Symas OpenLDAP Knowledge Base

Monitoring OpenLDAP

OpenLDAP maintains a cn=monitor database with statistics about the operation of the server. Each instance maintains its own cn=monitor database. These cn=monitor databases are easy to query using the LDAP protocol.

The Telegraf and Grafana tools are able to query the cn=monitor data and organize it for presentation. They can also send alerts when system or OpenLDAP conditions warrant immediate attention.


Nagios is an older Open Source Software package than Telegraf/Grafana. Many installations use Nagios and it works well for what it can do. However, it is limited compared to the newer software.

Monitoring a service is one of the more important parts of keeping it running reliably; Nagios is one of the leading open source (with commercial support) options for extensible monitoring of networks, hosts, and services. OpenLDAP has a variety of monitorable features that can help with proactive diagnosis of trouble.

There are several OpenLDAP monitoring scripts for Nagios in the wild, but last time we checked they did not cover important cases like multi-master replication. Symas has plans to develop example monitoring tools for Nagios to be bundled with our product.


The Nagios Manual is online.

Features that should be monitored as a Nagios service

  • Server listening - RootDSE query
  • Database available - Suffix query/queries of content DBs
  • Replication current - Analysis of contextCSN state between servers
  • Monitor health - Connection count, etc.
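
The "Replication current" check above, sketched as an added example (not Symas or Nagios project code): it compares the contextCSN values read from the suffix entry of two servers, per server ID, and maps the worst lag to a Nagios exit code. The sample CSN values, the 5 s / 60 s thresholds, and treating a server ID missing on one side as CRITICAL are assumptions.

```python
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

def parse_csn(csn):
    """Split a contextCSN 'time#count#sid#mod' into (sid, datetime)."""
    stamp, _count, sid, _mod = csn.split("#")
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)
    return int(sid, 16), when

def newest_per_sid(csns):
    """Map each server ID to the newest timestamp seen for it."""
    newest = {}
    for csn in csns:
        sid, when = parse_csn(csn)
        if sid not in newest or when > newest[sid]:
            newest[sid] = when
    return newest

def check_replication(reference, peer, warn=5.0, crit=60.0):
    """Compare two servers' contextCSN sets; return (exit_code, message)."""
    ref, other = newest_per_sid(reference), newest_per_sid(peer)
    worst, notes = OK, []
    for sid in sorted(set(ref) | set(other)):
        if sid not in ref or sid not in other:
            # Assumption: a SID known to only one server means a broken link.
            worst = CRITICAL
            notes.append(f"sid {sid:03x} missing on one server")
            continue
        lag = abs((ref[sid] - other[sid]).total_seconds())
        level = CRITICAL if lag >= crit else WARNING if lag >= warn else OK
        worst = max(worst, level)
        notes.append(f"sid {sid:03x} lag {lag:.1f}s")
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[worst]
    return worst, f"{label} - " + ", ".join(notes)

# Constructed sample values, as they would be read from two masters.
SERVER_A = ["20240115103000.000000Z#000000#001#000000",
            "20240115103012.500000Z#000000#002#000000"]
SERVER_B = ["20240115103000.000000Z#000000#001#000000",
            "20240115103002.500000Z#000000#002#000000"]

if __name__ == "__main__":
    code, message = check_replication(SERVER_A, SERVER_B)
    print(message)
    raise SystemExit(code)
```

On a busy directory a small lag is normal at any instant, so a real check should only alert when the lag persists across several polls.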

Features that should be implemented as an NRPE plugin

  • BDB health checks
  • MDB health checks
  • Log watching for e.g.
    • Authentication failure patterns (see fail2ban)
    • Unindexed and slow searches
    • Problems with back-ldap proxy targets
    • Hardware failure events noticed by slapd

Features covered by existing plugins

  • Disk space
  • Memory usage (might be better implemented by us, judging by past tickets)
  • Similar OS-level details