Hello all,
I have a Solaris 10 system that queries a client's openldap server to deliver a certain service and the client is complaining that my system sometimes denies services to clients. Well my system only denies service to clients if the openldap system from the customer fails to answer.
In this sense I tried to write a script to monitor the openldap server and its responsiveness but ldapsearch client in Solaris 10 doesn't work as I expected :(
For example, all ok:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 01:51:53 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
version: 1
dn:
namingContexts: nodeName=XXXXX
1 matches
Now imagine that the ldap server goes down:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 02:11:04 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
ldap_search: Can't connect to the LDAP server - Connection refused
Now imagine that the machine hosting LDAP goes down or a problem somewhere in the network occurs or a firewall blocks traffic (timeout):
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 02:11:04 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
And it just stays here forever. The -l flag only works after the search is initiated server side. There isn't a switch for a connection timeout limit. With this behaviour I can't test this as I imagined.
Maybe some of you already have a monitoring script?
Thanks in advance for any tip!
PS: The script I wrote initially:
##############################################################
#!/bin/bash
# Address of the LDAP server to probe, seconds between probes, and log file
LDAP_HOST=127.0.0.1:10000
POOLING_INTERVAL=5
LOGFILE=/var/log/ldap_watchdog.log
#
echo "Watchdog started at `date`" >> $LOGFILE
while true; do
    # Base search on the root DSE; a non-zero exit status means the probe failed
    ldapsearch -v -b '' -s base -h $LDAP_HOST 'objectclass=top' namingContexts
    if [ $? -ne 0 ]; then
        echo "`date`: Could not establish connection to LDAP server" >> $LOGFILE
    fi
    sleep $POOLING_INTERVAL
done
##############################################################
Alexandre Vieira - nullpt@gmail.com
http://www.tildeslash.com/monit/
Alexandre Vieira wrote:
Hello all,
I have a Solaris 10 system that queries a client's openldap server to deliver a certain service and the client is complaining that my system sometimes denies services to clients. Well my system only denies service to clients if the openldap system from the customer fails to answer.
In this sense I tried to write a script to monitor the openldap server and its responsiveness but ldapsearch client in Solaris 10 doesn't work as I expected :(
For example, all ok:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 01:51:53 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
version: 1
dn:
namingContexts: nodeName=XXXXX
1 matches
Now imagine that the ldap server goes down:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 02:11:04 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
ldap_search: Can't connect to the LDAP server - Connection refused
Now imagine that the machine hosting LDAP goes down or a problem somewhere in the network occurs or a firewall blocks traffic (timeout):
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 02:11:04 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
And it just stays here forever. The -l flag only works after the search is initiated server side. There isn't a switch for a connection timeout limit. With this behaviour I can't test this as I imagined.
Maybe some of you already have a monitoring script?
Thanks in advance for any tip!
PS: The script I wrote initially:
##############################################################
#!/bin/bash
# Address of the LDAP server to probe, seconds between probes, and log file
LDAP_HOST=127.0.0.1:10000
POOLING_INTERVAL=5
LOGFILE=/var/log/ldap_watchdog.log
#
echo "Watchdog started at `date`" >> $LOGFILE
while true; do
    # Base search on the root DSE; a non-zero exit status means the probe failed
    ldapsearch -v -b '' -s base -h $LDAP_HOST 'objectclass=top' namingContexts
    if [ $? -ne 0 ]; then
        echo "`date`: Could not establish connection to LDAP server" >> $LOGFILE
    fi
    sleep $POOLING_INTERVAL
done
##############################################################
Alexandre Vieira - nullpt@gmail.com
"Alexandre Vieira" nullpt@gmail.com writes:
Hello all,
I have a Solaris 10 system that queries a client's openldap server to deliver a certain service and the client is complaining that my system sometimes denies services to clients. Well my system only denies service to clients if the openldap system from the customer fails to answer.
In this sense I tried to write a script to monitor the openldap server and its responsiveness but ldapsearch client in Solaris 10 doesn't work as I expected :(
For example, all ok:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 01:51:53 2008
You should search the monitor backend, with something like ldapsearch -b "cn=connections,cn=monitor" -s sub
-Dieter
"Dieter Kluenter" dieter@dkluenter.de writes:
"Alexandre Vieira" nullpt@gmail.com writes:
Hello all,
I have a Solaris 10 system that queries a client's openldap server to deliver a certain service and the client is complaining that my system sometimes denies services to clients. Well my system only denies service to clients if the openldap system from the customer fails to answer.
In this sense I tried to write a script to monitor the openldap server and its responsiveness but ldapsearch client in Solaris 10 doesn't work as I expected :(
For example, all ok:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 01:51:53 2008
You should search the monitor backend, with something like ldapsearch -b "cn=connections,cn=monitor" -s sub
Let me elaborate on this a bit further:
ldapsearch -b "cn=connections,cn=monitor" -s sub monitorcounter
gives information on the following items:
monitorConnectionNumber:
monitorConnectionOpsReceived:
monitorConnectionOpsExecuting:
monitorConnectionOpsPending:
monitorConnectionOpsCompleted:
monitorConnectionGet:
monitorConnectionRead:
monitorConnectionWrite:
In addition to connections you may search cn=waiters,cn=monitor, which gives information on waiters of all operations.
-Dieter
Regarding your description,
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 02:11:04 2008
ldap_init( 192.168.1.102:7323, 389 )
filter pattern: objectclass=top
returning: namingContexts
filter is: (objectclass=top)
And it just stays here forever. The -l flag only works after the search is initiated server side. There isn't a switch for a connection timeout limit. With this behaviour I can't test this as I imagined.
you can't search anything with ldapsearch if the remote server is down or traffic is temporarily blocked by a packet filter, because ldapsearch hangs till the next ice age.
in this case it doesn't matter at all what kind of search filter is used.
the problem is the reachability of the remote machine, as far as you can't specify any timeout on your Solaris ldapsearch tool.
if you want to stay on trying a scripting solution, maybe this is worth an attempt:
nmap <host> | grep 389 <or whatever port you use>
or
netstat <host> -pan | grep :389 | grep LISTEN
if [ $? -eq 0 ]
then
    ldapsearch bla...
else
    [ do nothing ]
fi
on the other side you can use monit to watch the remote slapd, but if the remote monit traffic is blocked by packet-filter too you got the same situation - remote machine is not reachable <for you>
Dieter Kluenter wrote:
"Dieter Kluenter" dieter@dkluenter.de writes:
"Alexandre Vieira" nullpt@gmail.com writes:
Hello all,
I have a Solaris 10 system that queries a client's openldap server to deliver a certain service and the client is complaining that my system sometimes denies services to clients. Well my system only denies service to clients if the openldap system from the customer fails to answer.
In this sense I tried to write a script to monitor the openldap server and its responsiveness but ldapsearch client in Solaris 10 doesn't work as I expected :(
For example, all ok:
bash# ldapsearch -v -b '' -s base -h 192.168.1.102:7323 'objectclass=top' namingContexts
ldapsearch: started Fri Jun 13 01:51:53 2008
You should search the monitor backend, with something like ldapsearch -b "cn=connections,cn=monitor" -s sub
Let me elaborate on this a bit further:
ldapsearch -b "cn=connections,cn=monitor" -s sub monitorcounter
gives information on the following items:
monitorConnectionNumber:
monitorConnectionOpsReceived:
monitorConnectionOpsExecuting:
monitorConnectionOpsPending:
monitorConnectionOpsCompleted:
monitorConnectionGet:
monitorConnectionRead:
monitorConnectionWrite:
In addition to connections you may search cn=waiters,cn=monitor, which gives information on waiters of all operations.
-Dieter
openldap-technical@openldap.org
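
One way to keep the watchdog from hanging when the server gives no answer at all, as an added example that is not part of any message in this thread: the probe runs in the background and is killed at a deadline, so "refused" and "timeout" are logged as different outcomes. The names run_with_deadline, probe_status, watchdog and PROBE_TIMEOUT are assumptions of this example; the ldapsearch arguments and the other variables are taken from the original script.

```shell
#!/bin/bash
# Added example: a watchdog whose probe cannot hang, without timeout(1).
LDAP_HOST=127.0.0.1:10000            # values from the original script
POOLING_INTERVAL=5
LOGFILE=/var/log/ldap_watchdog.log
PROBE_TIMEOUT=${PROBE_TIMEOUT:-10}   # assumed deadline in seconds

# run_with_deadline SECONDS CMD [ARGS...]
# Returns CMD's exit status, or 124 if CMD was still running at the deadline.
run_with_deadline() {
    local limit=$1 waited=0 cmd_pid
    shift
    "$@" >/dev/null 2>&1 &
    cmd_pid=$!
    while kill -0 "$cmd_pid" 2>/dev/null; do
        if [ "$waited" -ge "$limit" ]; then
            kill -TERM "$cmd_pid" 2>/dev/null || true
            wait "$cmd_pid" 2>/dev/null || true
            return 124
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$cmd_pid"
}

# probe_status CMD [ARGS...] prints ok, failed (e.g. connection refused)
# or timeout (no answer at all, the case that used to hang forever).
probe_status() {
    local rc=0
    run_with_deadline "$PROBE_TIMEOUT" "$@" || rc=$?
    case $rc in
        0)   echo ok ;;
        124) echo timeout ;;
        *)   echo failed ;;
    esac
}

# watchdog: call it to start the endless monitoring loop.
watchdog() {
    local result
    echo "Watchdog started at $(date)" >> "$LOGFILE"
    while true; do
        result=$(probe_status ldapsearch -b '' -s base -h "$LDAP_HOST" \
                 'objectclass=top' namingContexts)
        [ "$result" = ok ] || echo "$(date): LDAP probe: $result" >> "$LOGFILE"
        sleep "$POOLING_INTERVAL"
    done
}
```

The deadline has one-second granularity because the loop polls with sleep 1; a probe that ignores SIGTERM would need a follow-up SIGKILL.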