Overview
Use the OpenLDAP integration to get metrics from the cn=Monitor backend of your OpenLDAP servers.
Setup
Installation
The OpenLDAP integration is packaged with the Agent. To start gathering your OpenLDAP metrics:
- Have the cn=Monitor backend configured on your OpenLDAP servers.
- Install the Agent on your OpenLDAP servers.
Configuration
Prepare OpenLDAP
If the cn=Monitor backend is not configured on your server, follow these steps:
1. Check if monitoring is enabled on your installation:
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
If you see a line with olcModuleLoad: back_monitor.la, monitoring is already enabled; go to step 3.
2. Enable monitoring on your server:
cat <<EOF | sudo ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor.la
EOF
3. Create an encrypted password with slappasswd.
4. Add a new user:
cat <<EOF | ldapadd -H ldapi:/// -D <YOUR BIND DN HERE> -w <YOUR PASSWORD HERE>
dn: <USER_DISTINGUISHED_NAME>
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: <COMMON_NAME_OF_THE_NEW_USER>
description: LDAP monitor
userPassword:<PASSWORD>
EOF
5. Configure the monitor database:
cat <<EOF | sudo ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase=Monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: Monitor
olcAccess: to dn.subtree='cn=Monitor' by dn.base='<USER_DISTINGUISHED_NAME>' read by * none
EOF
Host
To configure this check for an Agent running on a host:
Metric collection
Edit your openldap.d/conf.yaml in the conf.d folder at the root of your Agent’s configuration directory. See the sample openldap.d/conf.yaml for all available configuration options.
init_config:

instances:
    ## @param url - string - required
    ## Full URL of your ldap server. Use `ldaps` or `ldap` as the scheme to
    ## use TLS or not, or `ldapi` to connect to a UNIX socket.
    #
  - url: ldaps://localhost:636
    ## @param username - string - optional
    ## The DN of the user that can read the monitor database.
    #
    username: "<USER_DISTINGUISHED_NAME>"
    ## @param password - string - optional
    ## Password associated with `username`
    #
    password: "<PASSWORD>"
Restart the Agent.
Log collection
Available for Agent versions >6.0
Collecting logs is disabled by default in the Datadog Agent. Enable it in your datadog.yaml file:
Add this configuration block to your openldap.d/conf.yaml file to start collecting your OpenLDAP logs:
logs:
  - type: file
    path: /var/log/slapd.log
    source: openldap
    service: "<SERVICE_NAME>"
Change the path and service parameter values and configure them for your environment. See the sample openldap.d/conf.yaml for all available configuration options.
Restart the Agent.
Containerized
Metric collection
For containerized environments, see the Autodiscovery Integration Templates for guidance on applying the parameters below.
Parameter | Value |
---|---|
<INTEGRATION_NAME> | openldap |
<INIT_CONFIG> | blank or {} |
<INSTANCE_CONFIG> | {"url":"ldaps://%%host%%:636","username":"<USER_DISTINGUISHED_NAME>","password":"<PASSWORD>"} |
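
A static check of the two security-relevant settings configured above, the olcAccess rule on cn=Monitor and the url scheme of the instance, as an added example (not Datadog's or OpenLDAP's code). The DNs, host names and password are constructed placeholders, and the ACL parser assumes the single-line `to ... by ...` form used on this page.

```python
import json
import re

LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}
BROAD_WHO = {"*", "anonymous", "users"}   # slapd.access(5) <who> keywords

def audit_instance(instance_json):
    """Findings for one Autodiscovery <INSTANCE_CONFIG> JSON string."""
    inst = json.loads(instance_json)
    scheme, _, rest = inst.get("url", "").partition("://")
    authority = rest.split("/", 1)[0]
    # Drop the port; keep a bracketed IPv6 literal intact.
    host = authority.split("]")[0] + "]" if authority.startswith("[") else authority.split(":")[0]
    findings = []
    if scheme not in ("ldap", "ldaps", "ldapi"):
        findings.append(f"unsupported scheme {scheme!r}")
    elif scheme == "ldap" and inst.get("password") and host.lower() not in LOOPBACK:
        findings.append(f"password bind to {host} over ldap:// is sent without TLS")
    return findings

def audit_acl(olc_access):
    """Findings for the olcAccess value that guards cn=Monitor."""
    rule = re.sub(r"^\{\d+\}", "", olc_access.strip())   # drop {n} ordering prefix
    what, *clauses = re.split(r"\s+by\s+", rule)
    findings = []
    if "cn=monitor" not in what.lower():
        findings.append("rule does not target cn=Monitor")
    for clause in clauses:
        tokens = clause.split()
        if tokens[-1] in ("stop", "continue", "break"):   # optional control keyword
            tokens.pop()
        who, level = " ".join(tokens[:-1]), tokens[-1]
        if who in BROAD_WHO and level != "none":
            findings.append(f"'{who}' is granted '{level}' on the monitor tree")
    return findings

# Constructed sample inputs (placeholder DNs and hosts, not from a real deployment).
GOOD = '{"url":"ldaps://%%host%%:636","username":"cn=monitor,dc=example,dc=org","password":"s3cret"}'
WEAK = '{"url":"ldap://ldap.example.org:389","username":"cn=monitor,dc=example,dc=org","password":"s3cret"}'
PAGE_ACL = "to dn.subtree='cn=Monitor' by dn.base='cn=monitor,dc=example,dc=org' read by * none"
OPEN_ACL = "{0}to dn.subtree='cn=Monitor' by users read"

if __name__ == "__main__":
    for name, result in [("GOOD", audit_instance(GOOD)), ("WEAK", audit_instance(WEAK)),
                         ("PAGE_ACL", audit_acl(PAGE_ACL)), ("OPEN_ACL", audit_acl(OPEN_ACL))]:
        print(name, result or "ok")
```
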
Log collection
Available for Agent versions >6.0
Collecting logs is disabled by default in the Datadog Agent. To enable it, see Kubernetes Log Collection.
Parameter | Value |
---|---|
<LOG_CONFIG> | {"source": "openldap", "service": "<SERVICE_NAME>"} |
Validation
Run the Agent’s status subcommand and look for openldap under the Checks section.
Compatibility
The check is compatible with all major platforms.
Data Collected
Metrics
Metric | Description |
---|---|
openldap.bind_time (gauge) | Time it takes the check to bind to the OpenLDAP server. Shown as second. |
openldap.connections.current (gauge) | Current number of active connections. Shown as connection. |
openldap.connections.max_file_descriptors (gauge) | Maximum number of file descriptors. Shown as file. |
openldap.connections.total (count) | Total number of connections since the server started. Shown as connection. |
openldap.operations.completed (count) | Number of operations completed by the server, tagged by operation type. Shown as operation. |
openldap.operations.completed.total (count) | Total number of operations completed by the server. Shown as operation. |
openldap.operations.initiated (count) | Number of operations initiated by the server, tagged by operation type. Shown as operation. |
openldap.operations.initiated.total (count) | Total number of operations initiated by the server. Shown as operation. |
openldap.query.duration (gauge) | Time it takes to execute the query. Shown as second. |
openldap.query.entries (gauge) | Number of entries returned by the query. Shown as entry. |
openldap.statistics.bytes (count) | Number of bytes sent by the server. Shown as byte. |
openldap.statistics.entries (count) | Number of entries sent by the server. Shown as entry. |
openldap.statistics.pdu (count) | Number of PDU packets sent by the server. Shown as packet. |
openldap.statistics.referrals (count) | Number of referrals sent by the server. Shown as message. |
openldap.threads (gauge) | Number of threads started by the server, tagged by state. Shown as thread. |
openldap.threads.max (gauge) | Maximum number of threads as configured. Shown as thread. |
openldap.threads.max_pending (gauge) | Maximum number of pending threads. Shown as thread. |
openldap.uptime (gauge) | Uptime of the server. Shown as second. |
openldap.waiter.read (gauge) | Number of current read waiters. Shown as worker. |
openldap.waiter.write (gauge) | Number of current writer waiters. Shown as worker. |
Events
The openldap check does not include any events.
Service Checks
openldap.can_connect
Returns CRITICAL if the integration cannot bind to the monitored OpenLDAP server, OK otherwise.
Statuses: ok, critical
Troubleshooting
Need help? Contact Datadog support.