Create a user in Active Directory from Linux.

Posted on Wed 12 June 2013 by Pavlo Khmel

Manage Active Directory from Linux.

Changes on Windows Server 2008 R2

Add a new role - Active Directory Certificate Services in Windows Server 2008 R2. The DC needs a certificate before it will accept LDAPS, and AD only accepts password changes (setpass below) over an encrypted connection:
http://esihere.wordpress.com/2012/01/17/a-complete-guide-on-active-directory-certificate-services-in-windows-server-2008-r2/

Create the certificate - LDAP over SSL (LDAPS) Certificate
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Linux (CentOS)

Install adtool

wget http://gp2x.org/adtool/adtool-1.3.3.tar.gz
tar xvzf adtool-1.3.3.tar.gz
cd adtool-1.3.3
./configure
make
make install

/usr/local/etc/adtool.cfg

uri ldaps://dc1.ad.test.local
binddn cn=Administrator,cn=Users,dc=ad,dc=test,dc=local
bindpw xxxxxxxxx
searchbase dc=ad,dc=test,dc=local

bindpw is stored in clear text, so keep this file readable only by the account that runs adtool (chmod 600). For routine provisioning, bind as a dedicated account with rights delegated on the target OU rather than as Administrator.

/etc/openldap/ldap.conf

URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_REQCERT allow

Only the TLS_REQCERT line matters for adtool; the server and search base come from adtool.cfg. TLS_REQCERT allow makes libldap accept the DC's certificate without validating it, so a spoofed DC would be accepted as well. Once the CA certificate from the new ADCS role has been exported to the Linux host, point TLS_CACERT at that file and use TLS_REQCERT demand instead.

Test with list and search:

adtool search ou Users
adtool list cn=Users,dc=ad,dc=test,dc=local
adtool list ou=Users,ou=MYNAME,dc=ad,dc=test,dc=local

Real example - create a new user:

adtool useradd testuser ou=Users,ou=MYNAME,dc=ad,dc=test,dc=local
adtool userrename testuser 'First-Name Lastname'
adtool setpass 'First-Name Lastname' 'xxxxxxxxx'
adtool userunlock 'First-Name Lastname'
adtool attributereplace 'First-Name Lastname' userPrincipalName testuser@ad.test.local
adtool attributereplace 'First-Name Lastname' sAMAccountName testuser
adtool attributereplace 'First-Name Lastname' mail testuser@test.com
adtool attributereplace 'First-Name Lastname' givenName 'First-Name'
adtool attributereplace 'First-Name Lastname' sn 'Lastname'
adtool attributereplace 'First-Name Lastname' displayName 'First-Name Lastname'
# Get a user attribute
adtool attributeget testuser mail

Explanation

# Create user

adtool useradd testuser ou=Users,ou=MYNAME,dc=ad,dc=test,dc=local
adtool userrename testuser 'First-Name Lastname'

# Create, then rename: useradd takes a single name, and the pre-Windows 2000
# logon name (sAMAccountName) is limited to 20 characters for backward
# compatibility ("Name Length Limits from the Schema"). The object is therefore
# created under the short login name and only then renamed to the full CN;
# the logon attributes are set explicitly below.
# http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability%28v=ws.10%29.aspx

# Set password and unlock
# setpass only works over LDAPS: the DC rejects password changes on an
# unencrypted connection. The password is passed on the command line, so it
# lands in the shell history and is visible in the process list while the
# command runs.
adtool setpass "First-Name Lastname" 'xxxxxxxxx'
adtool userunlock "First-Name Lastname"

# Login name (UPN). The UPN is normally login@UPN-suffix, as ADUC sets it;
# a bare "testuser" is accepted by the DC but is not the usual form.
adtool attributereplace "First-Name Lastname" userPrincipalName testuser@ad.test.local
# Logon name (pre-Windows 2000), at most 20 characters
adtool attributereplace "First-Name Lastname" sAMAccountName testuser

# Email
adtool attributereplace "First-Name Lastname" mail testuser@test.com

# First name and Last name
adtool attributereplace "First-Name Lastname" givenName "First-Name"
adtool attributereplace "First-Name Lastname" sn "Lastname"

# Display name
adtool attributereplace "First-Name Lastname" displayName "First-Name Lastname"
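The whole create-rename-set-attributes sequence above, wrapped in a small script so the steps run in a safe order and the login name is checked before anything is created. This is an added example, not code from the original post or from adtool; the domain ad.test.local, the target OU, the AD_INITPASS variable and the ADTOOL=echo dry-run switch are assumptions of this example, and adtool.cfg is assumed to already hold a working ldaps:// uri, binddn and bindpw.

```sh
#!/bin/sh
# Added example (not from the original post): create an AD user with adtool.
# Assumed values: domain ad.test.local and the OU below; adtool.cfg is
# assumed to already point at the DC over ldaps:// with valid credentials.
set -eu

DOMAIN="${DOMAIN:-ad.test.local}"
TARGET_OU="${TARGET_OU:-ou=Users,ou=MYNAME,dc=ad,dc=test,dc=local}"
# Set ADTOOL=echo to print the adtool commands instead of running them.
ADTOOL="${ADTOOL:-adtool}"

# sAMAccountName is limited to 20 characters and may not contain any of
# " / \ [ ] : ; | = , + * ? < >. This check is deliberately stricter
# (letters, digits, dot, underscore and hyphen only) to stay clear of the
# edge cases; relax it if your naming policy needs other characters.
valid_login() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._-]{1,20}$'
}

# UPN in the form ADUC would set it: login@suffix, not the bare login name.
upn_for() {
    printf '%s@%s\n' "$1" "$DOMAIN"
}

# create_ad_user LOGIN FIRST LAST MAIL
# Creates the object under the short login (because of the sAMAccountName
# limit), renames it to "First Last", fills in the logon and name attributes,
# and only then sets the password and enables the account, so the account is
# never enabled without a password.
create_ad_user() {
    login="$1"; first="$2"; last="$3"; mail="$4"
    cn="$first $last"
    # The initial password comes from the environment rather than argv of
    # this script; adtool still receives it on its own command line, so it is
    # briefly visible in the process list.
    password="${AD_INITPASS:?set AD_INITPASS to the initial password}"

    valid_login "$login" || { echo "invalid login name: $login" >&2; return 2; }

    "$ADTOOL" useradd "$login" "$TARGET_OU"
    "$ADTOOL" userrename "$login" "$cn"
    "$ADTOOL" attributereplace "$cn" sAMAccountName "$login"
    "$ADTOOL" attributereplace "$cn" userPrincipalName "$(upn_for "$login")"
    "$ADTOOL" attributereplace "$cn" givenName "$first"
    "$ADTOOL" attributereplace "$cn" sn "$last"
    "$ADTOOL" attributereplace "$cn" displayName "$cn"
    "$ADTOOL" attributereplace "$cn" mail "$mail"
    "$ADTOOL" setpass "$cn" "$password"
    "$ADTOOL" userunlock "$cn"
}

# Usage (dry run, prints the ten adtool commands without touching the DC):
#   AD_INITPASS='...' ADTOOL=echo ./adtool-useradd.sh testuser First-Name Lastname testuser@test.com
# Drop ADTOOL=echo to actually create the account.
if [ $# -eq 4 ]; then
    create_ad_user "$@"
fi
```

Run it once with ADTOOL=echo and review the printed sequence before pointing it at a real DC; the only network calls are the adtool invocations, so the dry run is safe to repeat.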

Useful links:
List of attributes to modify: http://www.kouti.com/tables/userattributes.htm
adtool home page: http://gp2x.org/adtool/