Managing Active Directory from Linux with adtool
AD Helper
The simple but useful adtool lets you manage an Active Directory domain from the Linux command line.
One of my favorite Linux-related sayings is "there's more than one way to do it." I feel this way especially about managing Microsoft Active Directory implementations. I strongly believe that any systems administrator with responsibility over an Active Directory implementation should be able to use Microsoft's Active Directory Users and Computers (ADUC) snap-in, which is found in the Microsoft Management Console (MMC), when they need to. After all, Linux administrators shouldn't be afraid of using any tool that does the job.
However, why limit yourself to only Windows-specific tools? Mike Dawson's adtool application [1] is a particularly powerful and useful tool for managing Active Directory from Linux. adtool is stable and readily available, and it has enjoyed a solid development history. The adtool project has created a command-line based application, so it is easy to use for remote administration, and it is nice and "old school," so it appeals to folks like me, who like to use command-line interfaces to get in and out of trouble as quickly as possible.
Adtool has been around for years, and Linux distributions offer varying degrees of support for it. Other, more recent tools have taken some of the attention from adtool (see the box titled "Alternatives), but the Unix-like simplicity of adtool means that it is still the tool for choice for some users. Many Red Hat versions have adtool available with the default installations. A Debian package appeared through Debian 6 "squeeze" [2], although the Debian project removed adtool from testing in March 2012 [3], and no package is currently listed for the new Debian 7 "wheezy" release.
Alternatives
You don't absolutely have to use adtool. The following projects do a very good job, as well:
- Splunk [4] – A very powerful application for your Windows or Linux systems. Using Splunk, you can work with Active Directory, though after 60 days, you'll have to pay for the privilege.
- Free ActiveDir Manager (Android Play store) – An Android app, ActiveDir Manager has the ability to do all the same things as adtool right from your phone. Convenient, I suppose, but I like adtool, because I don't always want to be fumbling about with my phone while working on remote systems. My eyes are getting as old as the rest of my body, so I prefer a nice, full-size screen. And, even though this app is available for Android tablets, I still prefer using adtool because I type very quickly (when I can see the keyboard), and adtool let's me get to work quickly. A fee-based version of this app is available for around US$ 5.00.
- AD HelpDesk (iTunes store): This free app is relatively limited, as it only resets locked-out Active Directory passwords. But, that's better than nothing. The fee-based version (around US$ 5.00) has additional features similar to Free ActiveDir Manager.
What is adtool?
Adtool is designed to administer Microsoft Active Directory implementations from Linux systems. No, it's not some sort of Google-like tool that helps you create SEO-friendly web pages or social media implementations. With adtool you can:
- Create new Active Directory groups.
- Modify existing groups.
- Delete groups.
- Change passwords, as well as alter password settings (e.g., password aging values).
- Form queries to determine the contents of an Active Directory database.
- Conduct sophisticated searches.
In short, you can do all of the things you want to do in Active Directory without resorting to launching a virtual session or walking up to a Microsoft Windows box. I'm a security consultant, in addition to my regular gig as in the education and certification industry, so I find adtool very handy, as it saves me time.
Installing adtool
Some Linux distros have adtool in package form and some don't. I prefer to install from a tarball, because in the past I've seen too many pre-created implementations with serious issues. Other implementations don't sport all of the features I need. For example, my Ubuntu 13.04 system didn't have adtool installed by default. And, it doesn't give me any joy by simply typing in sudo apt-get install adtool
.
To get adtool running on an Ubuntu system, you first need the LDAP libraries, which are available at OpenLDAP [5]. Active Directory is heavily dependent on LDAP, and successful adtool installation therefore depends on the presence of the LDAP libraries. To install, I typed:
sudo apt-get install ldap-utils
Then, I installed the libldap2-dev
package.
You also need to install OpenSSL or another tool that can create digital certificates. Although actual adtool installation doesn't absolutely require SSL-based connections or any of the libraries in OpenSSL, you'll see later in this article that you need SSL-based connections to use all the features available in adtool.
Once you set up LDAP and OpenSSL, you can install and configure the adtool tarball without any difficulty. If you follow the steps, you won't need to make any special command-line additions during the make process. Simply follow the typical sequence: ./configure
, make
, make check
, then sudo make install
.
Enabling SSL for LDAP (and adtool)
It is important to set up adtool to use SSL-based connections. Otherwise, you won't be able to use all of adtool's features. Microsoft domain controllers won't allow activities such as password changes and creation for new users to occur unless the connection is encrypted.
To enable SSL-based encryption, start by creating a signed digital certificate. You can use OpenSSL, or you can use a digital certificate supplied by a third party, such as VeriSign. I've even seen people use TinyCA, which is also known as tinyCA2 [6]. You can also create an Active Directory domain controller certificate request using a Microsoft system.
Once you have created the digital certificate, install it on the domain controller you wish to administer and then configure your LDAP server to use SSL. This step involves placing the certificate into the appropriate directories and editing LDAP server files such as /etc/ldap/ldap.conf
accordingly.
Then, you can edit the /etc/adtool.cfg
file to contain relevant information for the domain controller you wish to access, and test the implementation against a working domain controller.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.
-
ZorinOS 17.1 Released, Includes Improved Windows App Support
If you need or desire to run Windows applications on Linux, there's one distribution intent on making that easier for you and its new release further improves that feature.
-
Linux Market Share Surpasses 4% for the First Time
Look out Windows and macOS, Linux is on the rise and has even topped ChromeOS to become the fourth most widely used OS around the globe.
-
KDE’s Plasma 6 Officially Available
KDE’s Plasma 6.0 "Megarelease" has happened, and it's brimming with new features, polish, and performance.
-
Latest Version of Tails Unleashed
Tails 6.0 is based on Debian 12 and includes GNOME 43.
-
KDE Announces New Slimbook V with Plenty of Power and KDE’s Plasma 6
If you're a fan of KDE Plasma, you'll be thrilled to hear they've announced a new Slimbook with an AMD CPU and the latest version of KDE Plasma desktop.
-
Monthly Sponsorship Includes Early Access to elementary OS 8
If you want to get a glimpse of what's in the pipeline for elementary OS 8, just set up a monthly sponsorship to help fund its continued existence.
-
DebConf24 to be Held in South Korea
Busan will be the location of the latest DebConf running July 28 through August 4
-
Fedora Unleashes Atomic Desktops
Fedora has combined its solid distribution with rpm-ostree system to make it possible to deliver a new family of Fedora spins, called Fedora Atomic Desktops.
-
Bootloader Vulnerability Affects Nearly All Linux Distributions
The developers of shim have released a version to fix numerous security flaws, including one that could enable remote control execution of malicious code under certain circumstances.