Pages

Saturday, December 3, 2011

Migrating /etc/services into LDAP

Before you continue reading you should know that migrating /etc/services into LDAP may refuses your system to boot. I had plenty of trouble with /etc/services in LDAP, that is why I don't use it anymore. The next point is that you may use different operating systems. In this case the content of /etc/services may differ. When I take a look at /etc/services in Slackware, I have three entrys for port 1: 

# more /etc/services
...
rtmp              1/ddp    #Routing Table Maintenance Protocol
tcpmux            1/tcp    #TCP Port Service Multiplexer
tcpmux            1/udp    #TCP Port Service Multiplexer
...

In Solaris 10 I have only one entry for port 1:

# more /etc/services
...
tcpmux          1/tcp
...

What is right and what is wrong now?
Nevertheless, here is a way to put /etc/services into LDAP. I will use ssh as an example, in most cases it runs on all systems on port 22. First create a ldif file like this:

# vi services.ldif
dn: ou=services,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: services

dn: cn=ssh+ipServiceProtocol=tcp,ou=services,dc=example,dc=com
objectClass: ipService
objectClass: top
cn: ssh
ipServicePort: 22
ipServiceProtocol: tcp

dn: cn=ssh+ipServiceProtocol=udp,ou=services,dc=example,dc=com
objectClass: ipService
objectClass: top
cn: ssh
ipServicePort: 22
ipServiceProtocol: udp

It contains an organizational unit and two objects for ssh for udp and tcp on port 22. Then add the content to your DIT:

# ldapadd -x -W -D 'cn=ldapadmin,dc=example,dc=com' -f services.ldif
Enter LDAP Password:
adding new entry "ou=services,dc=example,dc=com"

adding new entry "cn=ssh+ipServiceProtocol=tcp,ou=services,dc=example,dc=com"

adding new entry "cn=ssh+ipServiceProtocol=udp,ou=services,dc=example,dc=com"

Nect uncomment the ssh lines in /etc/services:

# vi /etc/services
...
#ssh             22/tcp    #Secure Shell Login
#ssh             22/udp    #Secure Shell Login
...

Now test that your system can't resolve port 22 with ssh:

# getent services | grep ssh | grep 22

With the command above you shouldn't get any output. Now prepare your system to lookup for services in your LDAP. First tell your system where to look for services in your LDAP by adding the nss_base_services line into /etc/ldap.conf:

# vi /etc/ldap.conf
...
nss_base_services       ou=services,dc=example,dc=com?one
...

Then tell your system to look for services in your LDAP by modifying /etc/nsswitch.conf:

# vi /etc/nsswitch.conf
...
services:       files ldap
...

Your system is now ready. Give it a try with the getent command from above:

# getent services | grep ssh | grep 22
ssh                   22/tcp
ssh                   22/udp

That's it. As I told you, I don't recommend migrating /etc/services in LDAP. Maybe it was just me but I had lots of trouble with this.

No comments:

Post a Comment