AWS Security Blog

How to Manage Identities in Simple AD Directories

As I said in yesterday’s blog post, How to Migrate Your Microsoft Active Directory Users to Simple AD, AWS Directory Service allows you to create a standalone, highly available AWS-managed directory called Simple AD in a matter of minutes. With Simple AD, you can centrally manage user accounts and group memberships for Amazon EC2 instances joined to a domain. It also allows you to use a single set of credentials to log in across all EC2 instances as well as provide authentication to your applications. For more information about Simple AD, see What is AWS Directory Service?

In yesterday’s post, I showed you how to migrate your identities from Microsoft Active Directory to Simple AD. In today’s post, I will talk about the commands you can use to help manage those identities in Linux and Windows environments.

Important note: Before making changes to your Simple AD directory, it is important to keep snapshots as a backup. If you need to create a snapshot of your directory now, follow these instructions.

Managing Simple AD

The following commands enable you to manage the user accounts and group memberships for your Simple AD directory. The following links take you to instructions about how to install and use Active Directory Users and Computers on EC2 instances running Microsoft Windows:

Equivalent commands for Linux are described in this post.

Note: The following instructions refer to using EC2 instances running Amazon Linux. Other Linux distributions may have different commands but should be similar. Launch and join the instance to the domain by following these instructions. Connect to the instance with a user that has rights to create objects in the domain (in other words, a Domain Admin user) using any SSH client.

These are the values used in the commands in this post:

  • User name: johndoe
  • User password: Password123!
  • Domain name: example.com
  • Domain Admin user name: Administrator
  • Domain Admin password: Admin123!
  • Group name: testgroup

Note: These values are used as examples only. You should always use long and complex values for your own passwords.

Install the prerequisite packages

$ sudo yum -y install samba-common openldap-clients krb5-workstation adcli

The following instructions explain how you can:

  • Create a new user account in your domain.
  • Test that it works, create groups, and add members to them.
  • Perform various searches against your domain.

Create and manage users

$ net ads user ADD johndoe Password123! -C "John Doe" -S example.com

New users are disabled until they are set with a password and then set to Enabled. Create a file to set the user account to Enabled by setting the userAccountControl value for the user object to 512.

$ sudo vi uac.ldif

dn: CN=johndoe,CN=Users,DC=example,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 512

Use the ldapmodify command provided by the openldap-clients package to apply the change from the LDIF file that you created in the previous step.

$ ldapmodify -h example.com -p 389 -D "cn=Administrator,cn=Users,dc=example,dc=com" -w Admin123! -f uac.ldif

Now that the user account is enabled and ready for use, you can test it by obtaining a Kerberos ticket for the user.

$ kinit johndoe
Password for johndoe@example.com:

You can see the Kerberos ticket by running the following command.

$ klist

List all users in the domain

$ net ads user -S example.com

The following commands enable you to create groups and control the members of those groups.

Create group

$ adcli create-group testgroup -v -D example.com -z "This is a test group."

Add user as a member of a group

$ adcli add-member testgroup johndoe -v -D example.com

Remove user from group

$ adcli remove-member testgroup johndoe -v -D example.com

The following commands are ways to perform searches against the domain, which is helpful in gathering a list based on specific attributes or retrieving information about users.

Search all users

$ net ads search '(objectCategory=user)' -S example.com

Search for a specific object

$ net ads search '(sAMAccountName=johndoe)' -S example.com

Search all groups

$ net ads search '(objectCategory=group)' -S example.com

The operations in this post use the command line instead of a UI so that you can automate them through scripting. For example, the command line enables you to quickly create user accounts in bulk and modify attributes for a large number of users. It also provides another way to manage identities for your Simple AD directory. The management operations I have mentioned so far in this post have been tested to work on Amazon Linux.
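The bulk attribute change described above, as an added example that is not part of the original post: a script that turns a list of user names into one LDIF file setting userAccountControl to 512 for each, rejecting names that would alter the target DN. The function names are hypothetical, and it assumes every account was created as shown earlier, so that its DN is CN=<user name>,CN=Users,<domain DN>.

```shell
#!/bin/sh
# Added example (not from the original post): build one LDIF file that enables
# many accounts, using the post's userAccountControl value of 512.
# Function names are hypothetical. Assumes each account was created as in the
# post, so its DN is CN=<user name>,CN=Users,<domain DN>.

# domain_to_dn example.com  ->  DC=example,DC=com
domain_to_dn() {
    printf '%s\n' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# valid_name NAME: allow only letters, digits, '.', '_' and '-'. A name holding
# ',' '=' '+' or spaces could change which DN the modify operation targets.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# gen_uac_ldif DOMAIN: read user names on stdin (one per line), write LDIF to
# stdout, and report rejected names on stderr.
gen_uac_ldif() {
    base=$(domain_to_dn "$1")
    while IFS= read -r user || [ -n "$user" ]; do
        [ -n "$user" ] || continue
        if ! valid_name "$user"; then
            printf 'skipped invalid name: %s\n' "$user" >&2
            continue
        fi
        printf 'dn: CN=%s,CN=Users,%s\n' "$user" "$base"
        printf 'changetype: modify\n'
        printf 'replace: userAccountControl\n'
        printf 'userAccountControl: 512\n\n'
    done
}

# Constructed sample input; the third line is rejected by valid_name.
printf 'johndoe\njanedoe\nbad,CN=Builtin\n' | gen_uac_ldif example.com

# To apply the result, redirect the output to a file (here bulk-uac.ldif) and
# pass -W so the bind password is prompted for instead of being left in shell
# history or the process list:
#   ldapmodify -h example.com -p 389 \
#     -D "cn=Administrator,cn=Users,dc=example,dc=com" -W -f bulk-uac.ldif
```

Review the generated LDIF and any names reported as skipped before applying it, and take a directory snapshot first as recommended at the top of this post.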

Conclusion

This blog post has shown you how to manage identities in a Simple AD from an EC2 instance running Linux or Windows. You can use these commands to create new users and new groups, assign members to groups, and search those objects based on specific attributes.

You can post comments below, or visit the AWS Directory Service forum to post comments and questions.

– Chen