---
title: OpenLDAP
description: Collect metrics from your OpenLDAP server using the cn=monitor backend
---

# OpenLDAP

**Integration version:** 3.3.0

## Overview{% #overview %}

Use the OpenLDAP integration to get metrics from the `cn=Monitor` backend of your OpenLDAP servers.

**Minimum Agent version:** 6.5.0

## Setup{% #setup %}

### Installation{% #installation %}

The OpenLDAP integration is packaged with the Agent. To start gathering your OpenLDAP metrics:

1. Have the `cn=Monitor` backend configured on your OpenLDAP servers.
1. [Install the Agent](https://app.datadoghq.com/account/settings/agent/latest) on your OpenLDAP servers.

### Configuration{% #configuration %}

#### Prepare OpenLDAP{% #prepare-openldap %}

The user created in these steps is granted read-only access to the monitor backend. As a best practice, Datadog recommends this read-only setup to limit the permissions granted to the Datadog Agent.

If the `cn=Monitor` backend is not configured on your server, follow these steps:

1. Check if monitoring is enabled on your installation:

   ```shell
   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
   ```

   If you see a line with `olcModuleLoad: back_monitor.la`, monitoring is already enabled; go to step 3.

1. Enable monitoring on your server:

   ```shell
   cat <<EOF | sudo ldapmodify -Y EXTERNAL -H ldapi:///
   dn: cn=module{0},cn=config
   changetype: modify
   add: olcModuleLoad
   olcModuleLoad: back_monitor.la
   EOF
   ```

1. Create an encrypted password with `slappasswd`.

1. Add a new user:

   ```shell
   # Quote the placeholders so the shell does not treat < and > as redirections.
   cat <<EOF | ldapadd -H ldapi:/// -D "<YOUR BIND DN HERE>" -w "<YOUR PASSWORD HERE>"
   dn: <USER_DISTINGUISHED_NAME>
   objectClass: simpleSecurityObject
   objectClass: organizationalRole
   cn: <COMMON_NAME_OF_THE_NEW_USER>
   description: LDAP monitor
   userPassword: <PASSWORD>
   EOF
   ```

1. Configure the monitor database:

   ```shell
   cat <<EOF | sudo ldapadd -Y EXTERNAL -H ldapi:///
   dn: olcDatabase=Monitor,cn=config
   objectClass: olcDatabaseConfig
   objectClass: olcMonitorConfig
   olcDatabase: Monitor
   olcAccess: to dn.subtree='cn=Monitor' by dn.base='<USER_DISTINGUISHED_NAME>' read by * none
   EOF
   ```
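
To confirm that the access rule from the last step behaves as intended, the following added example (not part of the Datadog documentation) binds as the monitor user and then anonymously, and compares what each identity can see under `cn=Monitor`. The function names and the `LDAP_URI`, `MONITOR_DN` and `MONITOR_PW_FILE` variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the read-only ACL on cn=Monitor.
# LDAP_URI, MONITOR_DN and MONITOR_PW_FILE are hypothetical variable names.
# The password file must contain the cleartext password with no trailing
# newline, because ldapsearch -y uses the complete file contents.

# Print how many entries under cn=Monitor are visible to an identity.
# Usage: monitor_entries URI [ldapsearch bind options...]
monitor_entries() {
    uri=$1; shift
    # "1.1" requests no attributes, so only "dn:" lines are returned.
    # A refused search exits non-zero and is counted as zero entries.
    out=$(ldapsearch -x -LLL -H "$uri" "$@" -b cn=Monitor -s sub 1.1 2>/dev/null) || true
    printf '%s\n' "$out" | grep -c '^dn:' || true
}

# Return 0 when only the monitor user can read cn=Monitor,
# 1 when the monitor user cannot read it, 2 when anonymous binds can.
check_monitor_acl() {
    uri=$1 dn=$2 pwfile=$3
    # The authenticated search runs first: a non-zero count also proves the
    # server is reachable, so a zero anonymous count is a real denial.
    authed=$(monitor_entries "$uri" -D "$dn" -y "$pwfile")
    anon=$(monitor_entries "$uri")
    if [ "$authed" -eq 0 ]; then
        echo "FAIL: $dn cannot read cn=Monitor (credentials, ACL or connectivity)"
        return 1
    fi
    if [ "$anon" -ne 0 ]; then
        echo "FAIL: anonymous bind can read $anon entries under cn=Monitor"
        return 2
    fi
    echo "OK: $dn reads $authed entries under cn=Monitor; anonymous reads none"
}

# Runs only when the (hypothetical) variables are set, for example:
#   LDAP_URI=ldapi:/// MONITOR_DN='<USER_DISTINGUISHED_NAME>' \
#   MONITOR_PW_FILE=/path/to/pwfile sh check_monitor_acl.sh
if [ -n "${LDAP_URI:-}" ]; then
    check_monitor_acl "$LDAP_URI" "$MONITOR_DN" "$MONITOR_PW_FILE"
fi
```

A return code of 2 means the `by * none` clause is missing or shadowed by an earlier, broader `olcAccess` rule.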

#### Configure the OpenLDAP integration{% #configure-the-openldap-integration %}

{% tab title="Host" %}
#### Host{% #host %}

To configure this check for an Agent running on a host:

###### Metric collection{% #metric-collection %}

1. Edit your `openldap.d/conf.yaml` in the `conf.d` folder at the root of your Agent's configuration directory. See the [sample openldap.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/openldap/datadog_checks/openldap/data/conf.yaml.example) for all available configuration options.

   ```yaml
   init_config:
   
   instances:
     ## @param url - string - required
     ## Full URL of your ldap server. Use `ldaps` or `ldap` as the scheme to
     ## use TLS or not, or `ldapi` to connect to a UNIX socket.
     #
     - url: ldaps://localhost:636
   
       ## @param username - string - optional
       ## The DN of the user that can read the monitor database.
       #
       username: "<USER_DISTINGUISHED_NAME>"
   
       ## @param password - string - optional
       ## Password associated with `username`
       #
       password: "<PASSWORD>"
   ```

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

###### Log collection{% #log-collection %}

*Available for Agent versions >6.0*

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in your `datadog.yaml` file:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `openldap.d/conf.yaml` file to start collecting your OpenLDAP logs:

   ```yaml
   logs:
     - type: file
       path: /var/log/slapd.log
       source: openldap
       service: "<SERVICE_NAME>"
   ```

   Change the `path` and `service` parameter values to match your environment. See the [sample openldap.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/openldap/datadog_checks/openldap/data/conf.yaml.example) for all available configuration options.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent).

{% /tab %}

{% tab title="Containerized" %}
#### Containerized{% #containerized %}

###### Metric collection{% #metric-collection %}

For containerized environments, see the [Autodiscovery Integration Templates](https://docs.datadoghq.com/agent/kubernetes/integrations/) for guidance on applying the parameters below.

| Parameter            | Value                                                                                           |
| -------------------- | ----------------------------------------------------------------------------------------------- |
| `<INTEGRATION_NAME>` | `openldap`                                                                                      |
| `<INIT_CONFIG>`      | blank or `{}`                                                                                   |
| `<INSTANCE_CONFIG>`  | `{"url":"ldaps://%%host%%:636","username":"<USER_DISTINGUISHED_NAME>","password":"<PASSWORD>"}` |

###### Log collection{% #log-collection %}

*Available for Agent versions >6.0*

Collecting logs is disabled by default in the Datadog Agent. To enable it, see [Kubernetes Log Collection](https://docs.datadoghq.com/agent/kubernetes/log/).

| Parameter      | Value                                                 |
| -------------- | ----------------------------------------------------- |
| `<LOG_CONFIG>` | `{"source": "openldap", "service": "<SERVICE_NAME>"}` |

{% /tab %}

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information) and look for `openldap` under the Checks section.

## Compatibility{% #compatibility %}

The check is compatible with all major platforms.

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

| Metric | Description |
| ------ | ----------- |
| **openldap.bind\_time** (gauge) | Time it takes the check to bind to the OpenLDAP server. *Shown as second* |
| **openldap.connections.current** (gauge) | Current number of active connections. *Shown as connection* |
| **openldap.connections.max\_file\_descriptors** (gauge) | Maximum number of file descriptors. *Shown as file* |
| **openldap.connections.total** (count) | Total number of connections since the server started. *Shown as connection* |
| **openldap.operations.completed** (count) | Number of operations completed by the server tagged by operation type. *Shown as operation* |
| **openldap.operations.completed.total** (count) | Total number of operations completed by the server. *Shown as operation* |
| **openldap.operations.initiated** (count) | Number of operations initiated by the server tagged by operation type. *Shown as operation* |
| **openldap.operations.initiated.total** (count) | Total number of operations initiated by the server. *Shown as operation* |
| **openldap.query.duration** (gauge) | Time it takes to execute the query. *Shown as second* |
| **openldap.query.entries** (gauge) | Number of entries returned by the query. *Shown as entry* |
| **openldap.statistics.bytes** (count) | Number of bytes sent by the server. *Shown as byte* |
| **openldap.statistics.entries** (count) | Number of entries sent by the server. *Shown as entry* |
| **openldap.statistics.pdu** (count) | Number of PDU packets sent by the server. *Shown as packet* |
| **openldap.statistics.referrals** (count) | Number of referrals sent by the server. *Shown as message* |
| **openldap.threads** (gauge) | Number of threads started by the server tagged by state. *Shown as thread* |
| **openldap.threads.max** (gauge) | Maximum number of threads as configured. *Shown as thread* |
| **openldap.threads.max\_pending** (gauge) | Maximum number of pending threads. *Shown as thread* |
| **openldap.uptime** (gauge) | Uptime of the server. *Shown as second* |
| **openldap.waiter.read** (gauge) | Number of current read waiters. *Shown as worker* |
| **openldap.waiter.write** (gauge) | Number of current writer waiters. *Shown as worker* |

### Events{% #events %}

The openldap check does not include any events.

### Service Checks{% #service-checks %}

**openldap.can\_connect**

Returns `CRITICAL` if the integration cannot bind to the monitored OpenLDAP server, `OK` otherwise.

*Statuses: ok, critical*

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
