LDAP Monitoring in Nagios

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
hoegh
Posts: 201
Joined: Thu Jan 04, 2018 7:48 am

LDAP Monitoring in Nagios

Post by hoegh »

Hi team,

We want to add monitoring of LDAP ports & Drivers in Nagios.
We tried the check_ldap & check_dxml_drvstate plugins & encountered the errors below:

With check_ldap, it's not able to find/search objectclasses:

$ check_ldap -H 10.202.24.48 -b cn=idm,cn=monitor -a cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor
Could not search/find objectclasses in cn=idm,cn=monitor

With check_dxml_drvstate, it's not detecting the Driver state. It's just showing: Driver $driver_name_if_any$ is STARTING...

$ check_dxml_drvstate -s 10.202.24.48 -d cn=ActiveDirectory,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor
Driver ActiveDirectory.drivers.driverSet_Stats.IDM.Monitor is STARTING...

We are using check_dxml_drvstate 2.1.

Please help us to configure the LDAP ports & Drivers in Nagios monitoring.

Thanks & Regards
Hoegh
Thanks
Höegh
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP Monitoring in Nagios

Post by cdienger »

These are two separate plugins and should have their own threads if needed.

The check_ldap plugin's "-a" only accepts one attribute to filter for. I assume you're looking for the existence of the cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor object? Try:

check_ldap -H 10.202.24.48 -b "cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" -W 0 -v

and per the author of the check_dxml_drvstate plugin, the plugin is a wrapper for the "dxcmd -getstate" command. What are the results when you run this directly on the ldap server?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
hoegh
Posts: 201
Joined: Thu Jan 04, 2018 7:48 am

Re: LDAP Monitoring in Nagios

Post by hoegh »

cdienger wrote: These are two separate plugins and should have their own threads if needed.

The check_ldap plugin's "-a" only accepts one attribute to filter for. I assume you're looking for the existence of the cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor object? Try:

check_ldap -H 10.202.24.48 -b "cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" -W 0 -v

and per the author of the check_dxml_drvstate plugin, the plugin is a wrapper for the "dxcmd -getstate" command. What are the results when you run this directly on the ldap server?

Hi cdienger,

Tried the above command but it did not work.

check_ldap -H 10.202.24.48 -b "cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" -W 0 -v
Could not search/find objectclasses in cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor

And we will update you with the result of the "dxcmd -getstate" command on the LDAP server soon.

Please suggest if there is any other plugin we can use.

Thanks & Regards
Hoegh
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP Monitoring in Nagios

Post by cdienger »

Try the following:

check_ldap -H 10.202.24.48 -b "cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" -W 0 -a cn=AzureAD -v

Also, if you need more assistance for the dxcmd plugin, please open a new thread with the output of the dxcmd -getstate command and feel free to reference this thread.
hoegh
Posts: 201
Joined: Thu Jan 04, 2018 7:48 am

Re: LDAP Monitoring in Nagios

Post by hoegh »

Hi cdienger,

Tried the above command but it didn't work.

check_ldap -H 10.202.24.48 -b "cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" -W 0 -a cn=AzureAD -v
Could not search/find objectclasses in cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor

Still getting the same error.
Please suggest what can be done further.

Thanks & Regards
Hoegh
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP Monitoring in Nagios

Post by cdienger »

I'd like to see how the ldap server is responding and we can do that with packet capture:

yum -y install tcpdump
tcpdump -s 0 -i any port 389 -w output.pcap


Let this run while you run the ./check_ldap command and then use CTRL+C to stop it. The output.pcap file will contain sensitive info so PM it to me or attach it to a new ticket at https://support.nagios.com/tickets/.
hoegh
Posts: 201
Joined: Thu Jan 04, 2018 7:48 am

Re: LDAP Monitoring in Nagios

Post by hoegh »

cdienger wrote: I'd like to see how the ldap server is responding and we can do that with packet capture:

yum -y install tcpdump
tcpdump -s 0 -i any port 389 -w output.pcap


Let this run while you run the ./check_ldap command and then use CTRL+C to stop it. The output.pcap file will contain sensitive info so PM it to me or attach it to a new ticket at https://support.nagios.com/tickets/.

Hi cdienger,

I've sent you the output file. Please find it in your PM inbox.

Thanks & Regards
Hoegh.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP Monitoring in Nagios

Post by cdienger »

The ldap server is responding with an "insufficientAccessRights" message. Either the ldap server needs to be configured to allow these requests or you can try binding to the directory using credentials of a user with the rights. For example:

./check_ldap -H 10.202.24.48 -b "cn=AzureAD,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" -W 0 -a cn=AzureAD -v -D cn=admin,cn=users,cn=IDM,cn=Monitor -P adminspassword
hoegh
Posts: 201
Joined: Thu Jan 04, 2018 7:48 am

Re: LDAP Monitoring in Nagios

Post by hoegh »

Hi Cdienger,

I tried the command below with a user, nagioschecker, which can only read the attributes of the driverset and the drivers underneath it. The command below was suggested by the person who is handling the LDAP drivers.

check_dxml_drvstate --server oslsec016 --username "nagioschecker" --password "***********" --driver "cn=Active Directory,cn=drivers,cn=driverSet_Stats,cn=IDM,cn=Monitor" --tree "LHC" 
Driver Active Directory.drivers.driverSet_Stats.IDM.Monitor is STARTING...

Also, I've sent you the output.pcap file (in PM), which I generated during execution of the above command.
Please check & help us to monitor LDAP drivers in Nagios.

Thanks & Regards
VipiN
Hoegh
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: LDAP Monitoring in Nagios

Post by cdienger »

If the capture was taken when the check_dxml_drvstate plugin was run, I would have to question if it is actually doing checks properly. The capture shows the client establishes a tcp connection and then immediately terminates it - no ldap communication is captured.
Locked
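
The two capture findings in this thread (a search answered with "insufficientAccessRights", and a connection that carried no LDAP messages at all) can be reproduced offline by decoding the BER-encoded result messages in the server-to-client payload. This is an added example, not code from the thread or from Nagios; the function names are hypothetical, the byte string is a constructed sample rather than the poster's capture, and it assumes cleartext LDAP on port 389 with the TCP payload already reassembled.

```python
RESULT_NAMES = {0: "success", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}
RESULT_OPS = {0x61: "BindResponse", 0x65: "SearchResultDone"}  # ops carrying an LDAPResult

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def ldap_results(stream):
    """List (messageID, operation, code, name) for every result message in stream."""
    results, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage SEQUENCE (TLS or non-LDAP data?)")
        _, msg_id, op_pos = read_tlv(msg, 0)
        op_tag, op, _ = read_tlv(msg, op_pos)
        if op_tag in RESULT_OPS:  # SearchResultEntry etc. carry no result code
            _, code, _ = read_tlv(op, 0)  # first field: resultCode ENUMERATED
            code = int.from_bytes(code, "big")
            results.append((int.from_bytes(msg_id, "big"), RESULT_OPS[op_tag],
                            code, RESULT_NAMES.get(code, "other")))
    return results

def diagnose(stream):
    """One-line verdict for one connection's server-to-client payload."""
    if not stream:
        return "no LDAP messages on the wire"
    failed = [r for r in ldap_results(stream) if r[2] != 0]
    if not failed:
        return "all operations succeeded"
    msg_id, op, code, name = failed[0]
    return f"{op} (messageID {msg_id}) failed: {name} ({code})"

# Constructed sample (not from the thread's capture): anonymous bind accepted, search refused.
SAMPLE = bytes.fromhex("300c02010161070a010004000400" "300c02010265070a013204000400")
print(diagnose(SAMPLE))
```

An empty payload, as in the check_dxml_drvstate capture described in the last reply, yields the "no LDAP messages on the wire" verdict, which points at the plugin or its transport rather than at directory permissions.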