Tuesday, November 29, 2011

Migrating /etc/rpc into LDAP

If you are using any RPC service like NFS or NIS then you probably know the command rpcinfo. With rpcinfo you can list all RPC services running on a remote host:

# rpcinfo -p dc01
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

The information about the program number (100000), the service name (portmapper) and the description (portmap, sunrpc and rpcbind) is stored in /etc/rpc:

# grep portmapper /etc/rpc
portmapper      100000  portmap sunrpc rpcbind

The information about the protocol (tcp/udp) and the port (111) is stored in /etc/services but does not matter here:

# grep 111 /etc/services
sunrpc          111/tcp    rpcbind      #SUN Remote Procedure Call
sunrpc          111/udp    rpcbind      #SUN Remote Procedure Call

If you are thinking about migrating /etc/services into LDAP - don't. Stop it. It is a really bad idea.
The information stored in /etc/rpc, however, can be stored in LDAP. In most cases this is not necessary, but it is possible, and here is how to do it. To migrate the /etc/rpc file to LDAP, take a look at the file first:

# cat /etc/rpc
portmapper      100000  portmap sunrpc rpcbind

The appropriate LDIF for the portmapper looks like this:

# vi /etc/rpc.ldif
dn: ou=rpc,dc=example,dc=com
ou: rpc
objectClass: top
objectClass: organizationalUnit

dn: cn=portmapper,ou=rpc,dc=example,dc=com
objectClass: oncRpc
objectClass: top
cn: portmapper
cn: rpcbind
cn: portmap
cn: sunrpc
description: rpcbind
oncRpcNumber: 100000

At the top it has an organisational unit for all RPC services. You only need this once. The second object is for the portmapper itself. It contains all the information shown in /etc/rpc: the service name (the first cn, which is also the naming attribute of the entry), the aliases, the program number and the description. Now add the file /etc/rpc.ldif to your LDAP:

# ldapadd -x -W -D 'cn=ldapadmin,dc=example,dc=com' -f /etc/rpc.ldif
Enter LDAP Password:
adding new entry "ou=rpc,dc=example,dc=com"

adding new entry "cn=portmapper,ou=rpc,dc=example,dc=com"

Configure your nsswitch.conf to look up RPC services in LDAP and disable the file lookup:

# vi /etc/nsswitch.conf
rpc:            ldap
#rpc:           files

Tell your LDAP client where to look for RPC services:

# vi /etc/ldap.conf
nss_base_rpc            ou=rpc,dc=example,dc=com?one

Then check if your configuration works:

# getent rpc
portmapper      100000  rpcbind portmap sunrpc

If you disabled the file lookup and enabled only the LDAP lookup in /etc/nsswitch.conf then you should get exactly one entry. Now use rpcinfo to check all RPC services on a remote host again:

# rpcinfo -p dc01
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  52036
    100024    1   tcp  35779

Everything after the portmapper shows up really slowly. This happens because for each entry rpcinfo tries to look up an appropriate RPC service in your LDAP, and LDAP does not contain those services yet; every lookup fails and falls through to nothing, because the file lookup is disabled. That means you have to create an LDAP object for each entry in /etc/rpc and add it to your LDAP.
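Creating one oncRpc entry by hand for every line of /etc/rpc is tedious, so here is a small converter that does the whole file at once. It is example code added here, not part of the original post; it reads the /etc/rpc format (name, program number, aliases, # comments), emits the organizationalUnit once and one oncRpc entry per service under the assumed base DN dc=example,dc=com, and uses a constructed excerpt of /etc/rpc as sample input when no file is given.

```python
#!/usr/bin/env python3
"""Convert an /etc/rpc style file into LDIF using the RFC 2307 oncRpc class.
Added example, not code from the original post."""
import sys

# Constructed excerpt in /etc/rpc format: name  program-number  [aliases...]
RPC_SAMPLE = """\
# /etc/rpc excerpt (constructed sample)
portmapper      100000  portmap sunrpc rpcbind
rstatd          100001  rstat rstat_svc rup perfmeter   # trailing comment
nfs             100003  nfsprog
"""

def dn_escape(value):
    """Escape characters that are special in an RDN value (RFC 4514)."""
    return "".join("\\" + c if c in ',+"\\<>;#=' else c for c in value)

def parse_rpc(text):
    """Yield (name, number, aliases) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError("malformed /etc/rpc line: %r" % raw)
        yield fields[0], int(fields[1]), fields[2:]

def rpc_to_ldif(text, base_dn, ou="rpc"):
    """Return LDIF: one organizationalUnit, then one oncRpc entry per service."""
    ou_dn = "ou=%s,%s" % (ou, base_dn)
    out = ["dn: %s" % ou_dn, "ou: %s" % ou,
           "objectClass: top", "objectClass: organizationalUnit", ""]
    for name, number, aliases in parse_rpc(text):
        # The RDN value (the service name) must also appear as a cn attribute;
        # the aliases become additional cn values, as nss_ldap expects.
        out += ["dn: cn=%s,%s" % (dn_escape(name), ou_dn),
                "objectClass: oncRpc", "objectClass: top", "cn: %s" % name]
        out += ["cn: %s" % alias for alias in aliases]
        out += ["description: %s" % name, "oncRpcNumber: %d" % number, ""]
    return "\n".join(out)

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else RPC_SAMPLE
    sys.stdout.write(rpc_to_ldif(src, "dc=example,dc=com"))
```

Run it as `./rpc2ldif.py /etc/rpc > /etc/rpc.ldif` and feed the result to the same ldapadd command used above; entries that already exist (such as the portmapper) will be reported as duplicates and can be removed from the file first.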