Fetch port services from LDAP server

Hi,

We have an LDAP server configured with services (ports) and want to know how to fetch them on the LDAP clients:

cat /etc/nsswitch.conf|grep -i services

services: files sss (neither sss nor ldap works)

By doing "#getent services" I am getting only the results from /etc/services, but I need to fetch all the service entries from the LDAP server.

LDAP server:
```
objectClass: top
objectClass: organizationalUnit
ou: Services
```

Do we have to add anything on sssd.conf or ldap.conf ?

Thanks in advance!

Regards,
Sridaran G
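As an added example (not from the thread or from either poster), the sssd.conf fragment below shows the settings that decide whether an unkeyed "getent services" can enumerate the LDAP services map at all; it assumes the client uses sssd's LDAP provider, and the domain name, URI and DNs are placeholders.

```ini
# /etc/sssd/sssd.conf (added example; domain name, URI and DNs are placeholders)
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = dc=xxx,dc=xxx

# Where the ipService objects live (the ou=Services subtree from the thread)
# and which object class sssd treats as a service entry (ipService is the default).
ldap_service_search_base = ou=Services,dc=xxx,dc=xxx
ldap_service_object_class = ipService

# enumerate defaults to False: sssd then answers only keyed lookups such as
# "getent services 10000", and an unkeyed "getent services" lists /etc/services
# only. True lets the nss responder enumerate the map, at the cost of
# periodically pulling the whole subtree from the server.
enumerate = True

# sssd fetches large result sets with the pagedResults control; a server that
# refuses page sizes above its own limit needs this lowered to fit under it.
ldap_page_size = 200
```

With enumeration on, the server-side administrative limit discussed later in the thread still applies to sssd's own searches, so the page size has to be one the server accepts.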

Sridaran,
Hello!

How are you trying to fetch these attributes/values ?

Please be specific as to clients/utilities and commands/arguments, we’ll see if we can help.

– lawrence

Hello Lawrence,

Thanks for responding!

Actually we contacted a consultant and came to know there is a limit set on the LDAP query, and it will not list all the port services configured in the LDAP server. So you have to specify the exact port number to get the TCP/UDP port details from the LDAP server, e.g.:
#getent services 24678 → this will search in /etc/services; if it's not available there, it will search in LDAP and give the respective output.

We wanted to run the commands below, but it seems it's not possible:
#getent services → to list all the services in LDAP.
#getent services | grep -i 24678 → This is also not working, but as mentioned above, if we search without grepping then it lists from the LDAP server.

Also, if we do an ldapsearch, it's listing:

```
ldapsearch -x -b "ou=Services,dc=xxx,dc=xxx" "ipServicePort=10000"
# extended LDIF
#
# LDAPv3
# base <ou=Services,dc=xxx,dc=xxx> with scope subtree
# filter: ipServicePort=10000
# requesting: ALL
#

# portapp + tcp, Services, xxx.xxx
dn: cn=portapp+ipServiceProtocol=tcp,ou=Services,dc=xxx,dc=xxx
objectClass: top23
objectClass: ipService
cn: portMMI
ipServiceProtocol: tcp
ipServicePort: 10000

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

If we try to search all the services by object class, it's not listing because of the limit-exceeded issue:

```
#ldapsearch -x -b "ou=Services,dc=xxx,dc=xxx" "objectclass=*"
# extended LDIF
#
# LDAPv3
# base <ou=Services,dc=xxx,dc=xxx> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 1
```

Regards,
Sridaran G

ahhh, firstly well done.

The limit you are exceeding is most likely the search result limitation imposed by the LDAP back end. Your first step in this situation should be to apply a filter to the search to reduce the enumeration of the possible results.

#~ ldapsearch -x -b "ou=Services,dc=xxx,dc=xxx" "objectclass=ipService"

If that fails you may be able to page search results to the limit imposed by the LDAP back end.

#~ ldapsearch -x -E pr=200/prompt -b "ou=Services,dc=xxx,dc=xxx" "objectclass=ipService"

(prompting you to press a key to see each set of 200 search results)

"Possibly" circumvent the search result limitation imposed by the LDAP back ends entirely, as with Active Directory and possibly others (then grep).

#~ ldapsearch -x -E pr=2147483647/noprompt -b "ou=Services,dc=xxx,dc=xxx" "objectclass=ipService"

The last is an extreme example that would likely only be useful if you had tens of thousands of ipService class objects, but is provided here to be an example for other types of broad searches, like searching a large directory for all user class objects and grepping for a specific text string found in an attribute common to that class.

#~ ldapsearch -x -E pr=2147483647/noprompt -b "ou=Users,dc=xxx,dc=xxx" "(&(objectclass=inetOrgPerson)(displayName=*))" | grep -i Smith

Hope it helps!

– lawrence

Hello Lawrence,

Thanks a lot, you are a genius :slight_smile:
Grepping a large directory for all user class objects is very useful!!!

The enumeration is working for a search that lists the entire set of entries in LDAP, like "ldapsearch -x -E pr=200/prompt uid=*", which was very, very useful, but for ipService it's not listing.

The output:
```
ldapsearch -x -E pr=200/prompt -b "ou=Services,dc=xxx,dc=xxx" "objectclass=ipService"
# extended LDIF
#
# LDAPv3
# base <ou=Services,dc=xxx,dc=xxx> with scope subtree
# filter: objectclass=ipService
# requesting: ALL
# with pagedResults control: size=200
#

# search result
search: 2
result: 11 Administrative limit exceeded

# numResponses: 1
```

The output with Debug mode enabled:

```
ldapsearch -d1 -x -E pr=200/prompt -b "ou=Services,dc=xxx,dc=xxx" "objectclass=ipService"
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP hostname:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying xx.xx.xx.xx:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x7f5feasdfad230 msgid 1
wait4msg ld 0x7asdffecad343 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f5sdfewad230 msgid 1 all 1
** ld 0x7f59sadfwd12 Connections:
* host: hostname port: 389 (default)
  refcnt: 2 status: Connected
  last used: Fri Jan 13 13:31:41 2017

** ld 0x7f5asdfcad567 Outstanding Requests:
 * msgid 1, origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f5asdfad567 request count 1 (abandoned 0)
** ld 0x7f59feasdfd567 Response Queue:
   Empty
  ld 0x7f59fasdfd567 response count 0
ldap_chkResponseList ld 0x7f59feasdf567 msgid 1 all 1
ldap_chkResponseList returns ld 0x7fasdfcad567 NULL
ldap_int_select
read1msg: ld 0x7fasfecad567 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7asfsfcad567 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7fsafdcad567 0 new referrals
read1msg: mark request completed, ld 0x7fasdfcad567 msgid 1
request done: ld 0x7fasdfsfd567 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <ou=Services,dc=xxx,dc=xxx> with scope subtree
# filter: objectclass=ipService
# requesting: ALL
# with pagedResults control: size=200
#

ldap_search_ext
put_filter: "objectclass=ipService"
put_filter: default
put_simple_filter: "objectclass=ipService"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 123 bytes to sd 3
ldap_result ld 0x7f5sadfad567 msgid -1
wait4msg ld 0x7f5asdfad567 msgid -1 (infinite timeout)
wait4msg continue ld 0x7asdfecad567 msgid -1 all 0
** ld 0x7f59fasdf567 Connections:
* host: hostname port: 389 (default)
  refcnt: 2 status: Connected
  last used: Fri Jan 13 13:31:41 2017

** ld 0x7f5asdfd567 Outstanding Requests:
 * msgid 2, origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f59feasf567 request count 1 (abandoned 0)
** ld 0x7f5asfad567 Response Queue:
   Empty
  ld 0x7f59fsafd567 response count 0
ldap_chkResponseList ld 0x7f59fsdf567 msgid -1 all 0
ldap_chkResponseList returns ld 0x7f59fasdfd567 NULL
ldap_int_select
read1msg: ld 0x7f5sadfad567 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x7fasdfecad567 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x7f59fasdfd567 0 new referrals
read1msg: mark request completed, ld 0xasdffecad230 msgid 2
request done: ld 0x7asdfsafda1445 msgid 2
res_errno: 11, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 11 Administrative limit exceeded
ldap_msgfree

# numResponses: 1
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
```

Regards,
Sridaran G

…hmmm. Possibly something remarkable about the object that requires a proper filter format. Just as a test, try the following to see if the issue is with the paging of the class/attribute format:

#~ ldapsearch -x -E pr=2147483647/noprompt -b "ou=Services,dc=xxx,dc=xxx" "(&(objectclass=ipService)(ipServicePort=*))"

– lawrence

Hi Lawrence,

Apologies for the delay in responding.

Please find the output below:

```
ldapsearch -x -E pr=2147483647/noprompt -b "ou=Services,dc=xxx,dc=xxx" "(&(objectclass=ipService)(ipServicePort=*))"
# extended LDIF
#
# LDAPv3
# base <ou=Services,dc=xxx,dc=xxx> with scope subtree
# filter: (&(objectclass=ipService)(ipServicePort=*))
# requesting: ALL
# with pagedResults control: size=2147483647
#

# search result
search: 2
result: 11 Administrative limit exceeded
text: illegal pagedResults page size

# numResponses: 1
```

Kind Regards,
Sridaran G
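The paging behaviour discussed in Lawrence's `-E pr=` suggestion and the "illegal pagedResults page size" refusal in the last output, as an added example that is not code from the thread: a paged-retrieval loop in Python that follows RFC 2696 cookies and falls back to a smaller page when the server rejects the requested size. The directory is a constructed in-memory stand-in for the LDAP server (a real client would issue the searches with python-ldap or ldap3), and the entries and the cap of 10 are made up.

```python
from dataclasses import dataclass

ADMIN_LIMIT_EXCEEDED = 11  # LDAP resultCode adminLimitExceeded, as in the thread


class AdminLimitExceeded(Exception):
    """Raised where a real server would answer resultCode 11."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for ou=Services that caps the pagedResults size."""
    entries: list
    max_page_size: int

    def paged_search(self, page_size: int, cookie: bytes) -> tuple:
        # Mirrors the refusal the thread's server gave an oversized pr= value.
        if page_size > self.max_page_size:
            raise AdminLimitExceeded(ADMIN_LIMIT_EXCEEDED, "illegal pagedResults page size")
        start = int(cookie) if cookie else 0
        page = self.entries[start:start + page_size]
        end = start + len(page)
        # An empty cookie tells the client the result set is exhausted.
        return page, (str(end).encode() if end < len(self.entries) else b"")


def fetch_all(server, page_size: int) -> tuple:
    """Walk every page; on resultCode 11 halve the page size and restart.
    Returns the entries and the page size the server finally accepted."""
    while page_size >= 1:
        results, cookie = [], b""
        try:
            while True:
                page, cookie = server.paged_search(page_size, cookie)
                results.extend(page)
                if not cookie:
                    return results, page_size
        except AdminLimitExceeded:
            page_size //= 2  # the cap is below what we asked for; shrink and retry
    raise RuntimeError("server rejected every page size")


def ports_for(entries: list, port: int) -> list:
    """Client-side equivalent of 'getent services | grep <port>' once fetched."""
    return [e for e in entries if e["ipServicePort"] == port]


# Constructed sample data: 25 ipService-style entries behind a cap of 10 per page.
SAMPLE = [{"cn": f"svc{i}", "ipServiceProtocol": "tcp", "ipServicePort": 10000 + i}
          for i in range(25)]
DIRECTORY = FakeDirectory(SAMPLE, max_page_size=10)
```

Starting from the thread's pr=2147483647 the loop halves down to 7, the first size under the cap, and then needs four pages to read all 25 entries.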