Use the OpenLDAP integration to get metrics from the cn=Monitor backend of your OpenLDAP servers.
The OpenLDAP integration is packaged with the Agent. To start gathering your OpenLDAP metrics:
- Have the cn=Monitor backend configured on your OpenLDAP servers.
- Install the Agent on your OpenLDAP servers.
If the cn=Monitor backend is not configured on your server, follow these steps:

1. Check if monitoring is enabled on your installation:

```shell
sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
```

If you see a line with olcModuleLoad: back_monitor.la, monitoring is already enabled; go to step 3.

2. Enable monitoring on your server:

```shell
cat <<EOF | sudo ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor.la
EOF
```

3. Create an encrypted password with slappasswd.

4. Add a new user:

```shell
cat <<EOF | ldapadd -H ldapi:/// -D <YOUR BIND DN HERE> -w <YOUR PASSWORD HERE>
dn: <USER_DISTINGUISHED_NAME>
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: <COMMON_NAME_OF_THE_NEW_USER>
description: LDAP monitor
userPassword:<PASSWORD>
EOF
```

5. Configure the monitor database:

```shell
cat <<EOF | sudo ldapadd -Y EXTERNAL -H ldapi:///
dn: olcDatabase=Monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: Monitor
olcAccess: to dn.subtree='cn=Monitor' by dn.base='<USER_DISTINGUISHED_NAME>' read by * none
EOF
```
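To confirm the result of the steps above, this added example (not part of the original page or of the Datadog Agent) parses the LDIF printed by `sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` and checks that `back_monitor.la` is loaded and that the `cn=Monitor` access rule ends in `by * none`. The sample LDIF, the monitor DN in it, and the function names are assumptions made for the example.

```python
import base64
import re

# Constructed sample of `ldapsearch ... -b cn=config` output; the monitor DN is a placeholder.
SAMPLE_LDIF = """\
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_monitor.la

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcMonitorConfig
olcAccess: {0}to dn.subtree='cn=Monitor' by dn.base='cn=monitor,dc=example,dc
 =org' read by * none
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)  # unfold: newline + one space continues a value
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = re.sub(r"^\{\d+\}", "", value.strip())  # drop slapd ordering prefix
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit_monitor_config(ldif_text):
    """Return findings; an empty list means the config matches the steps above."""
    entries, findings = parse_ldif(ldif_text), []
    if not any(v == "back_monitor.la" for e in entries for v in e.get("olcmoduleload", [])):
        findings.append("back_monitor.la is not loaded")
    dbs = [e for e in entries if "olcMonitorConfig" in e.get("objectclass", [])]
    if not dbs:
        findings.append("no monitor database entry")
    for db in dbs:
        rules = [r for r in db.get("olcaccess", []) if re.search(r"cn=monitor", r, re.I)]
        if not rules:
            findings.append("no olcAccess rule covers cn=Monitor")
        for rule in rules:
            if not re.search(r"\bby\s+\*\s+none\s*$", rule):
                findings.append("cn=Monitor rule does not end with 'by * none'")
            if re.search(r"\bby\s+(\*|anonymous|users)\s+(search|read|write|manage)\b", rule):
                findings.append("cn=Monitor is readable by a broad 'who' clause")
    return findings
```

Pipe real `ldapsearch` output into `audit_monitor_config()`; the parser unfolds wrapped lines itself, so `-o ldif-wrap=no` is not required.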
To configure this check for an Agent running on a host:
- Edit your openldap.d/conf.yaml in the conf.d folder at the root of your Agent's configuration directory. See the sample openldap.d/conf.yaml for all available configuration options.

```yaml
init_config:

instances:
    ## @param url - string - required
    ## Full URL of your ldap server. Use `ldaps` or `ldap` as the scheme to
    ## use TLS or not, or `ldapi` to connect to a UNIX socket.
    #
  - url: ldaps://localhost:636

    ## @param username - string - optional
    ## The DN of the user that can read the monitor database.
    #
    username: "<USER_DISTINGUISHED_NAME>"

    ## @param password - string - optional
    ## Password associated with `username`
    #
    password: "<PASSWORD>"
```
Available for Agent versions >6.0
- Collecting logs is disabled by default in the Datadog Agent. Enable it in your datadog.yaml file:

```yaml
logs_enabled: true
```

- Add this configuration block to your openldap.d/conf.yaml file to start collecting your OpenLDAP logs:

```yaml
logs:
  - type: file
    path: /var/log/slapd.log
    source: openldap
    service: "<SERVICE_NAME>"
```

Change the path and service parameter values and configure them for your environment. See the sample openldap.d/conf.yaml for all available configuration options.
For containerized environments, see the Autodiscovery Integration Templates for guidance on applying the parameters below.
Parameter | Value |
---|---|
<INTEGRATION_NAME> | openldap |
<INIT_CONFIG> | blank or {} |
<INSTANCE_CONFIG> | {"url":"ldaps://%%host%%:636","username":"<USER_DISTINGUISHED_NAME>","password":"<PASSWORD>"} |
Available for Agent versions >6.0
Collecting logs is disabled by default in the Datadog Agent. To enable it, see Kubernetes Log Collection.
Parameter | Value |
---|---|
<LOG_CONFIG> | {"source": "openldap", "service": "<SERVICE_NAME>"} |
Run the Agent's status subcommand and look for openldap under the Checks section.
The check is compatible with all major platforms.
See metadata.csv for a list of metrics provided by this integration.
The openldap check does not include any events.
See service_checks.json for a list of service checks provided by this integration.
Need help? Contact Datadog support.