Red Hat Directory Server monitoirng with Zabbix
This software is released under the GPL V3 Open Source Licence.
This program and related components are not officially supported or maintained by Red Hat.
Red Hat Directory Server monitoring with ldap.
The following RPMS are required on RHEL
- python-ldap
- python-dateutil
After installing the above required dependencies, copy the .py files to the zabbix user's home directory. If you are using the Zabbix SIA RPMs this will be /var/lib/zabbix. You may need to create this directory, if you do ensure it is owned by Zabbix and the SElinux contexts are set appropriately.
Next copy the config.yaml-default to config.yaml in the Zabbix user's home directory and edit with the appropriate information. Often all you will need to change is the user name to connect with, the password and the url to connect to. For a list of DNs and objects which accessed see the section "LDAP Permissions" below.
NOTE: It is important that the url statement be correct on each host being configured to monitor. Otherwise all hosts may connect to the wrong initial host for data.
For replication monitoring the user listed in the config file will be used to connect to each host. Right now there is no way to specify a different username/password for each host. Replication monitoring requires that the script running on host A be able to connet to each host it has a replication agreement with to check the RUV (Replication Update Vector) on each host to ensure they are in sync.
You can test that everything works by executing get_data.py or get_replication.py from the command line. It is suggested that you execute the scripts as Zabbix if you are able as each python file will be compiled at execution. In addition this ensures better testing of SELinux and other security frameworks which may prevent the scripts from properly running. Upon proper execution you should see a large set of JSON formatted data on screen. Sample output is available below in the "Sample Output" section.
NOTE: This guide assumes you are using includes for the Zabbix agent configuration, for more information see: https://www.zabbix.com/documentation/4.2/manual/appendix/config/zabbix_agentd
Copy the userparameter_rhds.conf file to the /etc/zabbix/zabbix_agent.d/. The file does not need to be owned by Zabbix, but must be readable by it.
NOTE: If you are not using the Zabbix SIA RPMs you will need to update the userparameter_rhds.conf file to match the directory where you installed the scripts.
To test the userparameter you can execute the following on the command line zabbix-agentd -t ldap_stats. You should see a large set of JSON data on screen similar to what you would see if you executed get_data.py
Next import the Template RHDSLDAP.xml file into Zabbix and associate to all LDAP servers.
By default replication will auto-discover once an hour. This can be altered as needed or run manually. After the replication auto-discovery is run all items will not populate with data until the next update of the replication data item (key: ldap_replication). The default update time for the replication data item is 5 minutes.
It is recommended that you create your own user and ACI for monitoring the following DN's are queried for all objectclasses unless otherwise noted:
- cn=features, cn=config
- cn=monitor, cn=config
- cn=snmp, cn=config
- cn=replication, cn=config
- cn=monitor
- cn=database, cn=monitor, cn=ldbm database, cn=plugins, cn=config
- cn=mapping tree, cn=config
- Full SubTree
- objectclasses:
- nsDS5ReplicationAgreement
- nstombstone
Unfortunately at this time SELinux cannot be set to enforcing with out first creating a custom module on RHEL 7. It is recommended to either use Permissive mode for now, or to create your own custom SELinux module.
The following are sample outputs of the LDAP monitoring and Replicaiton monitoring data:
I would like to specifically thank Richard Megginson (github: richm) for his intricate work on Replication montoring. The replication monitoring portions of these scripts were reverse engineered from his efforts.