
Managing Users In Active Directory From Linux – adtool Thursday, August 21, 2008

Posted by Félim in Linux, Microsoft, Security.

Last week I found a truly excellent tool for adding, modifying and managing users in Active Directory from Linux. It's in the Ubuntu repositories:

sudo aptitude install adtool

For a more thorough guide to setting it up, Vide has a great one over at his site.

One thing that caught me out: you have to make sure your /etc/ldap/ldap.conf file is set up correctly. That should have been obvious, but it stumped me for a while (it's necessary for setting passwords, etc., which AD only allows over an encrypted connection).

Make sure you have the following in your config:

BASE    dc=ad-servername,dc=example,dc=com
URI     ldaps://ad-servername.example.com
TLS_REQCERT allow

This lets the client accept the server's SSL certificate: TLS_REQCERT allow means the LDAPS connection proceeds even if the certificate can't be verified against a trusted CA (the stricter alternative is to keep the default, demand, and point TLS_CACERT at the CA that issued the domain controller's certificate). Without it you'll get an error like this:

bind: : Can’t contact LDAP server (-1)

And hey presto, you can avoid using MMC to manage users. :-) And if you combine it with wmic… happy days!
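An added check for the ldap.conf settings above (example script written for this page, not part of adtool or the original post): it reads an OpenLDAP client config, confirms the URI is ldaps://, and reports what the TLS_REQCERT value actually means for certificate verification, so you can see why the "allow" setting clears the bind error and what it gives up. The two demo configs and the CA path /etc/ssl/certs/example-internal-ca.pem are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of adtool or the original post): lint an OpenLDAP
# client config such as /etc/ldap/ldap.conf for the settings the post relies on.
# check_ldap_conf returns 0 when the config both uses LDAPS (needed for AD
# password changes) and verifies the server certificate; 1 when something
# needs attention. Host names and paths below are constructed for the demo.

# Last value of a (case-insensitive) key in an ldap.conf; comment lines start
# with '#', so their first field never matches a key name.
ldap_conf_get() {
    awk -v key="$2" 'toupper($1)==key {val=$2} END {print val}' "$1"
}

check_ldap_conf() {
    conf="$1"
    status=0
    uri=$(ldap_conf_get "$conf" URI)
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)

    case "$uri" in
        ldaps://*) echo "ok:   URI uses LDAPS ($uri)" ;;
        ldap://*)  echo "warn: URI is plaintext ldap:// ($uri); AD refuses password changes over an unencrypted channel"; status=1 ;;
        "")        echo "warn: no URI set"; status=1 ;;
        *)         echo "warn: unrecognised URI scheme ($uri)"; status=1 ;;
    esac

    # OpenLDAP treats an unset TLS_REQCERT as 'demand'.
    case "${reqcert:-demand}" in
        demand|hard)
            if [ -n "$cacert" ] || [ -n "$cadir" ]; then
                echo "ok:   server certificate verified against ${cacert:-$cadir}"
            else
                echo "warn: TLS_REQCERT demands a valid certificate but no TLS_CACERT/TLS_CACERTDIR is set; an internal-CA or self-signed AD certificate fails with 'Can't contact LDAP server (-1)'"
                status=1
            fi ;;
        allow|try)
            echo "warn: TLS_REQCERT $reqcert: an invalid or unverifiable server certificate is accepted, so the server's identity is not verified"
            status=1 ;;
        never)
            echo "warn: TLS_REQCERT never: the server certificate is not requested at all"
            status=1 ;;
        *)
            echo "warn: unknown TLS_REQCERT value '$reqcert'"; status=1 ;;
    esac
    return $status
}

# Demo on two constructed configs: the post's working-but-unverified setup,
# and a strict one that trusts a named internal CA instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/as-posted.conf" <<'EOF'
BASE    dc=ad-servername,dc=example,dc=com
URI     ldaps://ad-servername.example.com
TLS_REQCERT allow
EOF
cat > "$demo_dir/strict.conf" <<'EOF'
BASE    dc=example,dc=com
URI     ldaps://ad-servername.example.com
TLS_REQCERT demand
TLS_CACERT  /etc/ssl/certs/example-internal-ca.pem
EOF
for f in "$demo_dir/as-posted.conf" "$demo_dir/strict.conf"; do
    echo "== $f"
    if check_ldap_conf "$f"; then echo "result: pass"; else echo "result: needs attention"; fi
done
rm -rf "$demo_dir"
```

The "as posted" config passes the URI check but is flagged on TLS_REQCERT: allow gets past the bind error because the client stops failing on an unverifiable certificate, not because the certificate is now trusted. The strict config keeps the default demand and names the CA file, which is the fix to prefer once you have the domain CA certificate on the Linux box.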

Comments»

1. Jessica - Tuesday, November 4, 2008

I'd love to get this adtool thing to work, but am not an LDAP god/expert/novice or even pawn. Is there some simple documentation explaining (not conceptually, but with real examples) how to use this tool to query the Active Directory? Examples of command line options, what needs to be in the /etc/adtool.cfg, what sort of users/accounts/permissions need to be in place on the AD server, etc.

I’ve seen the man page, but it leaves a lot to be desired.
I’ve guessed and tried quite a bit, trying various combinations of ou=foo, dc=blah, cn=what, etc., but really don’t know what else to try.

It would be great to NOT have to boot up a Windows box to do AD administration.

Thanks!

2. Félim - Wednesday, November 5, 2008

Hi Jessica,

Not sure if you want to post the details of your AD here, but I can certainly give you the basics of it if you want?

In my example I had a domain controller called felim-srv2.test.domain

So I set up two files (Ubuntu/Debian).
In my home folder I created a file called .adtool.cfg which contained:

uri ldaps://felim-srv2.nlctest.domain
binddn cn=Administrator,cn=Users,dc=nlctest,dc=domain
bindpw blank
searchbase dc=nlctest,dc=domain

This was using the Administrator account, but you don’t need that, you just need to be a user with rights to manage whatever OU contains the user you want to manage.

Then I also had to add to my /etc/ldap/ldap.conf:

BASE dc=felim-srv2,dc=nlctest,dc=domain
URI ldaps://felim-srv2.nlctest.domain
TLS_REQCERT allow

This allows me to use LDAPS and manage the user passwords. It's a bit hard not knowing your setup (that being the main issue, as you do have to know the paths), but if you want to post more info I'll happily reply, or I can email you if you'd like.

The best way to really discover whether something is an OU or a CN is to use an LDAP browser like Luma for Linux. AD hides the raw LDAP locations away, which can be a bit of a pain.

3. Jessica - Friday, November 7, 2008

Félim:
Thanks for the reply. Can you email me? I still have many questions; for example, what is 'nlctest'?

email: jessica6_2000@yahoo.com

Thanks!

4. Félim - Thursday, February 26, 2009

Did you ever get this working? nlctest was just a name for the Windows Domain in this example. If, say, you were Yahoo and you had a server called srv1,

Then we’d use:

BASE dc=srv1,dc=yahoo,dc=com
URI ldaps://srv1.yahoo.com

Apologies, wordpress/gmail dropped your reply, so if it's still causing you hassle let me know.

5. Jessica - Wednesday, June 3, 2009

Hello, I didn’t see this reply until recently.
When I try to connect:

adtool list foo.com

I get the following:

bind: : Can’t contact LDAP server (-1)

Here’s what I currently have. A user with a .adtool.cfg in homedir containing:

uri ldaps://srv02.foo.com
binddn cn=jess6,cn=Users,dc=srv02,dc=foo,dc=com
bindpw blank
searchbase dc=srv02,dc=foo,dc=com

(where foo is really my domain, and srv02.foo.com does resolve to my AD server)

I have /etc/adtool.cfg

uri ldap://srv02.foo.com
binddn dc=foo,dc=com
searchbase dc=foo,dc=com

Should this work?

Félim - Wednesday, June 3, 2009

Hey Jessica,

What does your /etc/ldap/ldap.conf look like? (The path might be different depending on your distro.)

You should have it set up like so:
BASE dc=srv02,dc=foo,dc=com
URI ldaps://srv02.foo.com
TLS_REQCERT allow

Well there is no problem having multiple setups in there but you need one for this server specifically. It’s possible the “TLS_REQCERT allow” line will fix it. It caused me all sorts of headaches.

The local config will override the /etc one, so that's ok. Also make sure your bindpw is obviously set to whatever it is. That *should* have you good to go. But your list command is a little off:

adtool list "ou=User Accounts,dc=srv02,dc=foo,dc=com"

Should show users; bear in mind the whitespace in User Accounts means you need the inverted commas around it. Hope it works! If not, let me know.

6. Jessica - Wednesday, June 3, 2009

Félim:
Thanks for the quick response!
Actually, I didn't have a /etc/ldap/ldap.conf file, so I created one as you described. I also changed my query, but I get the same result:

bind: : Can’t contact LDAP server (-1)

I do not have a bindpw set. Where would I set that?

Félim - Wednesday, June 3, 2009

What distro are you running? If it's not Debian based that might not work at all; in fact it's likely that it's under /etc/openldap or some other path. That bindpw line goes into the adtool.cfg and will be the password of whatever user you are using in the same file. Does that make sense?

7. Jessica - Wednesday, June 3, 2009

I’m using Suse 10.3, and I just found the file exists in /etc/openldap.

After fixing these things, I get the same result though:

bind: : Can’t contact LDAP server (-1)

Perhaps I am out of luck. However, all this gave me another idea. I know there is an email client “Evolution” which can hook into an AD mail system if they have the webmail server in operation. I would think it would be easier to make something that talks to the webmail via http rather than directly to AD itself. Thoughts?

8. Félim - Wednesday, June 3, 2009

I've only seen that error when the "TLS_REQCERT allow" setting is missing. I presume you can actually resolve the AD box? Also I'm guessing there is no firewall blocking access for you as well?

You want to manage AD users, do you not? Evolution talks to Exchange alright, but it's purely an email client. I don't know the inner workings, but it will be using MAPI to transfer mail back and forth and it uses a form of WebDAV for calendaring. It doesn't have any way to manage AD; AD doesn't talk HTTP either. Perhaps I'm misunderstanding you though.