OpenLDAP

Docs > Integrations > OpenLDAP

Supported OS Linux Mac OS Windows

Integration version1.12.0

Overview

Use the OpenLDAP integration to get metrics from the cn=Monitor backend of your OpenLDAP servers.

Setup

Installation

The OpenLDAP integration is packaged with the Agent. To start gathering your OpenLDAP metrics:

Have the cn=Monitor backend configured on your OpenLDAP servers.
Install the Agent on your OpenLDAP servers.

Configuration

Prepare OpenLDAP

If the cn=Monitor backend is not configured on your server, follow these steps:

Check if monitoring is enabled on your installation:
```
 sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
```
If you see a line with olcModuleLoad: back_monitor.la, monitoring is already enabled, go to step 3.

Enable monitoring on your server:

    cat <<EOF | sudo ldapmodify -Y EXTERNAL -H ldapi:///
    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: back_monitor.la
    EOF

Create an encrypted password with slappasswd.

Add a new user:

    cat <<EOF | ldapadd -H ldapi:/// -D <YOUR BIND DN HERE> -w <YOUR PASSWORD HERE>
    dn: <USER_DISTINGUISHED_NAME>
    objectClass: simpleSecurityObject
    objectClass: organizationalRole
    cn: <COMMON_NAME_OF_THE_NEW_USER>
    description: LDAP monitor
    userPassword:<PASSWORD>
    EOF

Configure the monitor database:

    cat <<EOF | sudo ldapadd -Y EXTERNAL -H ldapi:///
    dn: olcDatabase=Monitor,cn=config
    objectClass: olcDatabaseConfig
    objectClass: olcMonitorConfig
    olcDatabase: Monitor
    olcAccess: to dn.subtree='cn=Monitor' by dn.base='<USER_DISTINGUISHED_NAME>' read by * none
    EOF

Configure the OpenLDAP integration

Host

To configure this check for an Agent running on a host:

Metric collection

Edit your openldap.d/conf.yaml in the conf.d folder at the root of your Agent’s configuration directory. See the sample openldap.d/conf.yaml for all available configuration options.

init_config:

instances:
  ## @param url - string - required
  ## Full URL of your ldap server. Use `ldaps` or `ldap` as the scheme to
  ## use TLS or not, or `ldapi` to connect to a UNIX socket.
  #
  - url: ldaps://localhost:636

    ## @param username - string - optional
    ## The DN of the user that can read the monitor database.
    #
    username: "<USER_DISTINGUISHED_NAME>"

    ## @param password - string - optional
    ## Password associated with `username`
    #
    password: "<PASSWORD>"

Restart the Agent.

Log collection

Available for Agent versions >6.0

Collecting logs is disabled by default in the Datadog Agent. Enable it in your datadog.yaml file:
```
logs_enabled: true
```
Add this configuration block to your openldap.d/conf.yaml file to start collecting your OpenLDAP logs:
```
logs:
  - type: file
    path: /var/log/slapd.log
    source: openldap
    service: "<SERVICE_NAME>"
```
Change the path and service parameter values and configure them for your environment. See the sample openldap.d/conf.yaml for all available configuration options.
Restart the Agent.

Containerized

Metric collection

For containerized environments, see the Autodiscovery Integration Templates for guidance on applying the parameters below.

Parameter	Value
`<INTEGRATION_NAME>`	`openldap`
`<INIT_CONFIG>`	blank or `{}`
`<INSTANCE_CONFIG>`	`{"url":"ldaps://%%host%%:636","username":"<USER_DISTINGUISHED_NAME>","password":"<PASSWORD>"}`

Log collection

Available for Agent versions >6.0

Collecting logs is disabled by default in the Datadog Agent. To enable it, see Kubernetes Log Collection.

Parameter	Value
`<LOG_CONFIG>`	`{"source": "openldap", "service": "<SERVICE_NAME>"}`

Validation

Run the Agent’s status subcommand and look for openldap under the Checks section.

Compatibility

The check is compatible with all major platforms.

Data Collected

Metrics

openldap.bind_time (gauge)	Time it takes the check to bind to the OpenLDAP server Shown as second
openldap.connections.current (gauge)	Current number of active connections Shown as connection
openldap.connections.max_file_descriptors (gauge)	Maximum number of file descriptors Shown as file
openldap.connections.total (count)	Total number of connections since the server started Shown as connection
openldap.operations.completed (count)	Number of operations completed by the server tagged by operation type Shown as operation
openldap.operations.completed.total (count)	Total number of operations completed by the server Shown as operation
openldap.operations.initiated (count)	Number of operations initiated by the server tagged by operation type Shown as operation
openldap.operations.initiated.total (count)	Total number of operations initiated by the server Shown as operation
openldap.query.duration (gauge)	Time it takes to execute the query Shown as second
openldap.query.entries (gauge)	Number of entries returned by the query Shown as entry
openldap.statistics.bytes (count)	Number of bytes sent by the server Shown as byte
openldap.statistics.entries (count)	Number of entries sent by the server Shown as entry
openldap.statistics.pdu (count)	Number of PDU packets sent by the server Shown as packet
openldap.statistics.referrals (count)	Number of referrals sent by the server Shown as message
openldap.threads (gauge)	Number of threads started by the server tagged by state Shown as thread
openldap.threads.max (gauge)	Maximum number of threads as configured Shown as thread
openldap.threads.max_pending (gauge)	Maximum number of pending threads Shown as thread
openldap.uptime (gauge)	Uptime of the server Shown as second
openldap.waiter.read (gauge)	Number of current read waiters Shown as worker
openldap.waiter.write (gauge)	Number of current writer waiters Shown as worker

Events

The openldap check does not include any events.

Service Checks

openldap.can_connect
Returns CRITICAL if the integration cannot bind to the monitored OpenLDAP server, OK otherwise.
Statuses: ok, critical

Troubleshooting

Need help? Contact Datadog support.