User Account Synchronisation
This note describes how user accounts are synchronised between our Microsoft Active Directory server and the Linux system.
System requirements
The Linux command ldapsearch should be available with appropriate values included in the configuration file /etc/ldap.conf. Details on installation are available elsewhere.
A development environment is also needed since there are some simple C programmes to compile. Most of the programming is done using shell scripts. A good working relationship with the Active Directory administrator is highly desirable.
Outline
Account synchronisation is achieved by periodically getting a list of registered users from Active Directory, extracting user information to identify new accounts and creating the accounts.
The script will also perform some mail-related tasks and delete users that are no longer supported by Active Directory. For this exercise users are split into two groups, staff and students; this reflects the structure of the Active Directory hierarchy.
Periodic operation is achieved by invoking the script from a crontab entry. On our system the script is run once every half hour during office hours.
On our system all the scripts are in the directory /useradmin/ado but there is no reason why they should not be in any suitable location.
The system is run from two scripts getaccounts and makeusers.
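The outline above, as an added worked example in shell (not the note's own getaccounts or makeusers scripts): it takes constructed ldapsearch output and a constructed passwd extract, works out which accounts are new and which are no longer active in Active Directory, and prints the resulting plan. The base DN, the crontab hours and the managed UID range are assumptions, as is the use of the ACCOUNTDISABLE bit to treat a disabled AD account like a missing one.

```shell
#!/bin/sh
# Added example (not the note's getaccounts/makeusers scripts): work out which Linux
# accounts must be created or removed by comparing an Active Directory user list with
# the local passwd file. All input below is constructed so the example runs offline.
#
# In a live run the LDIF would come from ldapsearch using the values in /etc/ldap.conf,
# for example (base DN and filter are assumptions):
#   ldapsearch -x -LLL -b "OU=Staff,DC=example,DC=local" "(objectClass=user)" \
#       sAMAccountName userAccountControl
# and it would be scheduled from crontab, e.g. (exact hours are an assumption):
#   */30 8-18 * * 1-5 /useradmin/ado/getaccounts

# Constructed ldapsearch output: two enabled users and one disabled leaver.
SAMPLE_LDIF='dn: CN=Alice Smith,OU=Staff,DC=example,DC=local
sAMAccountName: asmith
userAccountControl: 512

dn: CN=Bob Jones,OU=Students,DC=example,DC=local
sAMAccountName: bjones
userAccountControl: 512

dn: CN=Old Leaver,OU=Staff,DC=example,DC=local
sAMAccountName: oleaver
userAccountControl: 514'

# Constructed /etc/passwd extract for the Linux system.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/sh
asmith:x:10001:10001:Alice Smith:/home/asmith:/bin/sh
ckay:x:10002:10002:Carol Kay:/home/ckay:/bin/sh
oleaver:x:10004:10004:Old Leaver:/home/oleaver:/bin/sh'

# Assumption: accounts created by the sync script get UIDs from this value upwards.
# Only those accounts are candidates for deletion, so root and other local
# system accounts are never touched by the AD comparison.
MANAGED_UID_MIN=10000

# ad_logins: read LDIF on stdin, print the sAMAccountName of every *enabled* account,
# sorted. Bit 0x2 of userAccountControl is ACCOUNTDISABLE; a disabled AD account is
# treated the same as a missing one, so it drops out of the "active" list.
ad_logins() {
    awk '
        function flush() {
            if (name != "" && !(int(uac / 2) % 2)) print name
            name = ""; uac = 0
        }
        /^sAMAccountName:/     { name = $2 }
        /^userAccountControl:/ { uac = $2 }
        /^$/                   { flush() }
        END                    { flush() }
    ' | sort
}

# local_managed_logins: read passwd lines on stdin, print logins in the managed UID range.
local_managed_logins() {
    awk -F: -v min="$MANAGED_UID_MIN" '$3 >= min { print $1 }' | sort
}

# sync_plan: print one "ADD login" line per enabled AD user with no local account and
# one "DEL login" line per managed local account that AD no longer lists as enabled.
# This is the decision step; turning each line into a useradd/userdel call (plus the
# mail set-up the note mentions) is left to the caller.
sync_plan() {
    ad_list=$(mktemp) || return 1
    local_list=$(mktemp) || { rm -f "$ad_list"; return 1; }
    printf '%s\n' "$SAMPLE_LDIF"  | ad_logins            > "$ad_list"
    printf '%s\n' "$LOCAL_PASSWD" | local_managed_logins > "$local_list"
    comm -23 "$ad_list" "$local_list" | sed 's/^/ADD /'   # in AD only
    comm -13 "$ad_list" "$local_list" | sed 's/^/DEL /'   # locally managed only
    rm -f "$ad_list" "$local_list"
}

sync_plan
```

Run as-is it prints `ADD bjones`, `DEL ckay` and `DEL oleaver`: bjones exists in AD but not locally, ckay is a managed local account AD no longer lists, and oleaver is still in AD but disabled. On a real system the passwd extract would come from `getent passwd`, and it is worth keeping the UID-range (or an explicit list of script-created accounts) guard so that a transient empty or partial ldapsearch result cannot turn into a deletion of every local account; locking an account and deferring the actual userdel to a later run gives the same protection for individual users.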