Managing Active Directory from Linux with adtool

Details

To explain the process in greater detail, I'll take a closer look at the steps described in the preceding section. First, to create a digital certificate (with OpenSSL in this case), you can start by creating a certificate signing request:

$ openssl req -days 3650 -nodes -new \
   -keyout /usr/local/etc/openldap/private/myldapserver.key \
   -out /usr/local/etc/openldap/private/myldapserver.csr

The preceding line tells OpenSSL to create a certificate request for my server, which, for the purposes of this example, is called myldapserver.

You will be asked several questions. Be careful to provide the correct server name, the hostname clients will connect to, when asked for the CN (Common Name) entry. If you provide the wrong name, your domain controller or your LDAP server will reject all SSL-based connections, and you will need to re-create the certificate.

Next, you need to sign the request with your CA certificate and key:

$ openssl x509 -req -days 3650 \
   -in /usr/local/etc/openldap/private/myldapserver.csr \
   -out /usr/local/etc/openldap/myldapserver.crt \
   -CA /usr/local/etc/openldap/ca.crt \
   -CAkey /usr/local/etc/openldap/private/ca.key \
   -CAcreateserial

You now have a signed certificate. Copy it, along with the private key and the CA certificate, to the directory your LDAP server reads them from. On my system that is /usr/local/etc/openldap, so the files end up as follows:

/usr/local/etc/openldap/myldapserver.crt
/usr/local/etc/openldap/private/myldapserver.key
/usr/local/etc/openldap/ca.crt
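The certificate steps above, as an added example that is not part of the article: it builds a throwaway CA, issues the server certificate non-interactively, and then checks the two things that go wrong most often (a certificate that does not chain to the CA, and a CN that does not match the server name). It assumes the openssl command line tool is installed; the function names and the scratch directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the article: issue the server certificate the way the
# article does, then verify it before handing it to the LDAP server. Work happens
# in a scratch directory instead of /usr/local/etc/openldap, and -subj supplies
# the answers openssl would otherwise ask for interactively.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR -> self-signed ca.key/ca.crt (the article assumes these already exist)
make_ca() {
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR HOST -> HOST.key, HOST.csr and the CA-signed HOST.crt
issue_cert() {
    openssl req -nodes -new -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/$2.csr" -out "$1/$2.crt" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial 2>/dev/null
}

# cert_cn CERT -> the subject CN, in RFC 2253 form so the output is stable
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_cert CA_CRT CERT HOST -> 0 only if CERT chains to CA_CRT and its CN is HOST,
# the name clients will use in their ldaps:// URI (the mismatch the article
# warns about).
check_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "$2: does not chain to $1" >&2; return 1; }
    cn=$(cert_cn "$2")
    [ "$cn" = "$3" ] ||
        { echo "$2: CN '$cn' does not match server name '$3'" >&2; return 1; }
}

# Demo run for the article's server name.
make_ca "$WORK"
issue_cert "$WORK" myldapserver.stanger.com
if check_cert "$WORK/ca.crt" "$WORK/myldapserver.stanger.com.crt" myldapserver.stanger.com; then
    echo "myldapserver.stanger.com: certificate chain and CN OK"
fi
```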

Then, you can edit the /etc/ldap/ldap.conf file so it contains the appropriate values. If, for example, I had a server named myldapserver for stanger.com, I would edit the file accordingly (see Listing 1).

Listing 1

Adding an LDAP Server

BASE    dc=stanger,dc=com
URI     ldap://myldapserver.stanger.com

SIZELIMIT       12
TIMELIMIT       15
#DEREF          never

ssl start_tls
TLS_CACERT       /usr/local/etc/openldap/ca.crt
TLS_CIPHER_SUITE        HIGH:MEDIUM:+SSLv3

BASE    dc=YOUR,dc=DOMAIN,dc=HERE
URI     ldaps://stanger.com
TLS_REQCERT allow

The last three lines in Listing 1 helped make sure that my Linux LDAP implementation used SSL when communicating with the domain controller. You might need to change the directory names, depending upon your Linux implementation. Once you have made these changes, you can restart your LDAP server.

Once LDAP is using SSL, you need to edit the adtool configuration file, which is usually at the following location: /etc/adtool.cfg. If you wish, you can also create a local file, such as ~/.adtool.cfg. Some admins think that creating these values in a user-level file is more convenient. It can also be more secure, because now connection-specific details are found in a user's directory, rather than in the system-wide /etc/adtool.cfg file. It's your choice. For my example, I'm going to use the /etc/adtool.cfg file.

To set the file so that it uses my SSL-enabled LDAP server (myldapserver), my domain name (stanger.com), and my password (linuxpromagazinerules), I would edit the file accordingly:

uri ldaps://myldapserver.stanger.com
binddn cn=Administrator,cn=Users,dc=stanger,dc=com
bindpw linuxpromagazinerules
searchbase dc=stanger,dc=com

Once I have made these changes, I can connect to a Microsoft Active Directory domain controller over an SSL-encrypted connection, and all the adtool features will be available.
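Because adtool.cfg carries the bind password in clear text, here is an added check (not part of the article or of adtool) that a file like the one above is only readable by its owner, uses the ldaps:// form, and actually sets a bindpw. It assumes the "key value" line format shown above; check_adtool_cfg and cfg_value are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the article: check an adtool.cfg before using it.
# The file holds the bind password in clear text, so it must not be readable
# by other users, and the uri should be ldaps:// as in the article's setup.
# check_adtool_cfg and cfg_value are names chosen here; the "key value" line
# format is the one shown above.
set -eu

# cfg_value FILE KEY -> first word of the value of KEY (keys matched case-insensitively)
cfg_value() {
    awk -v k="$2" 'tolower($1) == k { print $2; exit }' "$1"
}

# check_adtool_cfg FILE -> 0 if the file passes every check, 1 otherwise
check_adtool_cfg() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    # group and other permission bits from ls -l: "-rw-------" -> "------"
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] ||
        { echo "$f: readable by group or others (bits $bits); chmod 600 it" >&2; rc=1; }
    case $(cfg_value "$f" uri) in
        ldaps://*) ;;
        *) echo "$f: uri is not the ldaps:// form used for the SSL setup" >&2; rc=1 ;;
    esac
    [ -n "$(cfg_value "$f" bindpw)" ] || { echo "$f: no bindpw set" >&2; rc=1; }
    return $rc
}

# Usage: sh check_cfg.sh /etc/adtool.cfg   (or ~/.adtool.cfg)
if [ $# -eq 1 ]; then
    check_adtool_cfg "$1"
fi
```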

Using adtool for Common Tasks

Now that I've got a fully functional implementation of adtool, it is time to explore some of the typical adtool features for managing an Active Directory environment.

To list users in an organizational unit, issue the following command:

$ adtool list ou=user,dc=stanger,dc=com
CN=allusers,OU=user,DC=stanger,DC=com
OU=research,OU=user,DC=stanger,DC=com
OU=accounting,OU=user,DC=stanger,DC=com

The result is a list of the objects directly under the container you specified in the request; here, a group and two sub-OUs.

To create a new user, you can issue the following command:

$ adtool useradd jstanger ou=research,ou=user,dc=stanger,dc=com

You will, of course, need to set a password for this user. To set a password, issue the following command:

$ adtool setpass jstanger linuxpromagazinerules

Many times, a domain controller will be set to lock a new user's account by default. You will therefore need to unlock this user's account. To unlock an account, the command is fairly simple:

$ adtool unlock jstanger

You might also need to unlock existing user accounts, either because the user has exceeded the permitted number of failed login attempts, or because the account has been disabled after a time limit expired.

Suppose this new user needs to be placed into a new group named phpdevelopers. First, you would create a group named phpdevelopers by issuing the following command:

$ adtool groupcreate phpdevelopers ou=user,dc=stanger,dc=com

To add the user named jstanger to this new group (phpdevelopers), issue the following command:

$ adtool groupadd phpdevelopers jstanger
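The four steps above (useradd, setpass, unlock, groupadd) as one checked procedure, added here as an example and not taken from the article or from adtool itself. It assumes adtool is installed and /etc/adtool.cfg already binds to the domain controller; onboard_user and new_password are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the article: the user-creation steps above as one
# checked procedure. Assumes adtool is installed and /etc/adtool.cfg already
# binds to the domain controller as configured earlier; onboard_user and
# new_password are names chosen here, not adtool commands.
set -eu

# new_password -> 16 random alphanumerics, so no fixed initial password ever
# sits in this script or in a shell history.
new_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16
}

# onboard_user LOGIN OU GROUP
#   useradd -> setpass -> unlock -> groupadd, stopping at the first failure.
#   The account is unlocked only after setpass succeeds, so a failed setpass
#   never leaves an enabled account whose password nobody knows.
onboard_user() {
    login=$1; ou=$2; group=$3
    # adtool splices the login into LDAP DNs, so accept plain names only.
    case $login in
        *[!A-Za-z0-9._-]*|'') echo "onboard_user: bad login '$login'" >&2; return 2 ;;
    esac
    pw=$(new_password)
    adtool useradd "$login" "$ou" || { echo "useradd $login failed" >&2; return 1; }
    # setpass takes the password as an argument (adtool's interface), so it is
    # briefly visible in the process list on the admin host.
    adtool setpass "$login" "$pw" ||
        { echo "setpass $login failed; account left locked" >&2; return 1; }
    adtool unlock "$login" || { echo "unlock $login failed" >&2; return 1; }
    adtool groupadd "$group" "$login" || { echo "groupadd $group failed" >&2; return 1; }
    # The initial password goes to stdout only, for the caller to hand over.
    printf '%s\n' "$pw"
}

# Usage: sh onboard.sh jstanger ou=research,ou=user,dc=stanger,dc=com phpdevelopers
if [ $# -eq 3 ]; then
    onboard_user "$@"
fi
```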

Now you know how to list the contents of an OU, create a user, create a group, and add a user to a group.

Additional Tasks

Many times, you will need to create a new organizational unit. To create an OU named socialmediaexperts, you can do:

$ adtool oucreate socialmediaexperts ou=user,dc=stanger,dc=com

To add a user to the allusers group:

$ adtool groupadd allusers jstanger

To add details about a user, such as a telephone number:

$ adtool attributereplace jstanger telephonenumber 4138

If you wish to add an email address for this user, issue the following command:

$ adtool attributereplace jstanger mail jstanger@stangernet.com

To lock a user's account, issue the following command:

$ adtool userlock jstanger

You can delete a user as follows:

$ adtool userdelete jstanger
