are set here):

$ openssl x509 -req -days 3650 -sha256 \
   -in /usr/local/etc/openldap/private/myldapserver.csr \
   -out /usr/local/etc/openldap/myldapserver.crt \
   -CA /usr/local/etc/openldap/ca.crt \
   -CAkey /usr/local/etc/openldap/private/ca.key \
   -CAcreateserial

You now have a signed certificate. Copy it, its private key, and the CA certificate to where your LDAP software will look for them, and keep the private directory readable by root only. For example, on my system, I would place them under /usr/local/etc/openldap as follows:

/usr/local/etc/openldap/myldapserver.crt
/usr/local/etc/openldap/private/myldapserver.key
/usr/local/etc/openldap/ca.crt

Then, you can edit the /etc/ldap/ldap.conf file so it contains the appropriate values. If, for example, I had a server named myldapserver for stanger.com, I would edit the file accordingly (see Listing 1).

Listing 1

Adding an LDAP Server

 

The last three lines in Listing 1 are what make the Linux LDAP client libraries use SSL/TLS and trust the CA when communicating with the domain controller (typically a TLS_CACERT line naming the CA certificate). You might need to change the directory names, depending on your Linux implementation. ldap.conf is read by the client libraries each time a connection is opened, so nothing needs restarting after you edit it; only if you also run a local LDAP server (slapd) does that server need a restart.
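The certificate steps above, carried through from scratch as an added example (these are not the article's own commands and not part of adtool). The article assumes a CA key and certificate already exist; this script creates them, issues a domain-controller certificate that carries the host name in both the CN and subjectAltName, and checks the result the way libldap will. The CA name "Stanger Private CA", the host name dc1.stanger.com, and the output directory are hypothetical values.

```shell
#!/bin/sh
# Added example (not from the article or adtool): private CA plus a DC
# certificate with CN and SAN, verified locally before installation.
# Hypothetical values: CA name, DC FQDN and output directory below.

# make_dc_cert <outdir> <dc-fqdn>
# Creates <outdir>/ca.crt, <outdir>/private/ca.key, <outdir>/<fqdn>.crt and
# <outdir>/private/<fqdn>.key. Returns non-zero on any failure.
make_dc_cert() {
    outdir=$1
    fqdn=$2
    mkdir -p "$outdir/private" || return 1
    chmod 700 "$outdir/private"          # private keys: owner only

    # 1. A private CA, valid ten years. -nodes leaves the key unencrypted so
    #    scripts can use it; the directory permissions protect it instead.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=Stanger Private CA" \
        -keyout "$outdir/private/ca.key" -out "$outdir/ca.crt" >/dev/null 2>&1 || return 1

    # 2. The DC's key and CSR. The CN is the FQDN adtool's uri will use.
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/CN=$fqdn" \
        -keyout "$outdir/private/$fqdn.key" -out "$outdir/private/$fqdn.csr" >/dev/null 2>&1 || return 1

    # 3. Sign it. x509 -req does not copy CSR extensions, so the SAN and the
    #    serverAuth EKU are supplied through an extension file.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$outdir/$fqdn.ext"
    openssl x509 -req -days 3650 -sha256 \
        -in "$outdir/private/$fqdn.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/private/ca.key" -CAcreateserial \
        -extfile "$outdir/$fqdn.ext" \
        -out "$outdir/$fqdn.crt" >/dev/null 2>&1 || return 1

    # 4. Verify the chain and the host name locally, before touching the DC.
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/$fqdn.crt" 2>&1 | grep -q ': OK' || return 1
    openssl x509 -in "$outdir/$fqdn.crt" -noout -checkhost "$fqdn" 2>/dev/null | grep -q ' does match ' || return 1
}

# ldaps_check <dc-fqdn> <ca.crt>: open port 636 with the private CA as the
# only trust anchor, which is what libldap does with TLS_CACERT. Needs the
# DC to be reachable, so it is not exercised offline.
ldaps_check() {
    openssl s_client -connect "$1:636" -servername "$1" \
        -CAfile "$2" -verify_return_error </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}

# Usage: make_dc_cert /usr/local/etc/openldap dc1.stanger.com
#        ldaps_check dc1.stanger.com /usr/local/etc/openldap/ca.crt
```

The DC gets dc1.stanger.com.crt and its key; the Linux client only needs ca.crt, named by TLS_CACERT in ldap.conf. If ldaps_check fails while the local checks pass, the mismatch is between the name in adtool's uri and the name in the certificate, not in the certificate itself.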

Once LDAP is using SSL, you need to edit the adtool configuration file, which is usually at the following location: /etc/adtool.cfg. If you wish, you can also create a per-user file, ~/.adtool.cfg. Some admins find a user-level file more convenient. It can also be more secure, because the connection details, including the bind password, then live in the user's home directory rather than in the system-wide /etc/adtool.cfg file; whichever file you use, it holds a clear-text password, so make it readable by its owner only (chmod 600). For my example, I'm going to use the /etc/adtool.cfg file.

To point the file at my SSL-enabled domain controller (myldapserver.stanger.com), my domain (stanger.com), and the bind account's password (linuxpromagazinerules), I would edit the file accordingly:

uri ldaps://myldapserver.stanger.com
binddn cn=Administrator,cn=Users,dc=stanger,dc=com
bindpw linuxpromagazinerules
searchbase dc=stanger,dc=com

Once I have made these changes, adtool connects to the Microsoft Active Directory domain controller over an SSL-encrypted connection, and all of its features are available. The example binds as the domain Administrator for simplicity; in production, use a dedicated account that has been delegated only the rights adtool needs on the OUs it manages, because its password sits in clear text in this file.

Using adtool for Common Tasks

Now that I've got a fully-functional implementation of adtool, it is time to explore some of the typical adtool features for managing an Active Directory environment.

To list the objects directly beneath an organizational unit, give the list command the OU's distinguished name:

$ adtool list ou=user,dc=stanger,dc=com
CN=allusers,OU=user,DC=stanger,DC=com
OU=research,OU=user,DC=stanger,DC=com
OU=accounting,OU=user,DC=stanger,DC=com

The output is one DN per child object, whatever its class: here a group (allusers) and two sub-OUs. To see the users in research, run list against that sub-OU.

To create a new user in the research OU, you can issue the following command:

$ adtool useradd jstanger ou=research,ou=user,dc=stanger,dc=com

The new account has no password and is created disabled, so set a password next. Note that setpass takes the password as an argument, so it ends up in your shell history and is visible to other users in the process list while the command runs; clear it from your history afterward (or, in bash, prefix the command with a space if HISTCONTROL includes ignorespace):

$ adtool setpass jstanger linuxpromagazinerules

The account is still disabled at this point, so you need to enable it. The command is fairly simple:

$ adtool userunlock jstanger

adtool's userlock and userunlock set and clear the account-disabled flag in the userAccountControl attribute. That is a different state from an account Active Directory has locked out because the user exceeded the bad-password threshold; a lockout is recorded in the lockoutTime attribute, and you clear it by setting lockoutTime to 0 (attributereplace, shown below, can do that).

Suppose this new user needs to be placed into a new group named phpdevelopers. First, create the group in the user OU:

$ adtool groupcreate phpdevelopers ou=user,dc=stanger,dc=com

To add the user named jstanger to this new group (phpdevelopers), issue the following command:

$ adtool groupadduser phpdevelopers jstanger

Now you know how to list the contents of an OU, create a user and a group, and add the user to the group.
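The useradd, setpass, userunlock and groupadduser sequence above, wrapped in one function as an added example (this is not the article's own code and not part of adtool). It validates the logon name and the OU DN locally before anything reaches the domain controller, and reads the initial password from the terminal instead of taking it on the command line. The OU and group names are the article's; the domain controller and bind account are taken from adtool.cfg as configured above.

```shell
#!/bin/sh
# Added example (not from the article or adtool): onboard one user with
# local input checks. Uses the adtool subcommands from the section above.

# valid_samaccountname <name>: Active Directory's rules for a logon name:
# 1 to 20 characters, no whitespace, none of  " / \ [ ] : ; | = , + * ? < >
valid_samaccountname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 20 ] || return 1
    case $name in
        *'"'*|*/*|*'\'*|*'['*|*']'*|*:*|*';'*|*'|'*|*=*|*,*|*+*|*'*'*|*'?'*|*'<'*|*'>'*) return 1 ;;
        *' '*) return 1 ;;
    esac
    return 0
}

# valid_dn <dn>: every comma-separated RDN must be cn=, ou= or dc= with a
# non-empty value. Catches typos such as cd= before the DC sees them.
valid_dn() {
    dn=$1
    [ -n "$dn" ] || return 1
    rest=$dn
    while [ -n "$rest" ]; do
        rdn=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case $rdn in
            [Cc][Nn]=?*|[Oo][Uu]=?*|[Dd][Cc]=?*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# onboard_user <user> <ou-dn> <group>: create the account, set its password,
# enable it, and add it to the group. Stops at the first failure, so a
# password the DC rejects (complexity policy) leaves the account disabled.
onboard_user() {
    user=$1; ou=$2; group=$3
    valid_samaccountname "$user" || { echo "invalid sAMAccountName: $user" >&2; return 1; }
    valid_dn "$ou" || { echo "invalid OU DN: $ou" >&2; return 1; }

    # Read the password without echo. It still appears in the argument list
    # of the adtool process for a moment; setpass offers no other way, so run
    # this from a host whose other users you trust.
    printf 'Initial password for %s: ' "$user" >&2
    stty -echo; read -r pw; stty echo; echo >&2

    adtool useradd "$user" "$ou" || return 1
    adtool setpass "$user" "$pw" || return 1
    adtool userunlock "$user" || return 1
    adtool groupadduser "$group" "$user"
}

# Usage (needs a configured adtool and a reachable DC, so not run here):
# onboard_user jstanger ou=research,ou=user,dc=stanger,dc=com phpdevelopers
```

The two validators are deliberately strict rather than complete: a DN that passes them can still name an OU that does not exist, but one that fails them would only produce a confusing error from the domain controller.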

Additional Tasks

Many times, you will need to create a new organizational unit. To create an OU named socialmediaexperts beneath the user OU:

$ adtool oucreate socialmediaexperts ou=user,dc=stanger,dc=com

To add the user to the existing group named allusers (the group that the list command showed earlier):

$ adtool groupadduser allusers jstanger

To set attributes on a user, for example a telephone number and an email address, use attributereplace, which overwrites any existing value of the attribute:

$ adtool attributereplace jstanger telephonenumber 4138
$ adtool attributereplace jstanger mail jstanger@stanger.com

To lock a user's account, issue the following command:

$ adtool userlock jstanger

You can delete a user as follows:

$ adtool userdelete jstanger

Update Early and Often

Remember, a software update for any project can cause mysterious problems to go away – or to appear. So, if you're experiencing issues with adtool and are confident that your queries and commands are using the proper syntax, and if you are convinced that your LDAP and Active Directory servers are properly configured, you might simply need to use a different version of adtool. As of this writing, the most current version is 1.3.3. Use that version unless you find that using an older version somehow resolves any connection problems you might be having.

Conclusion

So, you now have a good understanding of how to use adtool to administer a Microsoft domain controller. Using adtool across an encrypted connection gives you the ability to use your Linux system as efficiently as a Windows system. adtool is a powerful tool, and you now know many of the commands that will allow you to work and play well with Microsoft systems.

Adtool and Password Complexity

I've noticed over the years that quite a few adtool newbies have problems troubleshooting a new adtool implementation because of password requirements. Systems administrators sometimes use a simple password for a "dummy" user when testing a new application such as adtool.

Make sure you use a password that meets the domain's complexity policy. With the default policy, a password must be at least seven characters long, must not contain the user's account name or any part of the user's full name longer than two characters, and must contain characters from at least three of these five categories: uppercase letters, lowercase letters, base-10 digits, non-alphanumeric characters, and other Unicode letters. A password that fails the policy is rejected by the domain controller, so after useradd the account is left with no password and still disabled. For more information about password complexity on Microsoft networks, consult Microsoft's TechNet site [7].
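The default complexity check reproduced locally, as an added example that is not from the article or from adtool, so a rejected setpass can be explained before you try again. It assumes the Default Domain Policy values (minimum length 7, three of five character categories, no account name or name part longer than two characters inside the password) and, as a simplification, counts any non-ASCII byte as the "other Unicode" category. The user and display names are the article's.

```shell
#!/bin/sh
# Added example (not from the article or adtool): a local approximation of
# the Windows "password must meet complexity requirements" policy.
# Assumes Default Domain Policy values; non-ASCII bytes count as Unicode.

# meets_ad_complexity <password> <samaccountname> [<display name>]
# Returns 0 if the password would pass the default policy, 1 otherwise.
meets_ad_complexity() {
    pw=$1; account=$2; display=$3
    [ ${#pw} -ge 7 ] || return 1

    lower_pw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    lower_acct=$(printf '%s' "$account" | tr 'A-Z' 'a-z')

    # Rule 1: the sAMAccountName (if 3+ characters) must not appear, ignoring case.
    if [ ${#lower_acct} -ge 3 ]; then
        case $lower_pw in *"$lower_acct"*) return 1 ;; esac
    fi

    # Rule 2: no part of the display name longer than two characters may
    # appear; parts are split on the delimiters Windows uses (, . - _ # space tab).
    set -f
    for tok in $(printf '%s' "$display" | tr '_,.#\t-' '      '); do
        [ ${#tok} -ge 3 ] || continue
        ltok=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')
        case $lower_pw in *"$ltok"*) set +f; return 1 ;; esac
    done
    set +f

    # Rule 3: three of five categories. LC_ALL=C makes the classes byte-based,
    # so [[:punct:]] is exactly the printable ASCII symbols and [^ -~] is
    # everything outside printable ASCII (our stand-in for Unicode letters).
    n=0
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]'       && n=$((n+1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]'       && n=$((n+1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]'       && n=$((n+1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[[:punct:]]' && n=$((n+1))
    printf '%s' "$pw" | LC_ALL=C grep -q '[^ -~]'      && n=$((n+1))
    [ "$n" -ge 3 ]
}

# Usage: meets_ad_complexity 'Sp0kane!Lake' jstanger 'James Stanger' && echo ok
```

Run it on the password you are about to hand to setpass; a failure here is cheaper than the constraint-violation error from the domain controller, and it tells you which rule you broke if you add an echo to the matching branch.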

Reverse DNS and adtool

Authentication issues can get particularly sticky when you are using SSL-enabled connections. Error messages such as the following will often appear in your logs:

Invalid credentials (49)
additional info: 720408159: \
     LdapErr: DSID-0C090334, \
     comment: AcceptSecurityContext error, data 525, vece

The data value after AcceptSecurityContext error is the part to read: it is the Windows logon status code, and it tells you which check failed. In the example above, 525 means the user named in binddn does not exist; 52e means the user exists but the password is wrong; 533 means the account is disabled; 775 means it is locked out. Only after the bind DN and password check out is it worth looking at name resolution: the host name in adtool's uri must resolve and must match the domain controller's certificate, or the TLS handshake fails before any bind is attempted. I've also seen environments in which the domain controller expected valid reverse DNS for the administering host, so if the credentials are right and the error persists, check or create the PTR records in BIND as well. That will most likely solve any remaining problems, as long as you are not experiencing a larger authentication issue.
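A small decoder for that log line, added here as an example (not from the article or from adtool). It pulls the data sub-code out of the AcceptSecurityContext comment and maps it to the documented Windows logon status meaning, so the right thing gets checked first. The sample line is constructed to match the article's excerpt.

```shell
#!/bin/sh
# Added example (not from the article or adtool): decode the "data NNN"
# sub-code a domain controller appends to a failed LDAP bind.

# ad_bind_subcode <log line>: print the hex sub-code, or nothing if absent
ad_bind_subcode() {
    printf '%s\n' "$1" \
        | sed -n 's/.*AcceptSecurityContext error, data \([0-9a-fA-F]*\).*/\1/p' \
        | head -n 1
}

# ad_bind_reason <hex code>: meaning of the code and what to check
ad_bind_reason() {
    case $(printf '%s' "$1" | tr 'A-F' 'a-f') in
        525) echo "user not found: the binddn names an object that does not exist" ;;
        52e) echo "bad password for an existing user: check bindpw" ;;
        530) echo "logon not permitted at this time (logon hours)" ;;
        531) echo "logon not permitted from this workstation" ;;
        532) echo "password expired: reset it before binding" ;;
        533) echo "account disabled (ACCOUNTDISABLE in userAccountControl)" ;;
        701) echo "account expired (accountExpires is in the past)" ;;
        773) echo "user must change password at next logon" ;;
        775) echo "account locked out: too many bad passwords, clear lockoutTime" ;;
        *)   echo "unknown sub-code $1" ;;
    esac
}

# explain_bind_error <log line>: print "data <code>: <reason>", or fail if
# the line carries no sub-code (then it is not a credential problem at all).
explain_bind_error() {
    code=$(ad_bind_subcode "$1")
    [ -n "$code" ] || { echo "no AcceptSecurityContext sub-code in line" >&2; return 1; }
    echo "data $code: $(ad_bind_reason "$code")"
}

# Constructed sample, matching the excerpt in the text above.
sample='Invalid credentials (49) additional info: 720408159: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece'

# Usage: explain_bind_error "$sample"
```

A line without any AcceptSecurityContext comment, for example a plain TLS failure, never reached the bind step; that is the case where the certificate name and DNS are worth examining.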