Hello,
I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
For that purpose I will be using a dedicated user such as cn=nagios,ou=users,dc=domain,dc=tld and would like it just to be able to bind to dc=domain,dc=tld and nothing else. Any recommendations?
Thanks ML
Hi,
If it's only bind and nothing else, this user won't be able to read any information concerning the monitor backend.
If you want to really really restrict this user from accessing unneeded data, list what attributes check_ldap needs to read, and allow your user to read only those.
-- Esteban http://gepsit.fr
On Mon, Nov 25, 2013 at 12:20 PM, ML mail mlnospam@yahoo.com wrote:
> Hello,
> I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
> For that purpose I will be using a dedicated user such as cn=nagios,ou=users,dc=domain,dc=tld and would like it just to be able to bind to dc=domain,dc=tld and nothing else. Any recommendations?
> Thanks ML
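An added example, not code from anyone in this thread: one way to write the bind-only ACLs ML asked about as cn=config LDIF, following Esteban's advice to grant only what check_ldap actually reads. Assumptions not given in the thread: the data database is olcDatabase={1}mdb, the monitor backend is olcDatabase={2}monitor, cn=config is writable over ldapi:/// with SASL EXTERNAL, and the rule positions {0}..{2} are placeholders to be fitted into whatever rules are already in place.

```shell
#!/bin/sh
# Added example, not from the thread: least-privilege ACLs for a Nagios
# bind-only user, as cn=config LDIF. Assumed names (not given in the thread):
# data database olcDatabase={1}mdb, monitor database olcDatabase={2}monitor,
# cn=config writable over ldapi:/// with SASL EXTERNAL; the rule positions
# {0}..{2} are placeholders to be fitted into the rules already present.

NAGIOS_DN='cn=nagios,ou=users,dc=domain,dc=tld'
SUFFIX='dc=domain,dc=tld'

# Rule {0}: the usual userPassword rule; a simple bind needs "auth", which
#           never discloses the value. Leave it out if one is already there.
# Rule {1}: check_ldap's default probe is a base-scope search of the suffix
#           with the filter (objectclass=*). Read on the "entry" pseudo-
#           attribute lets the suffix entry be returned, read on objectClass
#           lets the filter be evaluated, and nothing else is granted.
# Rule {2}: deny the monitoring user everything else, so a leaked Nagios
#           password exposes no directory data. "break" sends every other
#           requester on to the rules that follow.
nagios_acl_ldif() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.base="$SUFFIX" attrs=entry,objectClass
  by dn.exact="$NAGIOS_DN" read
  by * none break
olcAccess: {2}to *
  by dn.exact="$NAGIOS_DN" none
  by * none break

EOF
}

# The monitor backend keeps its own ACL list, so reading cn=monitor (the
# queries shown later in the thread) needs a separate rule there.
monitor_acl_ldif() {
    cat <<EOF
dn: olcDatabase={2}monitor,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=monitor"
  by dn.exact="$NAGIOS_DN" read
  by * none break

EOF
}

# Apply both changes as the cn=config root over the local socket.
apply_acls() {
    { nagios_acl_ldif; monitor_acl_ldif; } | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Print the LDIF for review; call apply_acls on the server to load it.
nagios_acl_ldif
monitor_acl_ldif
```

Lines in the heredocs that start with a space are LDIF continuation lines, so each rule is loaded as one olcAccess value. After loading, a bind plus base search as cn=nagios should succeed while a subtree search below the suffix returns nothing; ldapwhoami -x -D "$NAGIOS_DN" -W is the quickest way to confirm the bind still works.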
On Mon, 25 Nov 2013 03:20:55 -0800 (PST), ML mail mlnospam@yahoo.com wrote:
> Hello,
> I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
> For that purpose I will be using a dedicated user such as cn=nagios,ou=users,dc=domain,dc=tld and would like it just to be able to bind to dc=domain,dc=tld and nothing else. Any recommendations?
As far as I remember, this check_ldap file is still LDAPv2, you should probably try http://ltb-project.org/wiki/documentation#monitoring
-Dieter
Thanks for your answers. Btw check_ldap from nagios has a -3 option to enable LDAPv3 queries. The ltb-project.org has very nice nagios plugins, will try them out asap.
ML
On Monday, November 25, 2013 4:07 PM, Dieter Klünter dieter@dkluenter.de wrote:
> On Mon, 25 Nov 2013 03:20:55 -0800 (PST), ML mail mlnospam@yahoo.com wrote:
> > Hello,
> > I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
> > For that purpose I will be using a dedicated user such as cn=nagios,ou=users,dc=domain,dc=tld and would like it just to be able to bind to dc=domain,dc=tld and nothing else. Any recommendations?
> As far as I remember, this check_ldap file is still LDAPv2, you should probably try http://ltb-project.org/wiki/documentation#monitoring
> -Dieter
ML mail wrote:
> I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
It really depends on what you want to check.
Things which come to mind:
1. Performance data from cn=monitor
2. Count entries in your databases with noop-search control (does not scale for many entries)
3. Read syncrepl topology from cn=config to automatically check the connection to the replicas found therein and compare contextCSN values in the DB suffixes.
Ciao, Michael.
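An added example, not Michael's code or anything else from the thread: a POSIX shell check for the third item, comparing a consumer's contextCSN values with the provider's, one comparison per replica ID. The two ldapsearch outputs are constructed samples, written to look like the -LLL output of a base-scope search for contextCSN on the suffix of each server; the replica IDs 001 and 002 and the timestamps are made up.

```shell
#!/bin/sh
# Added example (not from the thread): compare a consumer's contextCSN set
# against the provider's, Nagios-style (exit 0 OK, 1 WARNING, 2 CRITICAL).
# Both samples are constructed, as if captured with
#   ldapsearch -LLL -x -H ldap://<host> -b dc=domain,dc=tld -s base contextCSN
# Replica IDs (SIDs) 001 and 002 and the timestamps are made up.

PROVIDER_OUT='dn: dc=domain,dc=tld
contextCSN: 20131126081500.123456Z#000000#001#000000
contextCSN: 20131126081230.654321Z#000000#002#000000'

CONSUMER_OUT='dn: dc=domain,dc=tld
contextCSN: 20131126081500.123456Z#000000#001#000000
contextCSN: 20131126081100.000000Z#000000#002#000000'

# sids_of <ldif>: the replica IDs present in one server's contextCSN set
sids_of() {
    printf '%s\n' "$1" | awk -F'[ #]' '$1 == "contextCSN:" { print $4 }'
}

# csn_of <ldif> <sid>: the contextCSN value written by replica <sid>
csn_of() {
    printf '%s\n' "$1" | awk -F'[ #]' -v sid="$2" \
        '$1 == "contextCSN:" && $4 == sid { print $2 "#" $3 "#" $4 "#" $5 }'
}

# compare_csn <provider ldif> <consumer ldif>: one status line per SID.
# Returns 2 if the consumer is behind or lacks a SID, 1 if it is ahead
# (should not happen with a single provider), 0 when every CSN matches.
compare_csn() {
    rc=0
    for sid in $(sids_of "$1"); do
        p=$(csn_of "$1" "$sid")
        c=$(csn_of "$2" "$sid")
        if [ -z "$c" ]; then
            echo "sid $sid: MISSING on consumer"
            rc=2
        elif [ "$p" = "$c" ]; then
            echo "sid $sid: OK $c"
        # CSN fields are fixed-width and zero-padded, so a plain string
        # comparison orders them chronologically.
        elif awk -v p="$p" -v c="$c" 'BEGIN { exit !(c < p) }'; then
            echo "sid $sid: BEHIND provider=$p consumer=$c"
            rc=2
        else
            echo "sid $sid: AHEAD provider=$p consumer=$c"
            if [ "$rc" -eq 0 ]; then rc=1; fi
        fi
    done
    return $rc
}

compare_csn "$PROVIDER_OUT" "$CONSUMER_OUT"
```

With the sample data the check reports SID 001 in sync and SID 002 behind, and exits 2. In production the two variables would be filled from ldapsearch against each replica listed in the syncrepl configuration; the comparison itself is deliberately a string comparison, because the CSN layout (UTC timestamp, count, SID, modifier) sorts correctly as text.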
Michael Ströder michael@stroeder.com wrote on 25.11.2013 at 18:18 in message 52938656.3000806@stroeder.com:
> ML mail wrote:
> > I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
> It really depends on what you want to check.
> Things which come to mind:
> - Performance data from cn=monitor
Can you give an example query filter? I wonder since which version cn=monitor has worked reasonably. I have configured it in my "somewhat older" (TM) OpenLDAP server, but never could get anything reasonable out of it.
These things do not appear in the naming contexts intentionally, right?
Regards, Ulrich
> - Count entries in your databases with noop-search control (does not scale for many entries)
> - Read syncrepl topology from cn=config to automatically check the connection to the replicas found therein and compare contextCSN values in the DB suffixes.
> Ciao, Michael.
On Tue, 26 Nov 2013 09:21:51 +0100, "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote:
> Michael Ströder michael@stroeder.com wrote on 25.11.2013 at 18:18 in message 52938656.3000806@stroeder.com:
> > ML mail wrote:
> > > I would like to monitor connectivity to my OpenLDAP using nagios with its check_ldap script and was wondering which minimal ACL would you recommend for that purpose?
> > It really depends on what you want to check.
> > Things which come to mind:
> > - Performance data from cn=monitor
> Can you give an example query filter? I wonder since which version cn=monitor has worked reasonably. I have configured it in my "somewhat older" (TM) OpenLDAP server, but never could get anything reasonable out of it.
> These things do not appear in the naming contexts intentionally, right?
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=backload,cn=threads,cn=monitor -s base "(objectClass=monitoredObject)" monitoredInfo
ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=operations,cn=monitor' -s sub '(objectClass=monitorOperation)' monitorOpCompleted monitorOpInitiated
-Dieter
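An added example, not Dieter's code: a POSIX shell wrapper that turns the output of the second ldapsearch above into a Nagios status line with performance data, so the counters can be graphed and stuck operations alerted on. The sample output is constructed, written as if the command had been run with -LLL by a user allowed to read cn=monitor; the counter values are made up.

```shell
#!/bin/sh
# Added example (not from the thread): turn the per-operation counters under
# cn=operations,cn=monitor into a Nagios status line with performance data.
# The sample is constructed to resemble the -LLL output of
#   ldapsearch -LLL ... -b 'cn=operations,cn=monitor' -s sub \
#       '(objectClass=monitorOperation)' monitorOpCompleted monitorOpInitiated
# run by a user with read access to cn=monitor; the numbers are made up.

MONITOR_OUT='dn: cn=Bind,cn=Operations,cn=Monitor
monitorOpInitiated: 4210
monitorOpCompleted: 4210

dn: cn=Search,cn=Operations,cn=Monitor
monitorOpInitiated: 98307
monitorOpCompleted: 98302

dn: cn=Modify,cn=Operations,cn=Monitor
monitorOpInitiated: 57
monitorOpCompleted: 57'

# perfdata_of <ldif>: one '<op>_completed'=<n>c token per operation type, in
# the order the entries appeared. The trailing "c" marks a counter, so the
# graphing side derives rates from it instead of plotting raw totals.
perfdata_of() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "dn" {
            split($2, rdn, ",")        # rdn[1] is e.g. "cn=Search"
            sub(/^cn=/, "", rdn[1])
            op = tolower(rdn[1])
            order[++n] = op
        }
        $1 == "monitorOpCompleted" { done[op] = $2 }
        END {
            for (i = 1; i <= n; i++)
                printf "%s\047%s_completed\047=%sc", (i > 1 ? " " : ""), order[i], done[order[i]]
            printf "\n"
        }'
}

# pending_of <ldif>: operations initiated but not yet completed, summed over
# all types; a growing value points at stuck or very slow requests.
pending_of() {
    printf '%s\n' "$1" | awk -F': ' '
        $1 == "monitorOpInitiated" { sum += $2 }
        $1 == "monitorOpCompleted" { sum -= $2 }
        END { print sum + 0 }'
}

# check_ops <ldif> <warn> <crit>: Nagios status line on stdout, exit code
# 0/1/2 for OK/WARNING/CRITICAL based on the pending-operation count.
check_ops() {
    pending=$(pending_of "$1")
    perf=$(perfdata_of "$1")
    if [ "$pending" -ge "$3" ]; then
        echo "CRITICAL - $pending operations pending | $perf"; return 2
    elif [ "$pending" -ge "$2" ]; then
        echo "WARNING - $pending operations pending | $perf"; return 1
    fi
    echo "OK - $pending operations pending | $perf"; return 0
}

check_ops "$MONITOR_OUT" 10 50
```

In a real plugin the MONITOR_OUT variable would be filled by running the ldapsearch as the monitoring user, which needs a read rule on cn=monitor in the monitor database's own ACL list; the thresholds are the usual -w/-c arguments of a Nagios check.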
--On November 26, 2013 at 9:21:51 AM +0100 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
> Can you give an example query filter? I wonder since what version cn=monitor works reasonably. I have configured it in my "somewhat older" (TM) openLDAP server, but never could get anything reasonable out of it.
It has worked well since at least OpenLDAP 2.3.
--Quanah
openldap-technical@openldap.org