
Add custom database in slapd.conf

Open alxArad opened this issue 6 years ago • 3 comments

I need to get metrics from this openldap, and I need to load monitor backend/database. I need to add these in slapd.conf:

database monitor
rootdn "cn=monitoring,cn=Monitor"
rootpw YOUR_MONITORING_ROOT_PASSWORD

As far as I know, slapd.conf is not used; in this case, how can I achieve this? Do I need to add a custom ldif?

P.S: I'm using this for getting metrics: https://github.com/tomcz/openldap_exporter

alxArad avatar Nov 22 '19 16:11 alxArad

@alxArad from the Prometheus exporter page you are referencing, you can also find some interesting links like http://www.openldap.org/doc/admin24/backends.html#Monitor which gives you the ldif entries to be used

Furthermore, this other link might also be useful to add the monitor module

However, section 20.1 of the OpenLDAP admin guide would have been of much more use

HTH though

obourdon avatar Nov 23 '19 11:11 obourdon

Thank you. I finally got it working and I'm posting here for others in case someone has to do something similar.

I had to create custom ldifs for loading the monitor backend, adding the monitor user (the user used for binding when running ldapsearch for monitoring purposes) and loading the monitor database.

load monitor backend ldif:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {4}back_monitor

add user (I used an ansible role here for adding users instead of ldif):

- name: Add Monitoring User
  ldap_entry:
    dn: cn=monitor,dc=myCompany,dc=com
    objectClass:
      - simpleSecurityObject
      - organizationalRole
    attributes:
      cn: monitor
      description: LDAP monitoring
      userpassword: "somePass"
    params: "{{ ldap_auth }}"

load monitor database ldif:

dn: olcDatabase={2}Monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: {2}Monitor
olcAccess: {0}to dn.subtree="cn=Monitor" by dn.base="cn=monitor,dc=myCompany,dc=com" read by * none

Put these files in a folder (like /opt/openldap/ldif) and mount it into the container:

volumes:
- "/opt/openldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom"

Monitoring is loaded now and can be fetched via ldapsearch. More details at this link: https://blog.kmp.or.at/monitoring-openldap/ and this one: https://serverfault.com/questions/866759/openldap-monitor-access-acl-not-working

I think this issue should be closed. Perhaps it is a good idea to write something relevant in the README file with the instructions for enabling monitoring? Or just prepare a new version to make things easier and add some ENV like "ENABLE_MONITORING=true/false"?

alxArad avatar Nov 27 '19 13:11 alxArad

2023-9-16 Thanks for sharing. I made a simpler and more universal version based on @alxArad's solution.

# get into the container
docker exec -it openldap bash

# load monitor module
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor
EOF

# init monitor database and access permission
ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase=Monitor,cn=config
objectClass: olcMonitorConfig
olcDatabase: Monitor
olcAccess: to * by * read
EOF

# test if success
ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=monitor"

perfumescent avatar Sep 16 '23 08:09 perfumescent
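The two solutions in this thread differ in one security-relevant detail: the first grants read on cn=Monitor only to a dedicated bind DN (`by dn.base="..." read by * none`), the second grants it to everyone (`to * by * read`), which includes anonymous binds. The script below is an added example, not code from this thread or from the docker-openldap project. It generates the cn=config LDIF for the restrictive variant and lints the olcAccess rules of a Monitor database entry the way slapd evaluates them (first matching `by` clause wins, unmatched requesters get `none`), so an over-permissive rule is flagged before it is applied. The bind DN `cn=monitor,dc=example,dc=com` and the LDIF inputs are constructed placeholders; the parser only covers the simple `to <what> by <who> <access>` form used on this page.

```python
import re

# Placeholder bind DN for the monitoring user (assumption, not from the thread).
MONITOR_BIND_DN = "cn=monitor,dc=example,dc=com"

# slapd access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def monitor_config_ldif(bind_dn):
    """cn=config LDIF enabling back_monitor with read limited to bind_dn."""
    return f"""dn: cn=module{{0}},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: back_monitor

dn: olcDatabase=Monitor,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: Monitor
olcAccess: to dn.subtree="cn=Monitor" by dn.base="{bind_dn}" read by * none
"""


def parse_ldif(text):
    """Minimal LDIF parser: records separated by blank lines, folded
    continuation lines (leading space) joined, '#' comments and '-' skipped.
    Returns a list of dicts mapping attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def parse_access(rule):
    """Split an olcAccess value into (what, [(who, access), ...]).
    An optional ordering prefix such as '{0}' is dropped."""
    rule = re.sub(r"^\{\d+\}", "", rule.strip())
    m = re.match(r"to\s+(.+?)\s+by\s+(.*)$", rule)
    if not m:
        raise ValueError(f"unsupported olcAccess syntax: {rule}")
    what, rest = m.group(1), m.group(2)
    clauses = []
    for clause in re.split(r"\s+by\s+", rest):
        parts = clause.split()
        clauses.append((parts[0], parts[1] if len(parts) > 1 else "none"))
    return what, clauses


def access_for(clauses, requester_dn=None):
    """Access a requester gets: first matching 'by' clause wins, as in slapd.
    requester_dn=None models an anonymous bind; no match means 'none'."""
    for who, access in clauses:
        if who == "*":
            return access
        if who == "anonymous" and requester_dn is None:
            return access
        if who == "users" and requester_dn is not None:
            return access
        if requester_dn and who in (f'dn.base="{requester_dn}"', f'dn.exact="{requester_dn}"'):
            return access
    return "none"


def lint_monitor_acl(ldif_text, bind_dn):
    """Flag olcAccess rules on a Monitor database that let anonymous read,
    or that fail to give the monitoring bind DN read access.
    Each rule is checked on its own (slapd applies the first rule whose
    'what' matches; this linter does not model that ordering)."""
    findings = []
    for rec in parse_ldif(ldif_text):
        if not any(v.lower().endswith("monitor") for v in rec.get("olcDatabase", [])):
            continue
        for rule in rec.get("olcAccess", []):
            what, clauses = parse_access(rule)
            anon = access_for(clauses)
            monitor = access_for(clauses, bind_dn)
            if LEVELS.index(anon) >= LEVELS.index("read"):
                findings.append(f"anonymous gets {anon} on {what}")
            if LEVELS.index(monitor) < LEVELS.index("read"):
                findings.append(f"{bind_dn} cannot read {what}")
    return findings


# Constructed input mirroring the permissive variant from the thread.
PERMISSIVE_LDIF = """dn: olcDatabase=Monitor,cn=config
objectClass: olcMonitorConfig
olcDatabase: Monitor
olcAccess: to * by * read
"""

if __name__ == "__main__":
    print(lint_monitor_acl(PERMISSIVE_LDIF, MONITOR_BIND_DN))
    print(lint_monitor_acl(monitor_config_ldif(MONITOR_BIND_DN), MONITOR_BIND_DN))
```

Run the linter over the LDIF you are about to feed to ldapadd; the permissive rule produces one finding for anonymous read, while the generated restrictive LDIF produces none. Bind with the monitoring DN (for example from openldap_exporter) rather than relying on anonymous access when you verify the result with ldapsearch.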