Managing Active Directory from Linux with adtool
AD Helper

The simple but useful adtool lets you manage an Active Directory domain from the Linux command line.
One of my favorite Linux-related sayings is "there's more than one way to do it." I feel this way especially about managing Microsoft Active Directory implementations. I strongly believe that any systems administrator with responsibility over an Active Directory implementation should be able to use Microsoft's Active Directory Users and Computers (ADUC) snap-in, which is found in the Microsoft Management Console (MMC), when they need to. After all, Linux administrators shouldn't be afraid of using any tool that does the job.
However, why limit yourself to only Windows-specific tools? Mike Dawson's adtool application [1] is a particularly powerful and useful tool for managing Active Directory from Linux. adtool is stable and readily available, and it has enjoyed a solid development history. The adtool project has created a command-line based application, so it is easy to use for remote administration, and it is nice and "old school," so it appeals to folks like me, who like to use command-line interfaces to get in and out of trouble as quickly as possible.
Adtool has been around for years, and Linux distributions offer varying degrees of support for it. Other, more recent tools have taken some of the attention from adtool (see the box titled "Alternatives), but the Unix-like simplicity of adtool means that it is still the tool for choice for some users. Many Red Hat versions have adtool available with the default installations. A Debian package appeared through Debian 6 "squeeze" [2], although the Debian project removed adtool from testing in March 2012 [3], and no package is currently listed for the new Debian 7 "wheezy" release.
Alternatives
You don't absolutely have to use adtool. The following projects do a very good job, as well:
- Splunk [4] – A very powerful application for your Windows or Linux systems. Using Splunk, you can work with Active Directory, though after 60 days, you'll have to pay for the privilege.
- Free ActiveDir Manager (Android Play store) – An Android app, ActiveDir Manager has the ability to do all the same things as adtool right from your phone. Convenient, I suppose, but I like adtool, because I don't always want to be fumbling about with my phone while working on remote systems. My eyes are getting as old as the rest of my body, so I prefer a nice, full-size screen. And, even though this app is available for Android tablets, I still prefer using adtool because I type very quickly (when I can see the keyboard), and adtool let's me get to work quickly. A fee-based version of this app is available for around US$ 5.00.
- AD HelpDesk (iTunes store): This free app is relatively limited, as it only resets locked-out Active Directory passwords. But, that's better than nothing. The fee-based version (around US$ 5.00) has additional features similar to Free ActiveDir Manager.
What is adtool?
Adtool is designed to administer Microsoft Active Directory implementations from Linux systems. No, it's not some sort of Google-like tool that helps you create SEO-friendly web pages or social media implementations. With adtool you can:
- Create new Active Directory groups.
- Modify existing groups.
- Delete groups.
- Change passwords, as well as alter password settings (e.g., password aging values).
- Form queries to determine the contents of an Active Directory database.
- Conduct sophisticated searches.
In short, you can do all of the things you want to do in Active Directory without resorting to launching a virtual session or walking up to a Microsoft Windows box. I'm a security consultant, in addition to my regular gig as in the education and certification industry, so I find adtool very handy, as it saves me time.
Installing adtool
Some Linux distros have adtool in package form and some don't. I prefer to install from a tarball, because in the past I've seen too many pre-created implementations with serious issues. Other implementations don't sport all of the features I need. For example, my Ubuntu 13.04 system didn't have adtool installed by default. And, it doesn't give me any joy by simply typing in sudo apt-get install adtool
.
To get adtool running on an Ubuntu system, you first need the LDAP libraries, which are available at OpenLDAP [5]. Active Directory is heavily dependent on LDAP, and successful adtool installation therefore depends on the presence of the LDAP libraries. To install, I typed:
sudo apt-get install ldap-utils
Then, I installed the libldap2-dev
package.
You also need to install OpenSSL or another tool that can create digital certificates. Although actual adtool installation doesn't absolutely require SSL-based connections or any of the libraries in OpenSSL, you'll see later in this article that you need SSL-based connections to use all the features available in adtool.
Once you set up LDAP and OpenSSL, you can install and configure the adtool tarball without any difficulty. If you follow the steps, you won't need to make any special command-line additions during the make process. Simply follow the typical sequence: ./configure
, make
, make check
, then sudo make install
.
Enabling SSL for LDAP (and adtool)
It is important to set up adtool to use SSL-based connections. Otherwise, you won't be able to use all of adtool's features. Microsoft domain controllers won't allow activities such as password changes and creation for new users to occur unless the connection is encrypted.
To enable SSL-based encryption, start by creating a signed digital certificate. You can use OpenSSL, or you can use a digital certificate supplied by a third party, such as VeriSign. I've even seen people use TinyCA, which is also known as tinyCA2 [6]. You can also create an Active Directory domain controller certificate request using a Microsoft system.
Once you have created the digital certificate, install it on the domain controller you wish to administer and then configure your LDAP server to use SSL. This step involves placing the certificate into the appropriate directories and editing LDAP server files such as /etc/ldap/ldap.conf
accordingly.
Then, you can edit the /etc/adtool.cfg
file to contain relevant information for the domain controller you wish to access, and test the implementation against a working domain controller.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
Kubuntu Focus Announces XE Gen 2 Linux Laptop
Another Kubuntu-based laptop has arrived to be your next ultra-portable powerhouse with a Linux heart.
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.
-
openSUSE Leap 15.5 Beta Now Available
The final version of the Leap 15 series of openSUSE is available for beta testing and offers only new software versions.
-
Linux Kernel 6.2 Released with New Hardware Support
Find out what's new in the most recent release from Linus Torvalds and the Linux kernel team.