Symas OpenLDAP Knowledge Base

Monitoring OpenLDAP

OpenLDAP maintains a cn=monitor database with statistics about the operation of the server. Each instance maintains its own cn=monitor database. These cn=monitor databases are easy to query using the LDAP protocol.

The Telegraf and Grafana tools are able to query the cn=monitor data and organize it for presentation. They can also send alerts when system or OpenLDAP conditions warrant immediate attention.

Nagios

Nagios is an older open source software package than Telegraf/Grafana. Many installations use Nagios and it works well for what it can do. However, it is limited compared to the newer software.

Monitoring a service is one of the more important parts of keeping it running reliably; Nagios is one of the leading open source (with commercial support) options for extensible monitoring of networks, hosts, and services. OpenLDAP has a variety of monitorable features that can help with proactive diagnosis of trouble.

There are several OpenLDAP monitoring scripts for Nagios in the wild, but last time we checked they did not cover important cases like multi-master replication. Symas has plans to develop example monitoring tools for Nagios to be bundled with our product.

Documentation

The Nagios Manual is online.

Features that should be monitored as a Nagios service

  • Server listening - RootDSE query
  • Database available - Suffix query/queries of content DBs
  • Replication current - Analysis of contextCSN state between servers
  • Monitor health - Connection count, etc.

Features that should be implemented as an NRPE plugin

  • BDB health checks
  • MDB health checks
  • Log watching for e.g.
    • Authentication failure patterns (see fail2ban)
    • Unindexed and slow searches
    • Problems with back-ldap proxy targets
    • Hardware failure events noticed by slapd
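
An NRPE-style log check for two of the patterns listed above, added here as an example (it is not Symas code or an existing Nagios plugin): it reads slapd stats-level log lines, attributes failed binds (err=49) to the source IP of their connection, and reports attributes searched without an index. The function name, thresholds and sample log lines are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample of slapd stats-level syslog lines (not from a real server).
SAMPLE_LOG = """\
Jan  5 10:00:01 ldap1 slapd[1234]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jan  5 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 BIND dn="uid=alice,dc=example,dc=com" method=128
Jan  5 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=49 text=
Jan  5 10:00:02 ldap1 slapd[1234]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jan  5 10:00:03 ldap1 slapd[1234]: conn=1001 op=2 RESULT tag=97 err=49 text=
Jan  5 10:00:04 ldap1 slapd[1234]: conn=1002 fd=15 ACCEPT from IP=198.51.100.7:40022 (IP=0.0.0.0:389)
Jan  5 10:00:04 ldap1 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Jan  5 10:00:05 ldap1 slapd[1234]: <= mdb_equality_candidates: (mail) not indexed
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ ")
BIND_FAIL = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=49\b")  # 49 = invalidCredentials
UNINDEXED = re.compile(r"_candidates: \(([^)]+)\) not indexed")
OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def check_slapd_log(text, fail_warn=3, fail_crit=5, unindexed_warn=1):
    """Return (nagios_status, message). Thresholds are illustrative assumptions."""
    conn_ip, failures, unindexed = {}, Counter(), Counter()
    for line in text.splitlines():
        if m := ACCEPT.search(line):
            conn_ip[m.group(1)] = m.group(2)  # remember source IP per connection id
        elif m := BIND_FAIL.search(line):
            failures[conn_ip.get(m.group(1), "unknown")] += 1
        elif m := UNINDEXED.search(line):
            unindexed[m.group(1)] += 1  # attribute that was searched without an index
    worst_ip, worst = max(failures.items(), key=lambda kv: kv[1], default=("-", 0))
    if worst >= fail_crit:
        status = CRITICAL
    elif worst >= fail_warn or sum(unindexed.values()) >= unindexed_warn:
        status = WARNING
    else:
        status = OK
    msg = (f"SLAPD_LOG {LABEL[status]} - max bind failures {worst} from {worst_ip}; "
           f"unindexed attrs: {','.join(sorted(unindexed)) or 'none'}")
    return status, msg


if __name__ == "__main__":
    # Reads the log on stdin when piped, otherwise runs on the constructed sample.
    status, msg = check_slapd_log(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read())
    print(msg)
    sys.exit(status)
```

The check only sees connections whose ACCEPT line is in the window it is given, so failures on older connections are counted under "unknown"; feed it a window long enough to cover typical connection lifetimes.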

Features covered by existing plugins

  • Disk space
  • Memory usage (might be better implemented by us, judging by past tickets)
  • Similar OS-level details