Hi!
I posted an announcement here about a year ago about my little LDAP monitoring project CN=Monitor. Asked for feedback and received a lot. Thank you! Some feedback was related to adding replication verification for OpenLDAP so of course I gave it a try.
Unfortunately I don’t have a large scale OpenLDAP environment to verify this functionality on so I need your help :) Is it working and can it be improved?
This is how it works: The contextCSN is verified on all servers within the same environment. See attached image.
As always… I appreciate all feedback I can get and let me know if you have any suggestions on new features or something else that can approve this monitoring application.
Project page: http://cnmonitor.sourceforge.net
Freshmeat: http://freshmeat.net/projects/cnmonitor
Best Regards - Andreas
Hi Andreas!
We must have missed your post a year ago, but thanks a lot for this one. As we sometimes experience trouble in our OpenLDAP replication, we do appreciate a tool which could visualize the current replication status, as seen in the screenshot, so your tool immediately caught my attention and I spent an hour to install it today.
I also spent another hour looking at the two PDF guides; just ... sorry if I overlooked anything ... I cannot get to the page you are showing in your screenshot. I don't have a "Replication" button at all in my options.
We have configured two servers which we can see in the tool. We can do queries and we get a nice status page. All fine. But I guess I will have to put somewhere in the config the information that those two servers are replicating each other, don't I? Just I cannot find any example how to do that.
Regards, Torsten
Hi Torsten!
Your servers should be recognized as openldap.
- Check the Environment page if it says "OpenLDAP".
- Click on one of the servers to open the server view page and you should now see two more buttons. One saying Cache in the middle and replication (to the right).
It would be interesting to know how much CN=Monitor recognizes your servers as OpenLDAP because that should be enough to show these options. Can you fetch monitoring information from base suffix cn=monitor (CN=Monitor fetches statistics from this base suffix) for OpenLDAP?
Yes the documentation can and will be improved until the next release and the buttons are a bit hidden in the server view.
To view replication information you don't need to configure anything more in CN=Monitor than one environment with your servers if you are running on ports 389 and 636 and it allows anonymous access. In my example I'm using a monitoring user.
CN=Monitor configuration:

    <environment>
      <name>Test OpenLDAP</name>
      <dn>cn=CNMonitor User,dc=domain,dc=com</dn>
      <password>secret</password>
      <server>
        <name>10.0.1.14</name>
      </server>
      <server>
        <name>10.0.1.15</name>
      </server>
    </environment>
This user is allowed access to both cn=monitor and cn=config suffixes:

    # allow only rootdn to read the monitor
    access to *
        by dn.exact="cn=CNMonitor User,dc=domain,dc=com" read
        by * none

    # enable monitoring
    database config
    # allow only rootdn to read the monitor
    access to *
        by dn.exact="cn=CNMonitor User,dc=domain,dc=com" read
        by * none
Let me know if this helps!
Regards - Andreas
Hi Andreas!
Your servers should be recognized as openldap.
- Check the Environment page if it says "OpenLDAP".
- Click on one of the servers to open the server view page and you should now see two more buttons.
Yes, that works now. But I still didn't see any replication agreements.
So I dug a bit into the code. I first thought the problem may be that my monitoring user cannot read cn=config, but it can.
I originally used version 2.0.4, but I also checked the current SVN version; it still has the same (and possibly other) problems.
In your function openldap_setBackEndDatabases you are querying for objectclass=olcBdbConfig. That means you will be missing several databases, because you are only asking for BDB databases. In our example, we are using HDB databases. So changing this to objectclass=olcHdbConfig made our replication agreements visible all of a sudden.
But I guess this is not how to do it as there may be many other backend types.
Also in our setup, we are replicating the cn=config database itself. It also isn't recognized because it's neither a BDB nor HDB database.
So maybe you should look for some generic way of doing this here.
Interesting enough, on the query page, you recognize all our backends, including cn=monitor and cn=config. I didn't compare the code, though.
Let me know if you need more information.
The other problem I found (in version 2.0.4):
I made it recognize the two DITs / backends we have. Both of them are replicated. But I can only get replication information for the first one. I was unable to compare this to the latest development version because in the latest development version I cannot make the "Replication" page show up. It's giving me an error message "Database not configured" without any further information on the server overview page. Will worry about that in a next step. Are there any changes in the configuration needed between 2.0.4 and the current SVN version or may the trunk just be broken?
Regards, Torsten
Torsten Schlabach (Tascel eG) wrote:
Hi Andreas!
Your servers should be recognized as openldap.
- Check the Environment page if it says "OpenLDAP".
- Click on one of the servers to open the server view page and you should now see two more buttons.
Yes, that works now. But I still didn't see any replication agreements.
So I dug a bit into the code. I first thought the problem may be that my monitoring user cannot read cn=config, but it can.
I originally used version 2.0.4, but I also checked the current SVN version; it still has the same (and possibly other) problems.
In your function openldap_setBackEndDatabases you are querying for objectclass=olcBdbConfig. That means you will be missing several databases, because you are only asking for BDB databases. In our example, we are using HDB databases. So changing this to objectclass=olcHdbConfig made our replication agreements visible all of a sudden.
But I guess this is not how to do it as there may be many other backend types.
You probably should be searching for olcDatabaseConfig instead, which is the common superclass of all DB types.
On 24 jan 2011, at 18:55, Andreas Andersson wrote:
As always… I appreciate all feedback I can get
This actually looks quite decent: it needs some tinkering if you do not follow the installation guide (I don't want my /etc directory cluttered with software installed by me, for FreeBSD that's /usr/local/etc), but it's nice and easy to use.
Hi!
Thanks. Made a note about the config directory. I've focused on following the FHS: http://www.pathname.com/fhs/ As it is a symlink it should be possible to put the config directory wherever you want (I guess that's what you did).
How about replication verification? Can you confirm that it's working?
Regards - Andreas
On 26 jan 2011, at 19:32, Andreas Andersson wrote:
How about replication verification? Can you confirm that it's working?
No, not yet, but I don't have heavy replication going on. I'll try to force some updates to the DIT.
The only thing I'm struggling with is the screen refresh: somehow I'm not able to keep a setting after switching menus.
One other thing (maybe it's a firefox thing): when I open the configuration screen, and don't actually change nothing, then it's impossible to close that screen again.
But after running a couple of hours I'm very charmed of this tool. Keep up the good work.
On 26 jan 2011, at 19:32, Andreas Andersson wrote:
How about replication verification? Can you confirm that it's working?
Ok, looking at the screenshot you sent in your first email, replication settings don't seem to be recognized in my setup (you have an error below the selected server, showing the server whom is replicated to, but in my setup there's no such arrow, nor another server).
Any ideas?
On 26 jan 2011, at 19:59, Peter Boosten wrote:
On 26 jan 2011, at 19:32, Andreas Andersson wrote:
How about replication verification? Can you confirm that it's working?
Ok, looking at the screenshot you sent in your first email, replication settings don't seem to be recognized in my setup (you have an error below the selected server, showing the server whom is replicated to, but in my setup there's no such arrow, nor another server).
Any ideas?
After some testing there's actually more not working, for instance: the collectsummary.php script doesn't return any values (all 0), but if I try the ldapquery manually, it actually gives non-zero results:

    ra% ldapsearch -x -D "cn=root,dc=boosten,dc=org" -W -b "cn=operations,cn=monitor" -LLL '(cn=modify)' monitorOpCompleted
    Enter LDAP Password:
    dn: cn=Modify,cn=Operations,cn=Monitor
    monitorOpCompleted: 19

and from the cli log:

    0 ) modify - Summary Value: 0
    0 ) modify - Value NOT Stored to db as it is empty
I'm on OpenLDAP 2.4.23, on FreeBSD.
Hi!
I have checked the replication verification a little bit more.
First of all. I'm using 2.4.21 and you need to allow reading to both cn=monitor and cn=config. So using a monitoring user is important here. My slapd.conf configuration:

    # syncrepl Provider for primary db
    overlay syncprov
    syncprov-checkpoint 5 1

    # syncrepl directive
    syncrepl rid=001
        provider=ldap://host2
        bindmethod=simple
        binddn="cn=Manager,dc=domain,dc=com"
        credentials=secret
        searchbase="dc=domain,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"

    mirrormode on

    # enable monitoring
    database monitor
    # allow only rootdn to read the monitor
    access to *
        by dn.exact="cn=CNMonitor User,dc=domain,dc=com" read
        by * none

    # enable monitoring
    database config
    # allow only rootdn to read the monitor
    access to *
        by dn.exact="cn=CNMonitor User,dc=domain,dc=com" read
        by * none

And the replication must update the contextCSN attribute. You can verify this by:

    ldapsearch -x -h <host> -D "<monitoring user>" -W -s base -b "dc=domain,dc=com" contextCSN

In my example the result is:

    dn: dc=domain,dc=com
    contextCSN: 20100823161844.565867Z#000000#000#000000
    contextCSN: 20100825160932.333710Z#000000#001#000000
Hope this helps.
So as long as you can retrieve this information using the same monitoring user as configured in CN=Monitor you should retrieve replication verification info.
Regards - Andreas
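The contextCSN check described in the message above, as an added example that is not part of the original thread and is not CN=Monitor's own code: it parses the ldapsearch output from each server and reports, per server ID, how far a server is behind the newest CSN seen in the environment. The values for 10.0.1.14 are the ones quoted above; the values for 10.0.1.15 and all function names are constructed for illustration.

```python
# Added example (not CN=Monitor code): compare contextCSN across servers.
from datetime import datetime, timezone

# 10.0.1.14 holds the values quoted in the thread; 10.0.1.15 is constructed.
SAMPLE = {
    "10.0.1.14": """dn: dc=domain,dc=com
contextCSN: 20100823161844.565867Z#000000#000#000000
contextCSN: 20100825160932.333710Z#000000#001#000000""",
    "10.0.1.15": """dn: dc=domain,dc=com
contextCSN: 20100823161844.565867Z#000000#000#000000
contextCSN: 20100825160832.333710Z#000000#001#000000""",
}

def parse_csn(csn):
    """Split a CSN 'time#count#sid#mod' into (sid, sortable key)."""
    stamp, count, sid, mod = csn.strip().split("#")
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return int(sid, 16), (when, int(count, 16), int(mod, 16))

def csns_from_ldif(ldif):
    """Return {sid: newest CSN key} from 'ldapsearch ... contextCSN' output."""
    newest = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "contextcsn":
            sid, key = parse_csn(value)
            if sid not in newest or key > newest[sid]:
                newest[sid] = key
    return newest

def replication_lag(per_server):
    """Map server -> {sid: seconds behind the newest CSN seen for that sid}."""
    best = {}
    for csns in per_server.values():
        for sid, key in csns.items():
            if sid not in best or key > best[sid]:
                best[sid] = key
    report = {}
    for server, csns in per_server.items():
        behind = {}
        for sid, top in best.items():
            if sid not in csns:
                behind[sid] = None  # this server has no CSN for that sid at all
            elif csns[sid] < top:
                behind[sid] = (top[0] - csns[sid][0]).total_seconds()
        report[server] = behind  # empty dict means the server is up to date
    return report

if __name__ == "__main__":
    parsed = {server: csns_from_ldif(text) for server, text in SAMPLE.items()}
    for server, behind in replication_lag(parsed).items():
        print(server, "in sync" if not behind else behind)
```

An empty result for a server only means its contextCSN values match the newest ones seen; a server that cannot be read by the monitoring user has to be treated as unknown, not as in sync.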
On 31-1-2011 20:20, Andreas Andersson wrote:
and you need to allow reading to both cn=monitor and cn=config
Andreas,
Giving my monitoring user read access to cn=config indeed did the trick. Thanks.
Peter
openldap-technical@openldap.org