Using ADEdit

The Centrify UNIX agent also includes the Tcl-based ADEdit program. ADEdit has two basic components:

  • the adedit command-line application
  • the ade_lib Tcl library

ADEdit provides a scripting language that you can use to bind to one or more Active Directory domain controllers. You can then use ADEdit to retrieve, modify, create, and delete Active Directory objects of any kind, including Centrify-specific objects such as zones, rights, and roles. For example, you used ADEdit and a sample script to create rights and a role in "Defining command rights and a new role for Apache administrators".

The following sections introduce a few of the key features for ADEdit. For more information about using ADEdit commands and the ade_lib library, see the ADEdit Command Reference and Scripting Guide.

ADEdit application

ADEdit uses Tcl as its scripting language. The Tcl scripting language includes all standard programming features, such as variables, logical operators, and predefined functions (called "procedures" in Tcl). The ADEdit application also includes a Tcl interpreter and Tcl core commands, which allow it to execute standard Tcl scripts, and a comprehensive set of its own commands designed to manage Centrify-specific objects in Active Directory.

You can use ADEdit to execute individual commands interactively or to execute sets of commands together in the form of an ADEdit script.
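The following script is added here as an illustration; it is not one of the Centrify sample scripts. It shows the shape of a typical ADEdit script: it binds to a domain as an Active Directory user, retrieves every zone in the domain, and reports each zone's type. It assumes that the ADEdit commands bind, get_zones, select_zone and get_zone_field behave as described in the ADEdit Command Reference and Scripting Guide (in particular that bind prompts for the password when you give a user but no password), that the Tcl interpreter bundled with adedit is 8.5 or later (for dict), and that the script is saved as list-zones, a made-up name.

```tcl
#!/usr/bin/env adedit
# Added example, not a Centrify sample script.
# Binds to a domain as an Active Directory user, lists every zone in the
# domain with its type, then summarizes how many zones of each type exist.
#
# Usage: ./list-zones domain_name AD_user_name
#
# Assumed to behave as documented in the ADEdit Command Reference and
# Scripting Guide: bind, get_zones, select_zone, get_zone_field.

if {[llength $argv] != 2} {
    puts stderr "usage: $argv0 domain_name AD_user_name"
    exit 1
}
set domain [lindex $argv 0]
set user   [lindex $argv 1]

# The password is deliberately not passed to bind. With the user given and
# the password omitted, adedit prompts for it, so the password never shows
# up in the process list or in the shell history.
if {[catch {bind $domain $user} err]} {
    puts stderr "bind to $domain failed: $err"
    exit 1
}

# get_zones returns the distinguished name of every zone in the domain.
# select_zone makes one zone current so that get_zone_field can read its
# attributes. Returns a dict of zone type -> number of zones of that type.
proc list_zones_in {domain} {
    set counts [dict create]
    foreach zoneDN [get_zones $domain] {
        select_zone $zoneDN
        set name [get_zone_field name]
        set type [get_zone_field type]
        dict incr counts $type
        puts [format "%-32s %-10s %s" $name $type $zoneDN]
    }
    return $counts
}

set counts [list_zones_in $domain]
puts ""
dict for {type n} $counts {
    puts [format "%-10s %d zone(s)" $type $n]
}
```

Run it as ./list-zones example.com admin after making the file executable. The choice to omit the password from bind is the same trade-off the sample scripts make with their -p option: typing the password at the prompt keeps it out of ps output and shell history, at the cost of not being usable unattended.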

ade_lib Tcl library

The ade_lib Tcl library is a collection of Tcl procedures that provide helper functions for common Centrify-specific management tasks such as listing zone information for a domain or creating an Active Directory user. You can include ade_lib in other ADEdit scripts to use its commands.

Using adedit sample scripts

The Centrify UNIX agent includes several sample adedit scripts that you can run in your evaluation environment. The scripts are in the /usr/share/centrifydc/samples/adedit directory on the UNIX or Linux computer where you have the agent installed.

To run a script that has the .sh extension, enter /bin/sh filename.sh.

To run a script that has no extension, enter ./filename. These scripts begin with an interpreter line (#!) that starts adedit, so the file must be executable and the env command must be where that line expects it.

Note:   If you get the error /bin/env: bad interpreter: No such file or directory when you run a script, the env command is not in the /bin directory on your computer. In most cases it is in /usr/bin instead; command -v env shows where it actually is. To fix the script, change its first line to:

#!/usr/bin/env adedit

The following table lists the sample scripts and their required and optional arguments.

Script name         Required arguments                       Optional arguments
AddUnixUsers        users.txt                                none
ApacheAdminRole     none                                     none
computers-report    -domain domain_name                      -m
                    -u AD_user_name                          -p password
                    -sep separator
CreateChildZones    -d domain_name                           -p password
                    -z parent_zone_name
                    -u AD_user_name
CreateParentZone    -d domain_name                           none
                    -z zone_name
GetChildZones       none                                     none
GetComputers        none                                     none
GetGroups           none                                     none
getopt-example      -d domain_name                           -p password
                    -u AD_user_name
Getusers            none                                     none
GetZones            none                                     none
MakeRole            Role_apacheAdmin.txt                     none
MktDept.sh          List of names, for example,              none
                    Mary, Joe, and Lance
useracc-report      -domain domain_name                      -m
                    -u AD_user_name                          -p password
                    -sep separator
user-report         -z zone_distinguished_name               -m
                                                             -p password

The -m and -p options mean the same thing in every script that accepts them:

  • Use -m to authenticate with the computer account credentials instead of an Active Directory user account.
  • If you authenticate as an Active Directory user, use -p to supply the user's password on the command line. If you omit -p, the script prompts for the password. Prefer the prompt outside of throwaway evaluation runs: a password passed as an argument is visible to every user on the computer in the process list and is saved in your shell history.

For more information about the sample scripts and how they can be used or modified, see the ADEdit Command Reference and Scripting Guide.