Managing Active Directory from Linux with adtool
The simple but useful adtool lets you manage an Active Directory domain from the Linux command line.
One of my favorite Linux-related sayings is "there's more than one way to do it." I feel this way especially about managing Microsoft Active Directory implementations. I strongly believe that any systems administrator with responsibility over an Active Directory implementation should be able to use Microsoft's Active Directory Users and Computers (ADUC) snap-in, which is found in the Microsoft Management Console (MMC), when they need to. After all, Linux administrators shouldn't be afraid of using any tool that does the job.
However, why limit yourself to only Windows-specific tools? Mike Dawson's adtool application  is a particularly powerful and useful tool for managing Active Directory from Linux. adtool is stable and readily available, and it has enjoyed a solid development history. The adtool project has created a command-line based application, so it is easy to use for remote administration, and it is nice and "old school," so it appeals to folks like me, who like to use command-line interfaces to get in and out of trouble as quickly as possible.
Adtool has been around for years, and Linux distributions offer varying degrees of support for it. Other, more recent tools have taken some of the attention from adtool (see the box titled "Alternatives), but the Unix-like simplicity of adtool means that it is still the tool for choice for some users. Many Red Hat versions have adtool available with the default installations. A Debian package appeared through Debian 6 "squeeze" , although the Debian project removed adtool from testing in March 2012 , and no package is currently listed for the new Debian 7 "wheezy" release.
You don't absolutely have to use adtool. The following projects do a very good job, as well:
- Splunk  – A very powerful application for your Windows or Linux systems. Using Splunk, you can work with Active Directory, though after 60 days, you'll have to pay for the privilege.
- Free ActiveDir Manager (Android Play store) – An Android app, ActiveDir Manager has the ability to do all the same things as adtool right from your phone. Convenient, I suppose, but I like adtool, because I don't always want to be fumbling about with my phone while working on remote systems. My eyes are getting as old as the rest of my body, so I prefer a nice, full-size screen. And, even though this app is available for Android tablets, I still prefer using adtool because I type very quickly (when I can see the keyboard), and adtool let's me get to work quickly. A fee-based version of this app is available for around US$ 5.00.
- AD HelpDesk (iTunes store): This free app is relatively limited, as it only resets locked-out Active Directory passwords. But, that's better than nothing. The fee-based version (around US$ 5.00) has additional features similar to Free ActiveDir Manager.
What is adtool?
Adtool is designed to administer Microsoft Active Directory implementations from Linux systems. No, it's not some sort of Google-like tool that helps you create SEO-friendly web pages or social media implementations. With adtool you can:
- Create new Active Directory groups.
- Modify existing groups.
- Delete groups.
- Change passwords, as well as alter password settings (e.g., password aging values).
- Form queries to determine the contents of an Active Directory database.
- Conduct sophisticated searches.
In short, you can do all of the things you want to do in Active Directory without resorting to launching a virtual session or walking up to a Microsoft Windows box. I'm a security consultant, in addition to my regular gig as in the education and certification industry, so I find adtool very handy, as it saves me time.
Some Linux distros have adtool in package form and some don't. I prefer to install from a tarball, because in the past I've seen too many pre-created implementations with serious issues. Other implementations don't sport all of the features I need. For example, my Ubuntu 13.04 system didn't have adtool installed by default. And, it doesn't give me any joy by simply typing in
sudo apt-get install adtool.
To get adtool running on an Ubuntu system, you first need the LDAP libraries, which are available at OpenLDAP . Active Directory is heavily dependent on LDAP, and successful adtool installation therefore depends on the presence of the LDAP libraries. To install, I typed:
sudo apt-get install ldap-utils
Then, I installed the
You also need to install OpenSSL or another tool that can create digital certificates. Although actual adtool installation doesn't absolutely require SSL-based connections or any of the libraries in OpenSSL, you'll see later in this article that you need SSL-based connections to use all the features available in adtool.
Once you set up LDAP and OpenSSL, you can install and configure the adtool tarball without any difficulty. If you follow the steps, you won't need to make any special command-line additions during the make process. Simply follow the typical sequence:
make check, then
sudo make install.
Enabling SSL for LDAP (and adtool)
It is important to set up adtool to use SSL-based connections. Otherwise, you won't be able to use all of adtool's features. Microsoft domain controllers won't allow activities such as password changes and creation for new users to occur unless the connection is encrypted.
To enable SSL-based encryption, start by creating a signed digital certificate. You can use OpenSSL, or you can use a digital certificate supplied by a third party, such as VeriSign. I've even seen people use TinyCA, which is also known as tinyCA2 . You can also create an Active Directory domain controller certificate request using a Microsoft system.
Once you have created the digital certificate, install it on the domain controller you wish to administer and then configure your LDAP server to use SSL. This step involves placing the certificate into the appropriate directories and editing LDAP server files such as
Then, you can edit the
/etc/adtool.cfg file to contain relevant information for the domain controller you wish to access, and test the implementation against a working domain controller.
Buy this article as PDF
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.