Hi all,
I'm currently in the process of migrating LDAP data from a really
outdated system to something a bit fresher. So, I started with the
OpenLDAP as provided by Debian, and learned that a good part of the
system management knowledge I had is outdated. So, I stared reading TFM.
... and stumbled over the section where I wanted to learn how to set up
monitoring with the cn=config configuration scheme.
Naturally, that was exactly the incentive I needed to actually start
giving back something to the community. So, I ended up playing around a
bit and googling a bit and scratching my head a lot, taking notes, and
came up with something you might want to add into the manual -- see below.
Unfortunately, the whole thing did not exactly work out as I intended,
because the crucial step insists on failing. Namely, trying to create a
monitor database fails, indicating there already is one in existence.
However, I can't find any such beast:
root@host:~/ldap# ldapsearch -Q -LLL -H ldapi:/// -Y EXTERNAL -b
'cn=config' '(|(olcDatabase=monitor)(objectClass=olcMonitorConfig))'
root@host:~/ldap#
I have actually tried to add the above data using slapadd, with slapd
shut down, and got an even more confusing error message:
root@host:~/ldap# slapadd -n 0 -l addMonitorDB.ldif
slapadd: could not add entry dn="olcDatabase=Monitor,cn=config"
(line=1): autocreation of "olcDatabase={-1}frontend" failed
_######### 46.91% eta none elapsed none spd
1.3 M/s
Closing DB...
So, what do I need to do to get my manual suggestion into working condition?
(And also allow me to monitor my all fresh LDAP instance :-)
Cheers,
Arno
-----8<--------------cut here... manual text below ------------->8------
20.1. Monitor configuration via cn=config(5)
To enable monitoring an OpenLDAP server, the "monitor" database needs
to be available and configured, also allowing read acces to it.
20.1.1. Ensure the monitor backend is available
The first step is to ensure the monitor database is part of the
running slapd process. As database backends can be build into the main
binary, or loaded dynamically, as configured, the initial step is to
check if the module is built in, is already loaded, or, if not, add it
to the configuration.
20.1.2. Check the binary for built-in modules
By running
root@host:~/ldap# slapd -VVV
@(#) $OpenLDAP: slapd (May 23 2018 04:25:19) $
Debian OpenLDAP Maintainers <pkg-openldap-devel(a)lists.alioth.debian.org>
Included static backends:
config
ldif
root@host:~/ldap#
it is easy to check if the monitor backend database is built-in; in
the above case, it is not. If it already is part of the slapd binary,
the process goes to section 20.1.5 further below.
20.1.3. Check module loader configuration
*Note* that the below examples use one particular scheme to access
LDAP with administrative, i.e. full, privileges; things may be
configured differently in other environments. (The example is correct
for a stock Debian 9 installation, by the way.)
Checking if the monitor backend is already configured to be loaded
requires querying the LDAP configuration, in particular the module
loader configuration:
root@host:~/ldap# ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b
'cn=config' '(objectClass=olcModuleList)' olcModuleLoad
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}back_monitor
root@host:~/ldap#
In this example, we see the back_monitor module to be loaded. If a
line referencing this module was not shown, the next step is described
below. Otherwise, proceed at section 20.1.5.
20.1.4. Add the monitor module to the module loader configuration
20.1.4.1. Verify the necessary module exists.
A careful administrator will ensure the needed module is actually
available to be loaded. This is done by checking the needed file
exists in the module loader's path.
We assume the path to be correctly set up in the loaders configuration
in the first place, trusting that the package builder prepared this
step. Thus:
root@host:~/ldap# ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b
'cn=config' '(objectClass=olcModuleList)' olcModulePath
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
olcModulePath: /usr/lib/ldap
root@host:~/ldap# ls -l /usr/lib/ldap/*monitor*
lrwxrwxrwx 1 root root 26 May 23 2018
/usr/lib/ldap/back_monitor-2.4.so.2 -> back_monitor-2.4.so.2.10.7
-rw-r--r-- 1 root root 109408 May 23 2018
/usr/lib/ldap/back_monitor-2.4.so.2.10.7
-rw-r--r-- 1 root root 976 May 23 2018 /usr/lib/ldap/back_monitor.la
lrwxrwxrwx 1 root root 26 May 23 2018 /usr/lib/ldap/back_monitor.so
-> back_monitor-2.4.so.2.10.7
root@host:~/ldap#
and voilà, things look good, the module shared object file is
available, and things are prepared for different versions coexisting
in the usual Unix/Linux way. (The author has no idea what to expect on
a windows system.)
If things did *not* look good, it would be time to check the
distribution repositories for packages with OpenLDAP modules, or
verify the build and installation process, both of which is out of
scope of this chapter.
20.1.4.2. Adding the monitor backend to the loader configuration
Assuming paths and binaries are all correct, it's now merely a matter
of adding some attributes to the module loader's configuration. This
can be done with just a few lines of LDIF:
root@host:~/ldap# cat loadMonitor.ldif
dn: cn=config,cn=module
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor
root@host:~/ldap# ldapmodify -H ldapi:/// -Y EXTERNAL -f loadMonitor.ldif
should do all that is necessary. Error messages hopefully provide an
indication of what went wrong in case there is a problem.
20.1.5. Verifying the monitor backend needs to be configured
Of course, we start out being extra-careful, by checking that no
monitor backend is already configured:
root@host:~/ldap# ldapsearch -LLL -H ldapi:/// -Y EXTERNAL -b
'cn=config' '(objectClass=olcDataBaseConfig)' olcDatabase objectClass
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {2}mdb
root@host:~/ldap#
Carefully checking the output, it becomes clear no monitor database is
available as yet, so we need to continue.
20.1.6. Adding a "monitor" database
Again, a simple LDAP add operation will be sufficient:
root@host:~/ldap# cat addMonitorDB.ldif
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: to dn.subtree=cn=monitor by users read
root@host:~/ldap#
Naturally, the ACL(s) may be adjusted as needed.
root@host:~/ldap# ldapadd -H ldapi:/// -Y EXTERNAL -f addMonitorDB.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcDatabase=monitor,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: only one monitor database allowed
(BETTER NOT PUBLISH THE FINAL TWO LINES...)