Managing Active Directory from Linux with adtool
Details
To explain the process in greater detail, I'll take a closer look at the steps described in the preceding section. First, to create a digital certificate (with OpenSSL in this case), you can start by creating a certificate signing request:
$ openssl req -days 3650 -nodes -new \
    -keyout /usr/local/etc/openldap/private/myldapserver.key \
    -out /usr/local/etc/openldap/private/myldapserver.csr
The preceding line tells OpenSSL to create a certificate request for my server, which, for the purposes of this example, is called myldapserver.
You will be asked certain questions. Be careful that you provide the correct server name when asked for the CN (Canonical Name) entry. If you provide the wrong name, your domain controller or your LDAP server will reject all SSL-based connections. You will then need to re-create the certificate.
Next, you need to sign the request:
$ openssl x509 -req -days 3650 \
    -in /usr/local/etc/openldap/private/myldapserver.csr \
    -out /usr/local/etc/openldap/myldapserver.crt \
    -CA /usr/local/etc/openldap/ca.crt \
    -CAkey /usr/local/etc/openldap/private/ca.key \
    -CAcreateserial
You now have a working certificate. You then need to copy it to the appropriate directory, so that your LDAP server can use it. For example, on my system, I would copy it to the /usr/local/etc/openldap directory as follows:
/usr/local/etc/openldap/myldapserver.crt
/usr/local/etc/openldap/private/myldapserver.key
/usr/local/etc/openldap/ca.crt
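Because a wrong name in the certificate makes the server reject every SSL connection, it is worth checking the files before the LDAP server is restarted. The following is an added example, not part of the original article; the helper name check_ldap_cert is hypothetical, and it assumes the openssl command-line tool and GNU stat.

```shell
# Added example: sanity-check the certificate files before the LDAP server uses them.
# Assumes the openssl CLI and GNU stat; check_ldap_cert is a hypothetical helper name.
# Usage: check_ldap_cert CERT KEY CA_CERT FQDN  (returns 0 only if every check passes)
check_ldap_cert() {
    cert=$1 key=$2 ca=$3 host=$4 rc=0

    # 1. The certificate must chain to the CA that signed the request.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. The name clients connect to must match the certificate
    #    (subjectAltName if present, otherwise the CN entered for the request).
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: $cert is not valid for host $host"; rc=1
    fi

    # 3. The private key must belong to this certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 4. The key was created with -nodes (unencrypted), so the file mode
    #    is the only thing protecting it.
    mode=$(stat -c '%a' "$key" 2>/dev/null)
    case $mode in
        400|600) ;;
        *) echo "FAIL: $key has mode ${mode:-unknown}, expected 600 or 400"; rc=1 ;;
    esac

    return $rc
}

# When run as a script with four arguments, perform the check directly.
if [ $# -eq 4 ]; then
    check_ldap_cert "$@"
fi
```

For the files in this article, the call would be check_ldap_cert with myldapserver.crt, myldapserver.key, ca.crt, and the name that appears in the ldaps:// URI.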
Then, you can edit the /etc/ldap/ldap.conf file so it contains the appropriate values. If, for example, I had a server named myldapserver for stanger.com, I would edit the file accordingly (see Listing 1).
Listing 1: Adding an LDAP Server
The last three lines in Listing 1 helped make sure that my Linux LDAP implementation used SSL when communicating with the domain controller. You might need to change the directory names, depending upon your Linux implementation. Once you have made these changes, you can restart your LDAP server.
Once LDAP is using SSL, you need to edit the adtool configuration file, which is usually at the following location: /etc/adtool.cfg. If you wish, you can also create a local file, such as ~/.adtool.cfg. Some admins think that creating these values in a user-level file is more convenient. It can also be more secure, because now connection-specific details are found in a user's directory, rather than in the system-wide /etc/adtool.cfg file. It's your choice. For my example, I'm going to use the /etc/adtool.cfg file.
To set the file so that it uses my SSL-enabled LDAP server (myldapserver), my domain name (stanger.com), and my password (linuxpromagazinerules), I would edit the file accordingly:
uri ldaps://myldapserver.stanger.com
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
bindpw linuxpromagazinerules
searchbase dc=domain,dc=tld
Once I have made these changes, I can connect to a Microsoft Active Directory domain controller over an SSL-encrypted connection, and all the adtool features will be available.
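Whichever file you choose, it holds the bind password in clear text, so its URI scheme and file mode deserve a check. The following is an added example, not part of the original article; the function name audit_adtool_cfg is hypothetical, GNU stat is assumed, and the sample file is constructed from the settings shown above.

```shell
# Added example: audit an adtool configuration file.
# Assumes GNU stat (Linux). Returns 0 when clean, 1 when any finding is reported.
audit_adtool_cfg() {
    cfg=$1
    findings=0

    if [ ! -r "$cfg" ]; then
        echo "$cfg: cannot read file"
        return 1
    fi

    # The setup in this article relies on LDAP over SSL, so any other scheme is a finding.
    uri=$(awk '$1 == "uri" { print $2; exit }' "$cfg")
    case $uri in
        ldaps://*) ;;
        "") echo "$cfg: no uri line found"; findings=1 ;;
        *)  echo "$cfg: uri '$uri' does not use ldaps://"; findings=1 ;;
    esac

    # bindpw is stored in clear text; only the file owner should be able to read it.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$cfg"; then
        mode=$(stat -c '%a' "$cfg")
        case $mode in
            600|400) ;;
            *) echo "$cfg: contains bindpw but has mode $mode (want 600)"; findings=1 ;;
        esac
    fi

    return $findings
}

# Constructed sample: the article's settings, written world-readable on purpose.
sample=$(mktemp)
printf '%s\n' 'uri ldaps://myldapserver.stanger.com' \
    'binddn cn=Administrator,cn=Users,dc=domain,dc=tld' \
    'bindpw linuxpromagazinerules' \
    'searchbase dc=domain,dc=tld' > "$sample"
chmod 644 "$sample"
audit_adtool_cfg "$sample" || echo "tighten it with: chmod 600 <file>"
rm -f "$sample"
```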
Using adtool for Common Tasks
Now that I've got a fully-functional implementation of adtool, it is time to explore some of the typical adtool features for managing an Active Directory environment.
To list users in an organizational unit, issue the following command:
$ adtool list ou=user,dc=stanger,dc=com
CN=allusers,OU=user,DC=stanger,DC=com
OU=research,OU=user,DC=stanger,DC=com
OU=accounting,OU=user,DC=stanger,DC=com
The output shows all the users that you specified in the request.
To create a new user, you can issue the following command:
$ adtool useradd jstanger ou=research,ou=user,dc=stanger,dc=com
You will, of course, need to set a password for this user. To set a password, issue the following command:
$ adtool setpass jstanger linuxpromagazinerules
Many times, a domain controller will be set to lock a new user's account by default. You will therefore need to unlock this user's account. To unlock an account, the command is fairly simple:
$ adtool unlock jstanger
You might also need to unlock existing user accounts, either because the user has exceeded the number of logins, or because the user's login account has become disabled because of time limits.
Suppose this new user needs to be placed into a new group named phpdevelopers. First, you would create a group named phpdevelopers by issuing the following command:
$ adtool groupcreate phpdevelopers ou=user,dc=stangernet,dc=com
To add the user named jstanger to this new group (phpdevelopers), issue the following command:
$ adtool groupadd phpdevelopers jstanger
Now you know how to list groups, as well as how to create a user and add a group.
Additional Tasks
Many times, you will need to create a new organizational unit. To create an OU named socialmediaexperts, you can do:
$ adtool oucreate socialmediaexperts ou=user,dc=myldapserver.stangernet.com,dc=com
To add a user to all groups:
$ adtool groupadd allusers jstanger
To add details about a user:
$ adtool attributereplace jstanger telephonenumber 4138
$ adtool attributereplace jstanger mail jstanger@stangernet.com
If you wish to add an email address for this user, issue the following command:
$ adtool attributereplace jstanger mail jstanger@stangernet.com
To lock a user's account, issue the following command:
$ adtool userlock jstanger
You can delete a user as follows:
$ adtool userdelete jstanger