Bug 41213 - add "monitor" backend for statistical information
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.3
Other Linux
: P5 enhancement
: UCS 4.3-3-errata
Assigned To: Julia Bremer
Arvid Requate
https://www.openldap.org/doc/admin24/...
Depends on:
Blocks:
Reported: 2016-05-06 15:53 CEST by Ingo Steuwer
Modified: 2019-02-27 13:29 CET (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+
Description Ingo Steuwer univentionstaff 2016-05-06 15:53:56 CEST
OpenLDAP provides a default plugin to get some statistical information that can be useful for performance monitoring, statistics and debugging.

It can be enabled by adding the following lines in the slapd.conf:

moduleload      back_monitor.so
database monitor

Furthermore there should be additional ACLs for the now available root DN "cn=monitor". See "man slapd-monitor" for details.


This was requested by a customer who wants to use it combined with "collectd".
Comment 1 Florian Best univentionstaff 2017-06-28 14:52:21 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 2 Ingo Steuwer univentionstaff 2018-10-23 16:27:35 CEST
There is a patch against univention-ldap in a customer scope to make this configurable.
Comment 3 Arvid Requate univentionstaff 2018-11-29 18:17:25 CET
Ok the addition for

univention-ldap/conffiles/etc/ldap/slapd.conf.d/40univention-ldap-server_database

looks something like this:


if configRegistry.is_true('ldap/monitor', False):
       print "database\tmonitor"
       print ''
       print 'access to dn.subtree="cn=monitor"'
       print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry
       print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
       print '\tby * none stop'
       print ''
Comment 4 Florian Best univentionstaff 2019-02-19 17:52:01 CET
(In reply to Arvid Requate from comment #3)
> if configRegistry.is_true('ldap/monitor', False):
> 
>        print "database\tmonitor"
>        print ''
>        print 'access to dn.subtree="cn=monitor"'
>        print '\tby dn.base="cn=admin,%(ldap/base)s" read' % configRegistry
Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?

>        print '\tby group/univentionGroup/uniqueMember="cn=Domain Admins,cn=groups,%(ldap/base)s" read' % configRegistry
>        print '\tby * none stop'
Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible).
Comment 5 Arvid Requate univentionstaff 2019-02-20 11:18:28 CET
> Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?

Only if you explicitly specify this with the "rootdn" directive per database.
See also Bug #32015.


> Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible).

Maybe a good idea, could you discuss the details / implications with Julia? She's put the cn=monitor config into a separate subfile, so you are right, a project could extend the ACLs for this.
Comment 6 Florian Best univentionstaff 2019-02-20 11:57:33 CET
(In reply to Arvid Requate from comment #5)
> > Isn't cn=admin the rootdn and always permitted to do everything? Or is cn=admin only the rootdn for the regular ldap database?
> 
> Only if you explicitly specify this with the "rootdn" directive per database.
> See also Bug #32015.
Okay :-)

> > Shouldn't this be better: "by * +0 break" ? (Not sure, but otherwise it doesn't look very extensible).
> 
> May be a good idea, could you discuss the details / implications with Julia?
> She's put the cn=monitor config into a separate subfile, so you are right, a
> project could extend the ACLs for this.
Okay, we discussed it and came to the conclusion that it would be best to use the "+0 break" style. If no other ACL is defined, no one except cn=admin and Domain Admins has read/write/etc. permissions.
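The difference between the catch-all clause from comment 3 ("by * none stop") and the one agreed on in comment 6 ("by * +0 break") is easiest to see by running both through a small model of slapd's ACL evaluation. The following Python is an added example, not code from this bug or from the univention-ldap package. It is a simplified approximation of slapd.access(5): the <who> part is "*", an exact DN or "group:<group DN>"; the level is a named level or the incremental "+0"; the control is "stop" or "break". The base DN, the cn=collectd account and the "project extension" directive are constructed sample values.

```python
# Added example (not from the bug or from univention-ldap): a simplified model of
# how slapd walks 'access to' directives, used to compare the catch-all clauses
# 'by * none stop' (comment 3) and 'by * +0 break' (comment 6).
from dataclasses import dataclass

# Privilege levels in increasing order (simplified from slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str               # "*", an exact DN, or "group:<DN>" (group membership)
    level: str             # e.g. "read", "none", or incremental "+0"
    control: str = "stop"  # "stop" (slapd default) or "break"


@dataclass
class Access:
    subtree: str           # DN whose subtree this directive protects
    by: list               # ordered <by> clauses


def _in_subtree(target, subtree):
    t, s = target.lower(), subtree.lower()
    return t == s or t.endswith("," + s)


def _who_matches(who, requester_dn, requester_groups):
    if who == "*":
        return True
    if who.startswith("group:"):
        return who[len("group:"):].lower() in {g.lower() for g in requester_groups}
    return who.lower() == requester_dn.lower()


def evaluate(directives, requester_dn, requester_groups, target):
    """Return the level name the requester ends up with on target."""
    current = 0            # accumulated privilege, starting at 'none'
    matched_any = False
    for d in directives:
        if not _in_subtree(target, d.subtree):
            continue
        matched_any = True
        clause = next((b for b in d.by
                       if _who_matches(b.who, requester_dn, requester_groups)), None)
        if clause is None:
            return "none"  # implicit 'by * none' when no <by> clause matches
        if clause.level.startswith("+"):
            # incremental form: '+0' adds nothing, '+read' raises to read, etc.
            extra = clause.level[1:]
            if extra != "0":
                current = max(current, LEVELS.index(extra))
        else:
            current = LEVELS.index(clause.level)
        if clause.control == "stop":
            return LEVELS[current]
        # 'break': keep the accumulated level and go on with the next directive
    # Assumption of this model: the accumulated level stands when the last
    # matching directive ended with 'break'; with no matching directive at all
    # slapd's default access (read) applies.
    return LEVELS[current] if matched_any else "read"


BASE = "dc=example,dc=com"                      # constructed sample base DN
ADMIN = "cn=admin," + BASE
DOMAIN_ADMINS = "cn=Domain Admins,cn=groups," + BASE
COLLECTD = "cn=collectd,cn=users," + BASE       # hypothetical monitoring account


def ucs_monitor_directive(catch_all):
    """The cn=monitor ACL in the shape of comment 3, with a chosen catch-all clause."""
    return Access("cn=monitor", [By(ADMIN, "read"),
                                 By("group:" + DOMAIN_ADMINS, "read"),
                                 catch_all])


# Hypothetical later subfile a project might add to grant collectd read access.
PROJECT_EXTENSION = Access("cn=monitor", [By(COLLECTD, "read")])


def compare_styles(with_extension=True):
    """Access level on cn=monitor under both catch-all styles, per requester."""
    styles = {"none stop": By("*", "none", "stop"), "+0 break": By("*", "+0", "break")}
    requesters = {
        "admin": (ADMIN, set()),
        "domain admin": ("cn=alice,cn=users," + BASE, {DOMAIN_ADMINS}),
        "collectd": (COLLECTD, set()),
        "anonymous": ("", set()),
    }
    out = {}
    for name, catch_all in styles.items():
        directives = [ucs_monitor_directive(catch_all)]
        if with_extension:
            directives.append(PROJECT_EXTENSION)
        out[name] = {label: evaluate(directives, dn, groups, "cn=Connections,cn=monitor")
                     for label, (dn, groups) in requesters.items()}
    return out


if __name__ == "__main__":
    for style, levels in compare_styles().items():
        print(style, levels)
```

With "none stop" the extension directive is never reached, so the collectd account stays at "none" no matter what a later subfile says; with "+0 break" the first directive adds nothing for "*" and falls through, so the extension can grant read to collectd while anonymous requesters still end at "none". Without any extension both styles leave everyone except cn=admin and Domain Admins at "none", which is the behaviour stated above.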
Comment 7 Julia Bremer univentionstaff 2019-02-20 12:59:25 CET
b05893915d Bug #41213: yaml
fdcf18ee12 Bug #41213: Changed access to cn=monitor
f8264071d0 Bug #41213: YAML
faea5054f9 Bug #41213: cn=monitor

Successful build
Package: univention-ldap
Version: 14.0.2-43A~4.3.0.201902201212
Branch: ucs_4.3-0
Scope: errata4.3-3
User: jbremer

40a14ff80c Bug #41213: Merge branch 'jbremer/bug41213' into 4.4-0
Comment 8 Arvid Requate univentionstaff 2019-02-20 17:12:54 CET
Ok, this works.

I've adjusted the Advisory a bit: d311faf156 | Advisory wording
Comment 9 Arvid Requate univentionstaff 2019-02-20 17:23:08 CET
Ah, could you please also add a description for the variable to

debian/univention-ldap-server.univention-config-registry-variables ?
Comment 10 Julia Bremer univentionstaff 2019-02-21 13:02:13 CET
fc203e1458 Bug #41213: Merge branch 'jbremer/bug41213' into 4.3-3
aad4d04f2a Bug #41213: yaml
9f0b54ca6d Bug #41213: Custom groupname for domain-admins and variable description


Successful build
Package: univention-ldap
Version: 14.0.2-44A~4.3.0.201902211216
Branch: ucs_4.3-0
Scope: errata4.3-3
Comment 11 Arvid Requate univentionstaff 2019-02-21 15:57:15 CET
Ok, works, I adjusted the wording a bit to match my taste.

264b486492 | Adjust variable description wording for ldap/monitor (4.3-3)
d751e133c1 | Advisory version update
a540b92a33 | Adjust variable description wording for ldap/monitor (4.4-0)

Anyone interested in the details of cn=monitor may check the link in the URL field of this bug.
Comment 12 Arvid Requate univentionstaff 2019-02-27 13:29:04 CET
<http://errata.software-univention.de/ucs/4.3/444.html>