AD Helper

One of my favorite Linux-related sayings is "there's more than one way to do it." I feel this way especially about managing Microsoft Active Directory implementations. I strongly believe that any systems administrator with responsibility over an Active Directory implementation should be able to use Microsoft's Active Directory Users and Computers (ADUC) snap-in, which is found in the Microsoft Management Console (MMC), when they need to. After all, Linux administrators shouldn't be afraid of using any tool that does the job.

However, why limit yourself to only Windows-specific tools? Mike Dawson's adtool application [1] is a particularly powerful and useful tool for managing Active Directory from Linux. adtool is stable and readily available, and it has enjoyed a solid development history. The adtool project has created a command-line based application, so it is easy to use for remote administration, and it is nice and "old school," so it appeals to folks like me, who like to use command-line interfaces to get in and out of trouble as quickly as possible.

Adtool has been around for years, and Linux distributions offer varying degrees of support for it. Other, more recent tools have taken some of the attention from adtool (see the box titled "Alternatives), but the Unix-like simplicity of adtool means that it is still the tool for choice for some users. Many Red Hat versions have adtool available with the default installations. A Debian package appeared through Debian 6 "squeeze" [2], although the Debian project removed adtool from testing in March 2012 [3], and no package is currently listed for the new Debian 7 "wheezy" release.

What is adtool?

Adtool is designed to administer Microsoft Active Directory implementations from Linux systems. No, it's not some sort of Google-like tool that helps you create SEO-friendly web pages or social media implementations. With adtool you can:

• Create new Active Directory groups.
• Modify existing groups.
• Delete groups.
• Change passwords, as well as alter password settings (e.g., password aging values).
• Form queries to determine the contents of an Active Directory database.
• Conduct sophisticated searches.

In short, you can do all of the things you want to do in Active Directory without resorting to launching a virtual session or walking up to a Microsoft Windows box. I'm a security consultant, in addition to my regular gig as in the education and certification industry, so I find adtool very handy, as it saves me time.

Installing adtool

Some Linux distros have adtool in package form and some don't. I prefer to install from a tarball, because in the past I've seen too many pre-created implementations with serious issues. Other implementations don't sport all of the features I need. For example, my Ubuntu 13.04 system didn't have adtool installed by default. And, it doesn't give me any joy by simply typing in sudo apt-get install adtool.

To get adtool running on an Ubuntu system, you first need the LDAP libraries, which are available at OpenLDAP [5]. Active Directory is heavily dependent on LDAP, and successful adtool installation therefore depends on the presence of the LDAP libraries. To install, I typed:

sudo apt-get install ldap-utils

Then, I installed the libldap2-dev package.

You also need to install OpenSSL or another tool that can create digital certificates. Although actual adtool installation doesn't absolutely require SSL-based connections or any of the libraries in OpenSSL, you'll see later in this article that you need SSL-based connections to use all the features available in adtool.

Once you set up LDAP and OpenSSL, you can install and configure the adtool tarball without any difficulty. If you follow the steps, you won't need to make any special command-line additions during the make process. Simply follow the typical sequence: ./configure, make, make check, then sudo make install.

Enabling SSL for LDAP (and adtool)

It is important to set up adtool to use SSL-based connections. Otherwise, you won't be able to use all of adtool's features. Microsoft domain controllers won't allow activities such as password changes and creation for new users to occur unless the connection is encrypted.

To enable SSL-based encryption, start by creating a signed digital certificate. You can use OpenSSL, or you can use a digital certificate supplied by a third party, such as VeriSign. I've even seen people use TinyCA, which is also known as tinyCA2 [6]. You can also create an Active Directory domain controller certificate request using a Microsoft system.

Once you have created the digital certificate, install it on the domain controller you wish to administer and then configure your LDAP server to use SSL. This step involves placing the certificate into the appropriate directories and editing LDAP server files such as /etc/ldap/ldap.conf accordingly.

Then, you can edit the /etc/adtool.cfg file to contain relevant information for the domain controller you wish to access, and test the implementation against a working domain controller.