Managing UNIX Information from a UNIX Terminal

Many organizations find it least disruptive for their UNIX administrators to continue to manage their UNIX and Linux computers directly from their own computer rather than from a Windows computer. If you plan to manage zones, UNIX user and group accounts, access privileges, roles, and role assignments from a UNIX or Linux computer, you can use the command-line tools described in this section.

Using UNIX Commands

The following table summarizes the most commonly used Centrify command-line programs.

Command (location): description

  • adcheck (/usr/share/centrifydc/bin): Performs operating system, network, and Active Directory tests to verify that a computer meets the system requirements for a successful installation. For example, the install.sh script runs adcheck before installing the agent.

  • adedit (/usr/bin): Starts the adedit application for interactive commands or for running scripts. For more information about the adedit application, see Using ADEdit.

  • adflush (/usr/sbin): Clears the computer’s agent cache. Use this after you have made changes to Active Directory accounts so that cached values are removed and replaced with the current ones.

  • adgpupdate (/usr/bin): Retrieves group policies from the Active Directory domain controller and applies the policy settings to the local computer and current user immediately. If you do not run the command, group policies are updated automatically at a random interval between 90 and 120 minutes.

  • adinfo (/usr/bin): Displays summary or detailed diagnostic information for the managed computer.

  • adjoin (/usr/sbin): Joins the local computer to an Active Directory domain, organizational unit, and zone.

  • adleave (/usr/sbin): Removes the local computer from the Active Directory domain.

  • adpasswd (/usr/bin): Changes the Active Directory account password for the current user or a specified user.

  • adquery (/usr/bin): Queries Active Directory for information about users and groups.

  • dzinfo (/usr/bin): Displays information about the effective rights and roles for the current login account.

  • dzdo (/usr/bin): Enables you to run privileged commands as root or as another user.

Some UNIX commands require you to be logged on as root or as a user with root privileges. Other commands allow different operations or return different results if you are logged on as root. For the complete list of Verify Privilege Server Suite command-line programs you can run on Linux and UNIX computers, see the Administrator’s Guide for Linux and UNIX. For detailed information about the options available for any command, see the man page for that command.

Using ADEdit

The Verify Privilege Server Suite Agent for *NIX also includes the Tcl-based ADEdit program. ADEdit has two basic components:

  • the adedit command-line application

  • the ade_lib Tcl library

ADEdit provides a scripting language that you can use to bind to one or more Active Directory domain controllers. You can then use ADEdit to retrieve, modify, create, and delete Active Directory objects of any kind, including Verify Privilege Server Suite-specific objects such as zones, rights, and roles. For example, you used ADEdit and a sample script to create rights and a role in the section Defining command rights and a new role for Apache administrators.

The following sections introduce a few of the key features for ADEdit. For more information about using ADEdit commands and the ade_lib library, see the ADEdit Command Reference and Scripting Guide.

ADEdit Application

ADEdit uses Tcl as its scripting language. The Tcl scripting language includes all standard programming features, such as variables, logical operators, and predefined functions (called “procedures” in Tcl). The ADEdit application also includes a Tcl interpreter and Tcl core commands, which allow it to execute standard Tcl scripts, and a comprehensive set of its own commands designed to manage Verify Privilege Server Suite-specific objects in Active Directory.

You can use ADEdit to execute individual commands interactively or to execute sets of commands together in the form of an ADEdit script.

ade_lib Tcl Library

The ade_lib Tcl library is a collection of Tcl procedures that provide helper functions for common Centrify-specific management tasks, such as listing zone information for a domain or creating an Active Directory user. You can include ade_lib in other ADEdit scripts (with package require ade_lib) to use its procedures.

Using adedit Sample Scripts

The Verify Privilege Server Suite Agent for *NIX includes several sample adedit scripts that you can run in your evaluation environment. The scripts are in the /usr/share/centrifydc/samples/adedit directory on the UNIX or Linux computer where you have the agent installed.

To run scripts that have the .sh extension, enter /bin/sh filename.sh.

To run scripts that do not have an extension, you can just enter ./filename.

If you get the error /bin/env: bad interpreter: No such file or directory when you run a script, the first line of the script (the #! line) points at /bin/env, but the env command is not in /bin on your system. In most cases it is in /usr/bin instead. To fix this, change the first line of the script to:

#!/usr/bin/env adedit
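Putting the pieces above together, here is an added example of a complete adedit script. It is not one of the sample scripts shipped with the agent, and the script name, the option letters, and the domain shown in the usage line are illustrative. It uses the /usr/bin/env #! line, loads ade_lib (shown here only to demonstrate how the library is loaded; the script itself relies on core adedit commands), parses -d/-u/-p/-m options in the same style as the sample scripts, binds to the domain, and reports the type and user count of every zone. The adedit commands it calls (bind, get_zones, select_zone, get_zone_field, get_zone_users) are the ones documented in the ADEdit Command Reference; check the exact option syntax against the agent version you have installed. The security point it makes: a password passed with -p is visible to every local user in the process list and is kept in shell history, so prefer -m (authenticate as the computer account) or let the script prompt for the password.

```tcl
#!/usr/bin/env adedit
# zone-inventory: bind to a domain and report each zone's type and user count.
# Added example; not one of the sample scripts in /usr/share/centrifydc/samples/adedit.
# Assumed names: "zone-inventory" and the option letters are illustrative.

package require ade_lib

proc usage {} {
    puts stderr "usage: zone-inventory -d domain \[-u AD_user\] \[-p password\] \[-m\]"
    exit 1
}

# Parse options in the same style as the sample scripts (getopt-example).
set domain ""; set user ""; set password ""; set usemachine 0
for {set i 0} {$i < $argc} {incr i} {
    switch -- [lindex $argv $i] {
        -d      { set domain   [lindex $argv [incr i]] }
        -u      { set user     [lindex $argv [incr i]] }
        -p      { set password [lindex $argv [incr i]] }
        -m      { set usemachine 1 }
        default { usage }
    }
}
if {$domain eq ""} { usage }

if {$usemachine} {
    # Authenticate with the computer account: no password on the command
    # line, in shell history, or in the process list.
    bind -machine $domain
} else {
    if {$user eq ""} { usage }
    if {$password eq ""} {
        # Prompt with terminal echo off; a value given with -p can be read
        # by any local user with ps while the script runs.
        puts -nonewline "Password for $user: "
        flush stdout
        exec stty -echo <@stdin
        gets stdin password
        exec stty echo <@stdin
        puts ""
    }
    bind $domain $user $password
}

# get_zones returns the distinguished names of every zone in the domain.
foreach zdn [get_zones $domain] {
    select_zone $zdn
    set type  [get_zone_field type]
    set users [llength [get_zone_users]]
    puts [format "%-12s %4d users  %s" $type $users $zdn]
}
```

Run it as ./zone-inventory -d example.com -m from a joined computer, or with -d example.com -u admin@example.com to be prompted for the password. Because the script reads the password from the terminal rather than the command line, it can be left in a shared samples directory without the risk of credentials leaking through shell history files.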

The following table lists the sample scripts and the arguments.

Script name: required arguments; optional arguments

  • AddUnixUsers: users.txt; none.

  • ApacheAdminRole: none; none.

  • computers-report: -domain domain_name -u AD_user_name -sep separator; -m, -p password.

  • CreateChildZones: -d domain_name -z parent_zone_name -u AD_user_name; -p password.

  • CreateParentZone: -d domain_name -z zone_name; none.

  • GetChildZones: none; none.

  • GetComputers: none; none.

  • GetGroups: none; none.

  • getopt-example: -d domain_name -u AD_user_name; -p password.

  • Getusers: none; none.

  • GetZones: none; none.

  • MakeRole: Role_apacheAdmin.txt; none.

  • MktDept.sh: a list of names, for example Mary, Joe, and Lance; none.

  • useracc-report: -domain domain_name -u AD_user_name -sep separator; -m, -p password.

  • user-report: -z zone_distinguished_name; -m, -p password.

For the scripts that accept -m, use -m if you want to authenticate using the computer account credentials instead of an Active Directory user account. If you are using an Active Directory user account, use -p if you want to include the user's password on the command line. If you do not specify -p, you are prompted for the password.

For more information about the sample scripts and how they can be used or modified, see the ADEdit Command Reference and Scripting Guide.