Hi FreeIPA-Users,
I have a Prometheus server and I am trying to set up an alert to test whether an LDAP search succeeds. Searching, there seem to be a few exporters (389ds exporter, openldap exporter), but all rather old, and I'm struggling to get any useful metrics out of them.
Could anyone recommend a good way to achieve this (preferably not putting a password in a text file)? I'm afraid I've had a good search, but I'm struggling to find a good way to do this.
Current version of IPA: 4.9.10
Many Thanks, Tania
On 21/11/2022 17:10, Tania Hagan via FreeIPA-users wrote:
> I have a Prometheus server and I am trying to set up an alert to test whether an LDAP search succeeds. Searching, there seem to be a few exporters (389ds exporter, openldap exporter), but all rather old, and I'm struggling to get any useful metrics out of them.
> Could anyone recommend a good way to achieve this (preferably not putting a password in a text file)? I'm afraid I've had a good search, but I'm struggling to find a good way to do this.
Is what you're trying to test covered by one of the tests within ipa-healthcheck? If so, process its output into a file that you ingest via the textfile collector of the node exporter.
If not, and you've only got a few 'smoke test' type queries that you simply want to check are working, one way is to create a script using e.g. ldapsearch with SASL EXTERNAL authentication; run this on a schedule and again have it produce files ingested via the textfile collector.
# ldapwhoami -Y EXTERNAL -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=Directory Manager
EXTERNAL authentication, in conjunction with ldapi, authenticates the client based on the uid/gid of the client process, so you don't need to deal with any users/passwords.
Regards,
Sam Morris via FreeIPA-users wrote:
> On 21/11/2022 17:10, Tania Hagan via FreeIPA-users wrote:
> > I have a Prometheus server and I am trying to set up an alert to test whether an LDAP search succeeds. Searching, there seem to be a few exporters (389ds exporter, openldap exporter), but all rather old, and I'm struggling to get any useful metrics out of them.
> > Could anyone recommend a good way to achieve this (preferably not putting a password in a text file)? I'm afraid I've had a good search, but I'm struggling to find a good way to do this.
> Is what you're trying to test covered by one of the tests within ipa-healthcheck? If so, process its output into a file that you ingest via the textfile collector of the node exporter.
> If not, and you've only got a few 'smoke test' type queries that you simply want to check are working, one way is to create a script using e.g. ldapsearch with SASL EXTERNAL authentication; run this on a schedule and again have it produce files ingested via the textfile collector.
> # ldapwhoami -Y EXTERNAL -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: cn=Directory Manager
> EXTERNAL authentication, in conjunction with ldapi, authenticates the client based on the uid/gid of the client process, so you don't need to deal with any users/passwords.
ipa-healthcheck has a Prometheus option but it only does a few things. It ensures the services are up but it doesn't do a direct LDAP query to be sure the server is answering.
But I agree with your proposal. Using the ldapi socket on the IPA server as root will bind password-less as Directory Manager so any simple query will work.
An alternative would be to search for the available namingContexts, which can be done anonymously:
ldapsearch -LLL -x -b "" -s base -H ldap://yourserver
rob
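Putting Sam's ldapi/SASL EXTERNAL proposal and Rob's anonymous namingContexts search together into one textfile-collector script, as an added example (this is not code from the thread, nor from the FreeIPA project). The textfile directory, the metric names, the suffix in BASE_DN, the socket name in LDAPI_URI, and the presence of coreutils `timeout` and GNU `date` are assumptions; the script must run as root on the IPA server for the ldapi probe to map to cn=Directory Manager, and the ldaps probe relies on the TLS_CACERT that ipa-server-install writes to /etc/openldap/ldap.conf (or on LDAPTLS_CACERT=/etc/ipa/ca.crt in the environment).

```shell
#!/bin/sh
# ipa_ldap_probe.sh: LDAP smoke tests for a FreeIPA replica, written for
# node_exporter's textfile collector. Added example, not from the thread.
# Assumptions (not given in the thread): the textfile directory, the metric
# names, the suffix in BASE_DN, the socket name in LDAPI_URI, and the
# availability of coreutils timeout and GNU date.
set -u

TEXTFILE_DIR="${TEXTFILE_DIR:-/var/lib/node_exporter/textfile_collector}"
LDAPI_URI="${LDAPI_URI:-ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket}"
LDAPS_URI="${LDAPS_URI:-ldaps://$(hostname -f)}"
BASE_DN="${BASE_DN:-dc=ipa,dc=example,dc=com}"
PROBE_TIMEOUT="${PROBE_TIMEOUT:-10}"

# run_probe NAME CMD...: run CMD under a timeout and print one line
# "NAME OK SECONDS" (OK is 1 on success, 0 on failure or timeout).
run_probe() {
    name=$1
    shift
    start=$(date +%s.%N)
    if timeout "$PROBE_TIMEOUT" "$@" >/dev/null 2>&1; then
        ok=1
    else
        ok=0
    fi
    end=$(date +%s.%N)
    dur=$(awk -v a="$start" -v b="$end" 'BEGIN { printf "%.3f", b - a }')
    printf '%s %s %s\n' "$name" "$ok" "$dur"
}

# format_metrics: read "NAME OK SECONDS" lines on stdin and emit Prometheus
# text exposition format, plus a last-run timestamp so an alert can also
# fire when the probe itself stops running (a stale success is not a success).
format_metrics() {
    printf '# HELP ipa_ldap_probe_success 1 if the LDAP smoke-test search succeeded.\n'
    printf '# TYPE ipa_ldap_probe_success gauge\n'
    printf '# HELP ipa_ldap_probe_duration_seconds Wall-clock time of the search.\n'
    printf '# TYPE ipa_ldap_probe_duration_seconds gauge\n'
    while read -r name ok dur; do
        printf 'ipa_ldap_probe_success{probe="%s"} %s\n' "$name" "$ok"
        printf 'ipa_ldap_probe_duration_seconds{probe="%s"} %s\n' "$name" "$dur"
    done
    printf '# HELP ipa_ldap_probe_last_run_timestamp_seconds Unix time of the last probe run.\n'
    printf '# TYPE ipa_ldap_probe_last_run_timestamp_seconds gauge\n'
    printf 'ipa_ldap_probe_last_run_timestamp_seconds %s\n' "$(date +%s)"
}

# write_metrics: stdin -> TEXTFILE_DIR/ipa_ldap_probe.prom via a temp file
# and rename, so node_exporter never scrapes a half-written file.
write_metrics() {
    tmp="$TEXTFILE_DIR/.ipa_ldap_probe.prom.$$"
    cat >"$tmp" && mv "$tmp" "$TEXTFILE_DIR/ipa_ldap_probe.prom"
}

main() {
    {
        # Suffix search via the ldapi socket: SASL EXTERNAL maps the caller's
        # uid/gid (root) to cn=Directory Manager, so no password is stored
        # anywhere. -Q suppresses the SASL banner on stderr.
        run_probe ldapi_rootdn ldapsearch -LLL -Q -Y EXTERNAL -H "$LDAPI_URI" \
            -b "$BASE_DN" -s base '(objectClass=*)' dn
        # Anonymous rootDSE search over TLS on 636: what an external client
        # sees, and the rootDSE is readable even where anonymous suffix
        # access is disabled.
        run_probe anon_rootdse_ldaps ldapsearch -LLL -x -H "$LDAPS_URI" \
            -b '' -s base '(objectClass=*)' namingContexts
    } | format_metrics | write_metrics
}

# Only probe when asked to, e.g. from a cron job or systemd timer:
#   IPA_LDAP_PROBE_RUN=1 /usr/local/sbin/ipa_ldap_probe.sh
if [ "${IPA_LDAP_PROBE_RUN:-0}" = 1 ]; then
    main
fi
```

Point node_exporter at the directory with `--collector.textfile.directory=/var/lib/node_exporter/textfile_collector` and alert on `ipa_ldap_probe_success == 0 or (time() - ipa_ldap_probe_last_run_timestamp_seconds) > 300`, so that both a failing search and a probe that silently stopped running page you. The two probes fail for different reasons: the ldapi one only tells you whether ns-slapd answers at all, while the ldaps one also exercises the TCP listener and the server certificate, which is the path your users actually take.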
Hi,
Many thanks for the response. I have set up ipa-healthcheck, but it didn't have the LDAP query check (the reason being that we noticed a few months ago that an LDAP query failed whilst the services appeared to stay up, so I'm keen to monitor this so we can notice these problems before our users do).
I looked into these two exporters:
https://github.com/terrycain/389ds_exporter
https://github.com/ozgurcd/389DS-exporter
The original reason I couldn't get them to work is that by default they wanted to connect to LDAP on 389 instead of 636. I was able to get both to work with a password with some tweaks, but found that go-ldap doesn't currently have GSSAPI support.
There's an open ticket with go-ldap, https://github.com/go-ldap/ldap/pull/402, that hopes to add GSSAPI support, so I'll wait for that work to complete before trying again.
Many Thanks, Tania
Tania Hagan via FreeIPA-users wrote:
> Hi,
> Many thanks for the response. I have set up ipa-healthcheck, but it didn't have the LDAP query check (the reason being that we noticed a few months ago that an LDAP query failed whilst the services appeared to stay up, so I'm keen to monitor this so we can notice these problems before our users do).
> I looked into these two exporters:
> https://github.com/terrycain/389ds_exporter
> https://github.com/ozgurcd/389DS-exporter
> The original reason I couldn't get them to work is that by default they wanted to connect to LDAP on 389 instead of 636. I was able to get both to work with a password with some tweaks, but found that go-ldap doesn't currently have GSSAPI support.
What's the problem using port 389? The second exporter does an anonymous bind to cn=monitor. No credentials are passed so there is no need to encrypt the connection.
Do you disable anonymous logins? Even so, the rootDSE should be available, so you could try switching what they are searching for.
> There's an open ticket with go-ldap, https://github.com/go-ldap/ldap/pull/402, that hopes to add GSSAPI support, so I'll wait for that work to complete before trying again.
rob
freeipa-users@lists.fedorahosted.org