Univention Bugzilla – Bug 41213
add "monitor" backend for statistical information
Last modified: 2019-02-27 13:29:04 CET
OpenLDAP provides a default plugin to get some statistical information that can be useful for performance monitoring, statistics and debugging. It can be enabled by adding the following lines to the slapd.conf:

    moduleload back_monitor.so
    database monitor

Furthermore there should be additional ACLs for the now available root DN "cn=monitor". See "man slapd-monitor" for details. This was requested by a customer who wants to use it combined with "collectd".
There is a Customer ID set so I set the flag "Enterprise Customer affected".
There is a patch against univention-ldap in a customer scope to make this configurable.
Ok the addition for univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database looks something like this:

    # Python 2 UCR template fragment; configRegistry is provided by the template engine
    if configRegistry.is_true('ldap/monitor', False):
        print "database\tmonitor"
        print ''
        print 'access to dn.subtree="cn=monitor"'
        print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry
        print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
        print '\tby * none stop'
        print ''
(In reply to Arvid Requate from comment #3)

> if configRegistry.is_true('ldap/monitor', False):
>
>     print "database\tmonitor"
>     print ''
>     print 'access to dn.subtree="cn=monitor"'
>     print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry

Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?

>     print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
>     print '\tby * none stop'

Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible).
> Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?

Only if you explicitly specify this with the "rootdn" directive per database. See also Bug #32015.

> Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible).

May be a good idea, could you discuss the details / implications with Julia? She's put the cn=monitor config into a separate subfile, so you are right, a project could extend the ACLs for this.
(In reply to Arvid Requate from comment #5)

> > Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?
>
> Only if you explicitly specify this with the "rootdn" directive per database.
> See also Bug #32015.

Okay :-)

> > Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible).
>
> May be a good idea, could you discuss the details / implications with Julia?
> She's put the cn=monitor config into a separate subfile, so you are right, a
> project could extend the ACLs for this.

Okay, we discussed it and came to the conclusion that it would be best to use the "+0 break" style. If no other ACL is defined, everyone except cn=admin and Domain Admins has no read/write/etc. permissions.
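The difference between closing the cn=monitor directive with "by * none stop" and with "by * +0 break", which the thread settles on, can be shown by stepping through slapd's ACL evaluation rules. The following Python is an added example, not code from this bug or from univention-ldap: it models only the parts of slapd.access(5) needed here (directives tried in order, first matching "by" clause, the stop/continue/break control words, the incremental "+0" spec and the implicit "by * none" at the end of a directive), leaves out the rootdn bypass and the global default policy, and uses a constructed base DN dc=example,dc=com plus a hypothetical project-specific group cn=monitoring that a subfile might add later.

```python
# Simplified model of slapd access-control evaluation (slapd.access(5)).
# Added example; not code from the bug or from univention-ldap.
# Directives are tried in order; in a directive whose <what> matches, <by>
# clauses are tried in order and the first matching one updates the mask,
# then its control word decides: stop -> done, continue -> keep trying this
# directive's clauses, break -> go on to the next directive (mask is kept).
# Falling off the end of a directive hits the implicit "by * none".
# Not modelled: rootdn bypass, global default policy, attribute scopes.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Subject = Dict[str, object]  # {"dn": bound DN ('' = anonymous), "groups": set of group DNs}

# Cumulative privilege levels of slapd.access(5) expressed as privilege letters
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
    "search": "dxcs", "read": "dxcsr", "write": "dxcsrw", "manage": "dxcsrwm",
}


@dataclass
class By:
    who: Callable[[Subject], bool]
    access: str            # level ("read") or incremental spec ("+0", "-w", "=r")
    control: str = "stop"  # stop | continue | break


@dataclass
class Access:
    what: Callable[[str], bool]  # predicate on the target DN
    by: List[By]


def apply_access(mask: Set[str], access: str) -> Set[str]:
    """Apply one <access> spec to the current privilege mask."""
    if access[0] in "+-=":
        privs = set(access[1:]) - {"0"}  # "0" stands for no privilege at all
        if access[0] == "+":
            return mask | privs
        if access[0] == "-":
            return mask - privs
        return privs
    return set(LEVELS[access])


def evaluate(directives: List[Access], target_dn: str, subject: Subject) -> Set[str]:
    """Return the privilege letters the subject ends up with on target_dn."""
    mask: Set[str] = set()
    for directive in directives:
        if not directive.what(target_dn):
            continue
        for clause in directive.by:
            if not clause.who(subject):
                continue
            mask = apply_access(mask, clause.access)
            if clause.control == "stop":
                return mask
            if clause.control == "break":
                break  # next directive, mask is kept
            # "continue": keep trying this directive's remaining clauses
        else:
            return set()  # implicit "by * none" of this directive
    return mask


def in_monitor_subtree(dn: str) -> bool:
    return dn == "cn=monitor" or dn.endswith(",cn=monitor")


def monitor_acl(base: str, admins_group: str, last: By) -> Access:
    """The cn=monitor directive from comment 3, with a configurable last clause."""
    return Access(in_monitor_subtree, [
        By(lambda s: s["dn"] == f"cn=admin,{base}", "read"),
        By(lambda s: f"cn={admins_group},cn=groups,{base}" in s["groups"], "read"),
        last,
    ])


def compare_styles(base: str = "dc=example,dc=com") -> Dict[str, Dict[str, Set[str]]]:
    """Evaluate three subjects against both closing-clause styles, each followed by
    a hypothetical project-specific directive (constructed for this example) that
    grants read on cn=monitor to members of cn=monitoring."""
    anyone = lambda s: True  # the "*" in "by *"
    styles = {"none stop": By(anyone, "none", "stop"), "+0 break": By(anyone, "+0", "break")}
    extension = Access(in_monitor_subtree, [
        By(lambda s: f"cn=monitoring,cn=groups,{base}" in s["groups"], "read"),
    ])
    subjects = {
        "cn=admin": {"dn": f"cn=admin,{base}", "groups": set()},
        "monitoring member": {"dn": f"uid=collectd,cn=users,{base}",
                              "groups": {f"cn=monitoring,cn=groups,{base}"}},
        "anonymous": {"dn": "", "groups": set()},
    }
    return {
        style: {name: evaluate([monitor_acl(base, "Domain Admins", last), extension],
                               "cn=monitor", subject)
                for name, subject in subjects.items()}
        for style, last in styles.items()
    }


if __name__ == "__main__":
    for style, results in compare_styles().items():
        print(f'closing clause "by * {style}":')
        for name, privs in results.items():
            print(f"  {name:18} -> {''.join(sorted(privs)) or 'none'}")
```

With "none stop" the third clause matches every remaining subject and ends evaluation with an empty mask, so a directive added later in a separate subfile is never reached; with "+0 break" the mask is left untouched and evaluation falls through to the next directive, which is exactly what makes the separate-subfile layout extensible. Subjects that no later directive grants anything to still end up with no privileges, matching the conclusion in comment 7.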
b05893915d Bug #41213: yaml
fdcf18ee12 Bug #41213: Changed access to cn=monitor
f8264071d0 Bug #41213: YAML
faea5054f9 Bug #41213: cn=monitor

Successful build
Package: univention-ldap
Version: 14.0.2-43A~4.3.0.201902201212
Branch: ucs_4.3-0
Scope: errata4.3-3
User: jbremer

40a14ff80c Bug #41213: Merge branch 'jbremer/bug41213' into 4.4-0
Ok, this works. I've adjusted the Advisory a bit:

d311faf156 | Advisory wording
Ah, could you please also add a description for the variable to debian/univention-ldap-server.univention-config-registry-variables ?
fc203e1458 Bug #41213: Merge branch 'jbremer/bug41213' into 4.3-3
aad4d04f2a Bug #41213: yaml
9f0b54ca6d Bug #41213: Custom groupname for domain-admins and variable description

Successful build
Package: univention-ldap
Version: 14.0.2-44A~4.3.0.201902211216
Branch: ucs_4.3-0
Scope: errata4.3-3
Ok, works, I adjusted the wording a bit to match my taste.

264b486492 | Adjust variable description wording for ldap/monitor (4.3-3)
d751e133c1 | Advisory version update
a540b92a33 | Adjust variable description wording for ldap/monitor (4.4-0)

Anyone interested in the details of cn=monitor may check the link in the URL field of this bug.
<http://errata.software-univention.de/ucs/4.3/444.html>