HOWTO: Managing Active Directory users under Linux with adtool

Usually people manage Linux boxes from Windows clients, but sometimes someone (like me, for example) needs to manage a Windows server from a Linux host (which could be an ordinary client or another server that wants to talk to Windows).

IMO, Active Directory is one of the best products from Microsoft, since it’s based on a well-known standard like X.500 (aka LDAP) and it has good interoperability (although it could be better, see all the problems the Samba people had in the past). So, even if there are tools like PHPLdapAdmin which are pretty good, if you need to automate user and group management there’s nothing better than a command line tool. Enter adtool.

adtool is very simple to use, but it’s not so simple to get up and running, because this involves, amongst other things, activating Secure LDAP in your Active Directory installation. To do this you can follow this guide, which will lead you through all the steps needed to enable LDAPS in Windows Server 2003. It may look scary but it works indeed, I used it myself.

Then, install adtool. In Debian/Ubuntu:

# aptitude install adtool

adtool is probably already present in your distribution’s repositories, so use your package manager. If it’s not, simply download the adtool tarball from its homepage and do the usual:

$ tar xzvf adtool-1.3.tar.gz
$ cd adtool-1.3
$ ./configure
$ make
# make install

It should be quite straightforward.
Now that we have everything installed, we can configure adtool.
Create /etc/adtool.cfg or, even better, $HOME/.adtool.cfg: it will contain sensitive information (the bind credentials), so restrict its permissions to the user you intend to use for modifying Active Directory.
Put this in the config file (adapt it to your needs):

uri ldaps://domain-controller.domain.tld
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
searchbase dc=domain,dc=tld

As you can see we are using LDAPS here, because otherwise some adtool features, like changing users’ passwords, wouldn’t be available.
You don’t necessarily have to use the Administrator account; you can use whatever account you want, as long as it has the right permissions (create users, change passwords, etc.).

So you can start poking your AD from the Linux command line, like this:

# create a new user with a dn like cn=$NAME,ou=$DEP,dc=domain,dc=tld
$ adtool usercreate "$NAME" "ou=$DEP,dc=domain,dc=tld"

# set the user's logon password (quote it: it may contain shell metacharacters)
$ adtool setpass "$NAME" "$my_secret_password"

# unlock the account (locked by default)
$ adtool userunlock "$NAME"

# disable all the "account options" in the user's Account tab, amongst them
# "Password never expires", which is again enabled by default (512 = normal account, no extra flags)
$ adtool attributereplace "$NAME" userAccountControl 512

# set the user's mail address
$ adtool attributeadd "$NAME" mail user@domain.tld

# add the user to a group
$ adtool groupadduser "$my_group" "$NAME"

This can be very useful for user scripting and system integration if you’re in a mixed environment, as we are.
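The command sequence above, wrapped into an onboarding script, as an added example (not code from the original post or from the adtool project). It assumes adtool 1.3 on PATH reading $HOME/.adtool.cfg as configured above; the OU, group and mail domain are placeholders, the function names are our own, and the permission check uses GNU stat. It adds the checks a cautious admin would want before touching the directory: the config file holding the bind credentials must not be group- or world-readable, the initial password must satisfy AD's default complexity policy (a comment below describes setpass silently failing on weak passwords), and each adtool step is checked before the next one runs. It also decodes userAccountControl values, so the 512 in the post can be read as flags and accounts that still carry "Password never expires" can be audited.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes adtool on PATH and the
# adtool.cfg from the post; OU/group/domain names below are placeholders.

ADTOOL="${ADTOOL:-adtool}"                 # override to use another binary
CFG="${ADTOOL_CFG:-$HOME/.adtool.cfg}"     # file holding the bind credentials

# Refuse to run if the config is readable by anyone but its owner.
# Uses GNU stat; adapt the format string on BSD systems.
check_cfg_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing: $1 has mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# AD's default domain policy: at least 7 characters and at least 3 of the 4
# classes upper, lower, digit, non-alphanumeric. setpass fails otherwise.
meets_complexity() {
    pw=$1
    [ "${#pw}" -ge 7 ] || return 1
    classes=0
    case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    [ "$classes" -ge 3 ]
}

# 16-character initial password from /dev/urandom, retried until it passes
# the complexity rule above.
gen_password() {
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!#%+.:=?@_' </dev/urandom | head -c 16)
        if meets_complexity "$pw"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done
}

# Decode a userAccountControl value into flag names (documented ADS_UF_*
# constants): 2=ACCOUNTDISABLE 16=LOCKOUT 32=PASSWD_NOTREQD
# 512=NORMAL_ACCOUNT 65536=DONT_EXPIRE_PASSWD. 512 alone is what the post sets.
uac_describe() {
    uac=$1
    out=""
    [ $((uac & 2)) -ne 0 ] && out="$out ACCOUNTDISABLE"
    [ $((uac & 16)) -ne 0 ] && out="$out LOCKOUT"
    [ $((uac & 32)) -ne 0 ] && out="$out PASSWD_NOTREQD"
    [ $((uac & 512)) -ne 0 ] && out="$out NORMAL_ACCOUNT"
    [ $((uac & 65536)) -ne 0 ] && out="$out DONT_EXPIRE_PASSWD"
    printf '%s\n' "${out# }"
}

# The sequence from the post, stopping at the first failing step.
# adtool takes the password as an argument, so it is visible in the process
# list while setpass runs; a script at least keeps it out of shell history.
provision_user() {
    name=$1; ou=$2; group=$3; password=$4
    check_cfg_perms "$CFG" || return 1
    meets_complexity "$password" || { echo "password too weak" >&2; return 1; }
    "$ADTOOL" usercreate "$name" "$ou" || return 1
    "$ADTOOL" setpass "$name" "$password" || return 1
    "$ADTOOL" userunlock "$name" || return 1
    "$ADTOOL" attributereplace "$name" userAccountControl 512 || return 1
    "$ADTOOL" attributeadd "$name" mail "$name@domain.tld" || return 1
    "$ADTOOL" groupadduser "$group" "$name" || return 1
}

# Usage: ./onboard.sh jdoe "ou=Sales,dc=domain,dc=tld" sales_users
if [ "$#" -eq 3 ]; then
    initial_pw=$(gen_password)
    provision_user "$1" "$2" "$3" "$initial_pw" &&
        printf 'initial password: %s\n' "$initial_pw"
fi
```

The generated password is printed once for handing over to the user; the 512 written by attributereplace clears every other flag, including ACCOUNTDISABLE, so run uac_describe on the value attributeget returns before and after if you want to confirm what changed.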


23 thoughts on “HOWTO: Managing Active Directory users under Linux with adtool”

  1. This is excellent! Between Likewise Open, it’s getting a lot easier to interact with the Microsoft world.

    Thanks for the writeup!

    By the way, I’m having some problems with the “attributeget” flag. I get this result:

    $ adtool attributeget cn=OpsMachines,cn=Computers,dc=mydomain,dc=com member
    error: Error in ldap_search_s for ad_search: Operations error

    Any idea what is going wrong? OpsMachines is a group under Computers. I have run equivalent queries with user account attributes, and I get the same “Operations error”. Initial googling didn’t get me any closer.

    Does it work on yours?

  2. @Matt: Try to use the leftmost CN in the DN you’re looking for, not the whole DN. In your example, try with:

    $ adtool attributeget OpsMachines member

    it should work (at least, it works for me, I can successfully enumerate the members of a group)

  3. Hi Vide,

    It’s funny I found this tool before your site only last week. I tried getting SSL to work and according to Fig.54 on that page using the ldp tool it’s all fine. But when I use ldaps:// I get the following error:

    bind: : Can’t contact LDAP server (-1)

    Change it back to ldap and it works. Ever had that issue? Seems very odd, especially when I can even use Luma to browse the LDAP entries over port 636. Not sure what’s going on, I’ve even traced packets and I can see it actually talking to the AD box on port 636.

    It’s a shame there aren’t better debugging modes in adtool, and it seems it’s not been worked on for a while too.

  4. @Félim: to be honest, IIRC, I experienced something similar during the first 1-2 days of LDAPS implementation... I touched so many things that I cannot remember, and then one day, magically, it started to work perfectly. Maybe there could be a problem with the certificates in the Linux client you’re running AD in; try to import your AD CA certificate into your system’s certificates.

  5. Anyway yes, it’s truly a pity that adtool gets so little attention, it’s a very nice tool. I should really start studying (again) C :/

  6. Sorted !

    BASE dc=your_server,dc=domain,dc=com
    URI ldaps://
    TLS_REQCERT allow

    And it works perfectly… obvious I suppose! Oh well!!

  7. @Felim I tried your line “TLS_REQCERT” and it didn’t work for me. Like you, I could go to ldap:// and have things work, but I’d like to get ldaps:// working. Did you do anything else at all to get that to work?

  8. If I am joined and editing a group on domain1, but want to add a user from domain2, can I? I’ve tried adding domain2\user and user@domain2.fqdn but it does not seem to like it. Being able to deal with multiple domains would make scripting pretty nice.

  9. @Slonkak: if you assumed, as I did, that TLS_REQCERT was to be added to adtool.cfg, it actually needs to be added to ldap.conf

  10. Just as an FYI, I was getting the error …

    error: Error in ldap_search_s for ad_search: Operations error

    …when trying to do a search with adtool. I ended up downloading and compiling adtool 1.3 myself and this fixed the issue. I was using adtool 1.2 when I had the issue. This is on Debian Etch.

  11. Tool works very nice. I used the following to enable ssl in AD (TinyCA2):
    I wasted several hours thinking that the tool wasn’t working, when in fact it was. I repeatedly attempted to set a user’s password that didn’t meet the password complexity requirements set by default in AD (thought others might find that tip helpful). Does anyone know how to set a user’s first and last name using the tool?

  12. Here is the answer to how to set users’ first, last and display names:
    adtool attributereplace jdoe "givenName" John
    adtool attributereplace jdoe "sn" Doe
    adtool attributereplace jdoe "displayName" "John Doe"

  13. Simon,
    I tried adding the TLS_REQCERT to the ldap.conf but still I get the same error

    bind: : Can’t contact LDAP server (-1)
    error: Error in ldap_bind Can’t contact LDAP server

    I am wondering if we have to exchange the cert manually for this to work? Is there anything I am missing?
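Comments 6, 9 and 13 above all circle around the same client-side setting, so here is an added example (not part of the thread, and not adtool's own code) showing the alternative to TLS_REQCERT allow. "allow" tells the OpenLDAP client library to proceed even if the DC's certificate cannot be verified, which makes the LDAPS bind work but removes the protection LDAPS was enabled for. The safer fix is the one Vide hints at in comment 4: import the AD CA certificate and point the client at it with TLS_CACERT, keeping the default TLS_REQCERT demand. The file written here is OpenLDAP's ldap.conf (system-wide, or ~/.ldaprc for one user); the paths, hostname and function names are placeholders. The URI must carry the name on the DC's certificate, not an IP address, since hostname checking is part of verification.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: the ldap.conf path, the
# CA file path and the DC hostname. TLS_REQCERT semantics are OpenLDAP's:
# never = no cert requested, allow = accept a bad/missing cert,
# try = accept a missing cert, demand/hard = verify or fail (the default).

# Write an ldap.conf that trusts the AD CA explicitly and keeps verification on.
write_ldap_conf() {
    conf=$1; base=$2; dc=$3; cacert=$4
    [ -r "$cacert" ] || { echo "CA cert $cacert not readable" >&2; return 1; }
    cat >"$conf" <<EOF
BASE $base
URI ldaps://$dc:636
TLS_CACERT $cacert
TLS_REQCERT demand
EOF
}

# Check the chain the DC presents against that CA before blaming adtool.
# Returns 0 only if openssl reports "Verify return code: 0 (ok)".
check_ldaps_cert() {
    dc=$1; cacert=$2
    openssl s_client -connect "$dc:636" -CAfile "$cacert" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage (paths are placeholders):
#   write_ldap_conf /etc/ldap/ldap.conf dc=domain,dc=tld \
#       domain-controller.domain.tld /etc/ssl/certs/ad-ca.pem
#   check_ldaps_cert domain-controller.domain.tld /etc/ssl/certs/ad-ca.pem \
#       && adtool attributeget "$NAME" mail
```

If check_ldaps_cert fails with a name mismatch, the DC's certificate was issued for a different name than the one in URI; if it fails on an unknown issuer, the exported CA file is not the one that signed the DC's certificate. Only once it passes is the "Can't contact LDAP server (-1)" from the comments likely to be something other than certificate verification.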

  14. Well, thank you, this was exactly what I was looking for, but what if I have two objects with the same name? I have many such objects in my directory. Is there a way to point to them using the distinguishedName? Or how to get the second match, for example..?
