Ldap plugin

plugin to view metrics of your ldap server

Introduction

Ver. 4-08-2021

With this plugin we will be able to see the metrics of your ldap server.

Type: Server or agent plug-in

Compatibility matrix

Systems where it has been tested

CentOS 7, Fedora

Systems where it should work

Any Linux system

Prerequisites

Required:

These dependencies are not required for the binary version of the plugin, only for the python version which is usually only for testing.

Configuration

In the binary version of the plugin all this process of installation of dependencies is not necessary since they are included in the plugin.

To run the plugin, python3 must be installed. This can be done with the following command:

CentOS7

yum install python3

We must install the python-ldap module in its python 3 version, this is done with the following command:

yum install python3-ldap

or with pip :

pip3 install python-ldap

In turn, to install the previous module, we will need the following dependencies:

yum groupinstall "Development tools"
yum install openldap-devel python-devel

Fedora

sudo dnf install python3

In addition, we must have the python-ldap module installed, this is installed with :

pip install python-ldap

Fedora will need the following dependencies (from ldap) for this module to be installed:

sudo dnf install "@C Development Tools and Libraries" openldap-devel \
    python2-devel python3-devel python3-tox \
    lcov clang-analyzer valgrind

For other systems you can see the necessary python-ldap dependencies in :

https://www.python-ldap.org/en/python-ldap-3.3.0/installing.html

Enable monitoring in ldap.

It is a prerequisite that the OpenLDAP monitoring module is enabled and configured.

Check if your monitoring module is enabled in your OpenLDAP installation:

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=module{0},cn=config"

If olcModuleLoad: {1}back_monitor is included in the response, the monitoring module is enabled. You can skip to step 3.

To enable the monitoring module, create a module_monitoring.ldif file

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}back_monitor

and execute the command:

ldapmodify -Y EXTERNAL -H ldapi:/// -f module_monitoring.ldif

Create an encrypted password for the monitoring user:

slappasswd -s <MONITOR_USER_PASSWORD>

If this does not work, try the following:

sudo -i slappasswd

Create a cn_monitor.ldif file

dn: <NEW_MONITORING_USER_DISTINGUISHED_NAME>
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: <COMMON_NAME_OF_THE_NEW_MONITORING_USER>
description: LDAP monitor
userPassword: <ENCRYPTED_PASSWORD>

and run the following command to add the monitoring user:

ldapadd -x -D <ADMIN_DISTINGUISHED_NAME> -w <ADMIN_PASSWORD> -f cn_monitor.ldif

Create a database_monitor.ldif file

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: {2}Monitor
olcAccess: {0}to dn.subtree="cn=Monitor" by dn.base="<NEW_MONITORING_USER_DISTINGUISHED_NAME>" read by * none

and run the following command to configure the monitoring database:

ldapadd -Y EXTERNAL -H ldapi:/// -f database_monitor.ldif

To test the monitoring module, run the following command:

ldapsearch -x -D <NEW_MONITORING_USER_DISTINGUISHED_NAME> -w <MONITOR_USER_PASSWORD> -b cn=Uptime,cn=Time,cn=Monitor -s base '(objectClass=*)' '*' '+'
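
The access rule set in database_monitor.ldif is what keeps cn=Monitor readable only by the monitoring user. The following Python check is an added example, not part of the plugin or of the original page: it audits the olcAccess values of the Monitor database entry, given as LDIF text. The DN cn=monitor,dc=example,dc=com and the sample LDIF are constructed for illustration, and only the rules on this one entry are examined.

```python
import base64
import re

# Constructed sample: the Monitor database entry as ldapsearch prints it, with
# the long olcAccess value folded onto a continuation line (leading space).
SAMPLE_LDIF = """\
dn: olcDatabase={2}Monitor,cn=config
objectClass: olcMonitorConfig
olcDatabase: {2}Monitor
olcAccess: {0}to dn.subtree="cn=Monitor" by dn.base="cn=monitor,dc=example,d
 c=com" read by * none
"""

READ_OR_HIGHER = {"read", "write", "manage"}  # slapd access levels that allow reading

def olc_access_values(ldif):
    """Return the olcAccess values of an LDIF entry, unfolded and decoded."""
    values = []
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():  # undo LDIF folding
        m = re.match(r"olcAccess(::?) *(.*)", line, re.IGNORECASE)
        if m:  # "::" marks a base64-encoded value
            raw = m.group(2)
            values.append(base64.b64decode(raw).decode() if m.group(1) == "::" else raw)
    return values

def audit_monitor_acl(ldif, monitor_dn):
    """Return findings; empty means no rule here grants read to anyone but monitor_dn."""
    rules = olc_access_values(ldif)
    if not rules:
        # With no rule on the database, slapd uses the global rules or, if there
        # are none, its default policy, which allows read to everyone.
        return ["no olcAccess: access falls back to global rules or read-for-all default"]
    expected = f'dn.base="{monitor_dn}"'.lower()
    findings = []
    for rule in rules:
        # A rule is "to <what> by <who> <level> ..."; <who> may hold a quoted DN.
        for who, level in re.findall(r'\bby\s+((?:[^\s"]+|"[^"]*")+)\s+(\S+)', rule):
            if level.lower() in READ_OR_HIGHER and who.lower() != expected:
                findings.append(f"{who} is granted {level}")
    return findings
```

The LDIF to audit can be obtained with an ldapsearch against cn=config over ldapi:///, in the same way as the module check above.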

General plugin parameters

Binary execution

./pandora_ldap -s <server> -b <binding> -p <password> -a <agent> [--as_agent_plugin] [ -g <group> ] [ --data_dir <data_dir> ]

Running python version (test only)

python3 pandora_ldap.py -s <server> -b <binding> -p <password> -a <agent> [--as_agent_plugin] [ -g <group> ] [ --data_dir <data_dir> ]

If the execution is correct, we will see a 1 when executing the plugin.

To run it as an agent plugin, use the optional parameter "as_agent_plugin" with a "1"; the plugin will then return an XML with the data of our server.

Plug-in specific parameters

The plug-in has the following parameters:

Parameter                         Description
-s server, --server server        This is mandatory. You have to enter your server with the port, e.g. ldap://192.168.1.178:389
-h, --help                        Show a small help message (optional, only used to view help)
-b binding, --binding binding     This is mandatory. Your LDAP data to connect, e.g. cn=ldapadm,dc=sanchez,dc=com
-p password, --password password  Your LDAP password. It is required.
-a agent, --agent agent           This is mandatory. The name of the agent to be created with all the modules.
--as_agent_plugin                 Optional. If you want the plugin to be an agent plugin and put the modules in the Pandora agent, execute this with a 1.
-g GROUP, --group GROUP           Pandora FMS target group
--data_dir DATA_DIR               Pandora FMS data directory. By default it is /var/spool/pandora/data_in/

Manual execution

We can run the plugin from the terminal to check that it works.

Example:

Binary version of the plugin

/usr/share/pandora_server/util/plugin/pandora_ldap -s ldap://localhost.localdomain:389 -b cn=ldapadm,dc=sanchez,dc=com -p redhat -a ldapserver --as_agent_plugin 1

Configuration in pandora

Console installation

To register the plugin from the console, go to the "register plugin" section.

Click on select file.

Select the .pspz2 file to be uploaded.

A message will appear informing you that the plugin has been registered successfully.

Once the plugin is registered, we will see it in the plugins section.

The plugin menu can be accessed by clicking on the plugin title.

In parameters we will see the macro used by the plugin; it does not need to be changed.

In the Default value field, we must enter the path to our .conf file.

Manual installation

The best way to manage server plugins in Pandora is from "/usr/share/pandora_server/util/plugin", so we will send it by pscp to that path.

Then we will move to the folder where we have put it ("/usr/share/pandora_server/util/plugin" is the recommended one).

Remember: you have to install the dependencies that the python ldap module needs on your system, as explained in the configuration section.

We move from home with:

cd /usr/share/pandora_server/util/plugin/

We run the plugin to see that it works:

python3 pandora_ldap.py -s <server> -b <binding> -p <password> -a <agent> [--as_agent_plugin] [ -g <group> ] [ --data_dir <data_dir> ]

With as_agent_plugin 1 we will be able to see an XML with the data that will be shown in the console.

If we execute it in the first way, without "as_agent_plugin 1", we will have created an agent with the name we have given it in the -a parameter with all the modules.

Anyway, if you prefer to install it manually from the console, the process would be as follows:

As a server plugin

We will go to servers > plugins.

Click on "add".

Enter the name and description of your choice.

We enter as command the path to the plugin, and as parameters the ones we used when executing the plugin; the "_field_" fields are macros defined below.

For each macro, enter the description of your choice and, as value, the data of your LDAP server.

Then click on the "create" button.

As agent plugin

We should enable the remote configuration, to enable it we have to open the pandora_agent.conf file:

vim /etc/pandora/pandora_agent.conf

Inside, we look for the remote_config line and set it to 1 to enable it.

And after that we restart the agent :

/etc/init.d/pandora_agent_daemon restart

The remote configuration will have been activated. Go to the agents menu and click on the remote configuration icon.

Then we go to the plugin menu.

We enter the command and click on add.

Example:

python3 /usr/share/pandora_server/util/plugin/pandoraversion_ldap.py -s ldap://localhost.localdomain:389 -b cn=ldapadm,dc=sanchez,dc=com -p redhat -a ldapserver --as_agent_plugin 1

A new plugin will have been created.

Once this is done, we restart the agent:

/etc/init.d/pandora_agent_daemon restart

And if we go to the agent with the remote configuration, the ldap modules will have been created.

Modules generated

An agent will be created with the name we have given it in the execution, which will contain all the modules:

Name                                Description
Abandon operations completed        Type of operation "abandon" completed
Abandon operations initiated        Type of operation "abandon" initiated
active operations                   All active operations
Add operations completed            Type of operation "add" completed
Add operations initiated            Type of operation "add" initiated
authentications/sec                 Number of authentications (binds) per second
Bind operations completed           Type of operation "bind" completed
Bind operations initiated           Type of operation "bind" initiated
Bytes statics                       Bytes statics
cn=Operations,cn=Monitor completed  All operations completed
cn=Operations,cn=Monitor initiated  All operations initiated
Compare operations completed        Type of operation "compare" completed
Compare operations initiated        Type of operation "compare" initiated
Current connections                 Number of current connections
Delete operations completed         Type of operation "delete" completed
Delete operations initiated         Type of operation "delete" initiated
Entries statics                     Entries statics, sub tree statics
Extended operations completed       Type of operation "extended" completed
Extended operations initiated       Type of operation "extended" initiated
Max Descriptor connections          Max Descriptor connections
Modify operations completed         Type of operation "modify" completed
Modify operations initiated         Type of operation "modify" initiated
Modrdn completed                    Modrdn completed
Modrdn initiated                    Modrdn initiated
operations/sec                      Total number of operations per second
PDU statics                         PDU statics
Read waiters                        Read waiters
Referrals statics                   Referrals statics
Response time                       Response time of the LDAP server
Search operations completed         Type of operation "search" completed
Search operations initiated         Type of operation "search" initiated
Total connections                   Number of total connections
Unbind Operations completed         Type of operation "unbind" completed
Unbind Operations initiated         Type of operation "unbind" initiated
Write waiters                       Write waiters
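
The per-second and "active" modules above are derived from counters that cn=Operations,cn=Monitor exposes as monitorOpInitiated and monitorOpCompleted. The following Python is an added example of one way to derive them from two snapshots, including the case where slapd restarted in between; it is not the plugin's own code, and the snapshot values and the 60-second interval are constructed.

```python
import re

def make_snapshot(bind_init, bind_done, search_init, search_done):
    """Build a constructed cn=Operations snapshot in the LDIF form ldapsearch prints."""
    return (f"dn: cn=Bind,cn=Operations,cn=Monitor\n"
            f"monitorOpInitiated: {bind_init}\nmonitorOpCompleted: {bind_done}\n\n"
            f"dn: cn=Search,cn=Operations,cn=Monitor\n"
            f"monitorOpInitiated: {search_init}\nmonitorOpCompleted: {search_done}\n")

# Constructed samples, taken 60 seconds apart.
T0 = make_snapshot(1200, 1200, 5400, 5398)
T1 = make_snapshot(1500, 1500, 6000, 5999)

def parse_operations(ldif):
    """Map operation name -> (initiated, completed) for cn=Operations children."""
    ops = {}
    unfolded = re.sub(r"\r?\n ", "", ldif)  # undo LDIF line folding
    for entry in re.split(r"\n\s*\n", unfolded.strip()):
        attrs = dict(re.findall(r"^([\w;-]+): (.*)$", entry, re.MULTILINE))
        m = re.match(r"cn=([^,]+),cn=Operations,cn=Monitor$", attrs.get("dn", ""), re.I)
        if m and {"monitorOpInitiated", "monitorOpCompleted"} <= attrs.keys():
            ops[m.group(1)] = (int(attrs["monitorOpInitiated"]),
                               int(attrs["monitorOpCompleted"]))
    return ops

def summarize(before_ldif, after_ldif, seconds):
    """Per-operation rate and in-flight count between two snapshots."""
    before, after = parse_operations(before_ldif), parse_operations(after_ldif)
    out = {}
    for name, (init, done) in after.items():
        prev = before.get(name, (0, 0))[0]
        # A counter lower than its previous value means slapd restarted:
        # count only what happened since the restart.
        delta = init - prev if init >= prev else init
        out[name] = {"per_sec": delta / seconds, "active": init - done}
    return out
```

The "Bind" rate corresponds to the authentications/sec module, which makes it the natural value to put an alert threshold on.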
