Managing Active Directory from Linux with adtool

AD Helper

Article from Issue 152/2013
Author(s):

The simple but useful adtool lets you manage an Active Directory domain from the Linux command line.

One of my favorite Linux-related sayings is "there's more than one way to do it." I feel this way especially about managing Microsoft Active Directory implementations. I strongly believe that any systems administrator with responsibility over an Active Directory implementation should be able to use Microsoft's Active Directory Users and Computers (ADUC) snap-in, which is found in the Microsoft Management Console (MMC), when they need to. After all, Linux administrators shouldn't be afraid of using any tool that does the job.

However, why limit yourself to only Windows-specific tools? Mike Dawson's adtool application [1] is a particularly powerful and useful tool for managing Active Directory from Linux. adtool is stable and readily available, and it has enjoyed a solid development history. The adtool project has created a command-line based application, so it is easy to use for remote administration, and it is nice and "old school," so it appeals to folks like me, who like to use command-line interfaces to get in and out of trouble as quickly as possible.

Adtool has been around for years, and Linux distributions offer varying degrees of support for it. Other, more recent tools have taken some of the attention from adtool (see the box titled "Alternatives), but the Unix-like simplicity of adtool means that it is still the tool for choice for some users. Many Red Hat versions have adtool available with the default installations. A Debian package appeared through Debian 6 "squeeze" [2], although the Debian project removed adtool from testing in March 2012 [3], and no package is currently listed for the new Debian 7 "wheezy" release.

Alternatives

You don't absolutely have to use adtool. The following projects do a very good job, as well:

  • Splunk [4] – A very powerful application for your Windows or Linux systems. Using Splunk, you can work with Active Directory, though after 60 days, you'll have to pay for the privilege.
  • Free ActiveDir Manager (Android Play store) – An Android app, ActiveDir Manager has the ability to do all the same things as adtool right from your phone. Convenient, I suppose, but I like adtool, because I don't always want to be fumbling about with my phone while working on remote systems. My eyes are getting as old as the rest of my body, so I prefer a nice, full-size screen. And, even though this app is available for Android tablets, I still prefer using adtool because I type very quickly (when I can see the keyboard), and adtool let's me get to work quickly. A fee-based version of this app is available for around US$ 5.00.
  • AD HelpDesk (iTunes store): This free app is relatively limited, as it only resets locked-out Active Directory passwords. But, that's better than nothing. The fee-based version (around US$ 5.00) has additional features similar to Free ActiveDir Manager.

What is adtool?

Adtool is designed to administer Microsoft Active Directory implementations from Linux systems. No, it's not some sort of Google-like tool that helps you create SEO-friendly web pages or social media implementations. With adtool you can:

  • Create new Active Directory groups.
  • Modify existing groups.
  • Delete groups.
  • Change passwords, as well as alter password settings (e.g., password aging values).
  • Form queries to determine the contents of an Active Directory database.
  • Conduct sophisticated searches.

In short, you can do all of the things you want to do in Active Directory without resorting to launching a virtual session or walking up to a Microsoft Windows box. I'm a security consultant, in addition to my regular gig as in the education and certification industry, so I find adtool very handy, as it saves me time.

Installing adtool

Some Linux distros have adtool in package form and some don't. I prefer to install from a tarball, because in the past I've seen too many pre-created implementations with serious issues. Other implementations don't sport all of the features I need. For example, my Ubuntu 13.04 system didn't have adtool installed by default. And, it doesn't give me any joy by simply typing in sudo apt-get install adtool.

To get adtool running on an Ubuntu system, you first need the LDAP libraries, which are available at OpenLDAP [5]. Active Directory is heavily dependent on LDAP, and successful adtool installation therefore depends on the presence of the LDAP libraries. To install, I typed:

sudo apt-get install ldap-utils

Then, I installed the libldap2-dev package.

You also need to install OpenSSL or another tool that can create digital certificates. Although actual adtool installation doesn't absolutely require SSL-based connections or any of the libraries in OpenSSL, you'll see later in this article that you need SSL-based connections to use all the features available in adtool.

Once you set up LDAP and OpenSSL, you can install and configure the adtool tarball without any difficulty. If you follow the steps, you won't need to make any special command-line additions during the make process. Simply follow the typical sequence: ./configure, make, make check, then sudo make install.

Enabling SSL for LDAP (and adtool)

It is important to set up adtool to use SSL-based connections. Otherwise, you won't be able to use all of adtool's features. Microsoft domain controllers won't allow activities such as password changes and creation for new users to occur unless the connection is encrypted.

To enable SSL-based encryption, start by creating a signed digital certificate. You can use OpenSSL, or you can use a digital certificate supplied by a third party, such as VeriSign. I've even seen people use TinyCA, which is also known as tinyCA2 [6]. You can also create an Active Directory domain controller certificate request using a Microsoft system.

Once you have created the digital certificate, install it on the domain controller you wish to administer and then configure your LDAP server to use SSL. This step involves placing the certificate into the appropriate directories and editing LDAP server files such as /etc/ldap/ldap.conf accordingly.

Then, you can edit the /etc/adtool.cfg file to contain relevant information for the domain controller you wish to access, and test the implementation against a working domain controller.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Table of Contents: 152

    We look at SharePoint integration and show you how to manage Active Directory from Linux. But first, a special story on a dangerous new class of intrusion tools.

  • OpenLDAP 2.4.8 with Bugfixes

    The new 2.4.8 version mainly offers bugfixes for the free OpenLDAP directory service, while adding a Slap daemon encryption feature.

  • Stopping Drive-By Attacks

    You won't find a perfect solution to the growing problem of drive-by attacks, but many tools are available to help you keep malicious code off your network.

  • Linux with Active Directory

    We explore some leading tools for integrating your Linux network with an Active Directory environment.

  • Samba 4

    A technical preview version of Samba 4 became available at the end of January. We took a look at what’s coming in the next version of the Samba file and print service suite.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News