This page outlines how to perform common tasks with Active Directory.
NOTE: This page is a work in progress and is subject to change without warning.
Changing Passwords
Locking/Unlocking Accounts
Editing user attributes
User attributes can be changed by editing a user's LDAP record. The easiest way to do this interactively is with samba-tool user edit <username> on a domain controller, or with ldapvi cn=<username> from any other machine.
Users can also be batch edited with ldapmodify. See below for details.
Important attributes that might need to be changed are:
| Field | Description |
|---|---|
| displayName | automatically generated as "<givenName> <sn>" |
| givenName | First name |
| sn | Surname |
| gecos | Stores the user's real name on *NIX systems, defaults to be the same as displayName |
| LoginShell | User's *NIX shell, defaults to /bin/zsh |
| gidNumber | The user's primary POSIX group |
ldap tools
LDAP access in AD environments requires authentication to work properly. Use -x -W -D "<your_username>@ad.ucc.gu.uwa.edu.au" to authenticate the query.
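For the batch edits with ldapmodify mentioned above, here is an added example (not from the original page) that builds the LDIF from a tab-separated list, restricts changes to the attributes in the table, and base64-encodes any value that could break the LDIF line structure. The function names, the input format and the sample DNs (including the CN=Users container) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: turn "DN<TAB>attribute<TAB>new value" lines into an LDIF
# batch for ldapmodify. Helper names and input format are hypothetical.

# Only attributes from the table above may be changed (schema spelling).
ALLOWED_ATTRS="displayName givenName sn gecos loginShell gidNumber"
TAB=$(printf '\t')

# Print "name: value", or "name:: <base64>" when the value is not an LDIF
# SAFE-STRING (RFC 2849). A raw newline in a value would otherwise start a
# new LDIF line and smuggle an extra change into the batch.
ldif_attr() {
    unsafe=$(printf '%s' "$2" | LC_ALL=C tr -d ' -~' | wc -c)
    case $2 in ' '*|:*|'<'*|*' ') unsafe=1 ;; esac
    if [ "$unsafe" -gt 0 ]; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# Read the batch on stdin, write LDIF on stdout; non-zero status on bad input.
gen_ldif() {
    while IFS=$TAB read -r dn attr value; do
        [ -n "$dn" ] || continue
        ok=0
        for a in $ALLOWED_ATTRS; do
            if [ "$a" = "$attr" ]; then ok=1; fi
        done
        if [ "$ok" != 1 ] || [ -z "$value" ]; then
            printf 'refusing "%s" on %s\n' "$attr" "$dn" >&2
            return 1
        fi
        ldif_attr dn "$dn"
        printf 'changetype: modify\nreplace: %s\n' "$attr"
        ldif_attr "$attr" "$value"
        echo
    done
}

# Constructed sample batch; the users and the CN=Users container are made up.
sample_batch() {
    base='CN=Users,DC=ad,DC=ucc,DC=gu,DC=uwa,DC=edu,DC=au'
    printf 'CN=alice,%s\tloginShell\t/bin/bash\n' "$base"
    printf 'CN=bob,%s\tgecos\tBob Example\n' "$base"
}

# Usage (-n is ldapmodify's dry run; drop it once the output looks right):
#   sample_batch | gen_ldif > batch.ldif &&
#   ldapmodify -n -x -W -D "<your_username>@ad.ucc.gu.uwa.edu.au" -f batch.ldif
```

Because gen_ldif may already have written some records before it refuses a line, only pass the file to ldapmodify when gen_ldif exits with status 0, as the usage comment does with &&.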
fixing email
If the user has their email in their mail folder in their homedir rather than the general mail spool, use ldapvi to fix where it looks for their mailbox:
ldapvi -b dc=ad,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au --host samson.AD.UCC.GU.UWA.EDU.AU -Y GSSAPI
rebind: y authorization name: <leave blank>
Find the user, then add their mail location, something like:
otherMailbox: mbox:/home/ucc/<username>/Mail:INBOX=/home/ucc/<username>/Mail/inbox