OpenLDAP

Supported OS: Linux, Mac OS, Windows

Integration version 2.0.0

Overview

Use the OpenLDAP integration to get metrics from the cn=Monitor backend of your OpenLDAP servers.

Setup

Installation

The OpenLDAP integration is packaged with the Agent. To start gathering your OpenLDAP metrics:

  1. Have the cn=Monitor backend configured on your OpenLDAP servers.
  2. Install the Agent on your OpenLDAP servers.

Configuration

Prepare OpenLDAP

If the cn=Monitor backend is not configured on your server, follow these steps:

  1. Check if monitoring is enabled on your installation:

        sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config

     If you see a line with olcModuleLoad: back_monitor.la, monitoring is already enabled; go to step 3.

  2. Enable monitoring on your server:

        cat <<EOF | sudo ldapmodify -Y EXTERNAL -H ldapi:///
        dn: cn=module{0},cn=config
        changetype: modify
        add: olcModuleLoad
        olcModuleLoad: back_monitor.la
        EOF
    
  3. Create an encrypted password with slappasswd, for use as the userPassword value in the next step.

  4. Add a new user:

        cat <<EOF | ldapadd -H ldapi:/// -D "<YOUR BIND DN HERE>" -w "<YOUR PASSWORD HERE>"
        dn: <USER_DISTINGUISHED_NAME>
        objectClass: simpleSecurityObject
        objectClass: organizationalRole
        cn: <COMMON_NAME_OF_THE_NEW_USER>
        description: LDAP monitor
        userPassword: <PASSWORD>
        EOF
    
  5. Configure the monitor database:

        cat <<EOF | sudo ldapadd -Y EXTERNAL -H ldapi:///
        dn: olcDatabase=Monitor,cn=config
        objectClass: olcDatabaseConfig
        objectClass: olcMonitorConfig
        olcDatabase: Monitor
        olcAccess: to dn.subtree='cn=Monitor' by dn.base='<USER_DISTINGUISHED_NAME>' read by * none
        EOF
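
A check on the access rule from step 5, as an added example that is not part of the Datadog documentation: audit_monitor_acl (a hypothetical name) reads LDIF and flags olcAccess rules that open cn=Monitor to *, anonymous or users, or that grant write or manage. The DN cn=datadog,dc=example,dc=com and the sample LDIF are constructed.

```shell
#!/bin/sh
# Added example, not from the integration docs. Reads LDIF on stdin, prints one
# finding per risky olcAccess rule covering cn=Monitor, returns 1 if any.
audit_monitor_acl() {
  awk '
    function finding(msg) { print msg; bad = 1 }
    function check(line,    rule, n, parts, i, f, c) {
      if (tolower(line) ~ /^dn:/) {   # remember whether this entry is the monitor database
        indb = (tolower(line) ~ /olcdatabase=([{][0-9]+[}])?monitor,/); return
      }
      if (tolower(line) !~ /^olcaccess:/) return
      # "olcAccess::" is a base64 value; fail closed instead of skipping it
      if (line ~ /^[^:]*::/) { finding("REVIEW (base64, decode manually): " line); return }
      rule = line
      sub(/^[^:]*:[ ]*([{][0-9]+[}])?/, "", rule)   # drop attribute name and {N} ordering prefix
      n = split(rule, parts, /[ \t]+by[ \t]+/)      # parts[1] is the "to ..." target
      # outside the monitor database, only rules that target cn=Monitor matter
      if (!indb && (tolower(parts[1]) " ") !~ /cn=monitor[^,a-z0-9]/) return
      for (i = 2; i <= n; i++) {
        split(parts[i], f, " "); c = " " parts[i] " "
        if ((f[1] == "*" || f[1] == "anonymous" || f[1] == "users") && c !~ / none /)
          finding("BROAD: by " parts[i])
        else if (c ~ / (write|manage) /)
          finding("EXCESS: by " parts[i])
      }
    }
    # LDIF folding: a line starting with one space continues the previous line
    /^ / { buf = buf substr($0, 2); next }
         { if (buf != "") check(buf); buf = $0 }
    END  { if (buf != "") check(buf); exit bad + 0 }
  '
}

# Constructed sample: a monitor database whose rule is looser than the one in step 5
sample_ldif() {
cat <<'EOF'
dn: olcDatabase={2}Monitor,cn=config
olcAccess: {0}to dn.subtree="cn=Monitor" by dn.base="cn=datadog,dc=example,d
 c=com" write by users read by * none
EOF
}

sample_ldif | audit_monitor_acl || true
```

To audit a live server, pipe the output of sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess into audit_monitor_acl; a non-zero exit status means at least one rule needs review.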
    

Configure the OpenLDAP integration

Host

To configure this check for an Agent running on a host:

Metric collection

  1. Edit your openldap.d/conf.yaml in the conf.d folder at the root of your Agent’s configuration directory. See the sample openldap.d/conf.yaml for all available configuration options.

    init_config:
    
    instances:
      ## @param url - string - required
      ## Full URL of your ldap server. Use `ldaps` or `ldap` as the scheme to
      ## use TLS or not, or `ldapi` to connect to a UNIX socket.
      #
      - url: ldaps://localhost:636
    
        ## @param username - string - optional
        ## The DN of the user that can read the monitor database.
        #
        username: "<USER_DISTINGUISHED_NAME>"
    
        ## @param password - string - optional
        ## Password associated with `username`
        #
        password: "<PASSWORD>"
    
  2. Restart the Agent.

Log collection

Available for Agent versions >6.0

  1. Collecting logs is disabled by default in the Datadog Agent. Enable it in your datadog.yaml file:

    logs_enabled: true
    
  2. Add this configuration block to your openldap.d/conf.yaml file to start collecting your OpenLDAP logs:

    logs:
      - type: file
        path: /var/log/slapd.log
        source: openldap
        service: "<SERVICE_NAME>"
    

    Change the path and service parameter values and configure them for your environment. See the sample openldap.d/conf.yaml for all available configuration options.

  3. Restart the Agent.

Containerized

Metric collection

For containerized environments, see the Autodiscovery Integration Templates for guidance on applying the parameters below.

Parameter            Value
<INTEGRATION_NAME>   openldap
<INIT_CONFIG>        blank or {}
<INSTANCE_CONFIG>    {"url":"ldaps://%%host%%:636","username":"<USER_DISTINGUISHED_NAME>","password":"<PASSWORD>"}

Log collection

Available for Agent versions >6.0

Collecting logs is disabled by default in the Datadog Agent. To enable it, see Kubernetes Log Collection.

Parameter      Value
<LOG_CONFIG>   {"source": "openldap", "service": "<SERVICE_NAME>"}

Validation

Run the Agent’s status subcommand and look for openldap under the Checks section.

Compatibility

The check is compatible with all major platforms.

Data Collected

Metrics

openldap.bind_time (gauge)
Time it takes the check to bind to the OpenLDAP server. Shown as second.

openldap.connections.current (gauge)
Current number of active connections. Shown as connection.

openldap.connections.max_file_descriptors (gauge)
Maximum number of file descriptors. Shown as file.

openldap.connections.total (count)
Total number of connections since the server started. Shown as connection.

openldap.operations.completed (count)
Number of operations completed by the server tagged by operation type. Shown as operation.

openldap.operations.completed.total (count)
Total number of operations completed by the server. Shown as operation.

openldap.operations.initiated (count)
Number of operations initiated by the server tagged by operation type. Shown as operation.

openldap.operations.initiated.total (count)
Total number of operations initiated by the server. Shown as operation.

openldap.query.duration (gauge)
Time it takes to execute the query. Shown as second.

openldap.query.entries (gauge)
Number of entries returned by the query. Shown as entry.

openldap.statistics.bytes (count)
Number of bytes sent by the server. Shown as byte.

openldap.statistics.entries (count)
Number of entries sent by the server. Shown as entry.

openldap.statistics.pdu (count)
Number of PDU packets sent by the server. Shown as packet.

openldap.statistics.referrals (count)
Number of referrals sent by the server. Shown as message.

openldap.threads (gauge)
Number of threads started by the server tagged by state. Shown as thread.

openldap.threads.max (gauge)
Maximum number of threads as configured. Shown as thread.

openldap.threads.max_pending (gauge)
Maximum number of pending threads. Shown as thread.

openldap.uptime (gauge)
Uptime of the server. Shown as second.

openldap.waiter.read (gauge)
Number of current read waiters. Shown as worker.

openldap.waiter.write (gauge)
Number of current writer waiters. Shown as worker.

Events

The openldap check does not include any events.

Service Checks

openldap.can_connect
Returns CRITICAL if the integration cannot bind to the monitored OpenLDAP server, OK otherwise.
Statuses: ok, critical

Troubleshooting

Need help? Contact Datadog support.