Not many people run public-facing LDAP (Lightweight Directory Access Protocol) servers, but if you do, we can help you keep tabs on the availability and performance of your LDAP services, as seen by our monitoring stations worldwide.
In this post I’ll explain how to set up an LDAP monitor in your account. Beware, this is not for the faint of heart! If you have never encountered an LDAP server, or do not know the access parameters of your organisation’s LDAP service, this post is not for you… Okay, here we go!
Setting up an LDAP monitor
First, check that your LDAP server is indeed public-facing, i.e. that it can be reached over the Internet. It may be secured with a user name and password, and only accessible over SSL, but it should be reachable from our monitoring stations, or at least the ones you select for the monitoring of your server.
Then go to your monitoring settings, add a new monitor, and select ldap as its type. Then click on expert mode and fill out the following fields:
- Host: The host name of the server
- Port: The TCP port where the LDAP service is listening, typically 389, or 636 with SSL.
- Path: The key to the information you want to retrieve. See below.
- Encryption: SSL or none.
- User name: If your LDAP server is only available to registered users, specify the account here. Note that this will probably be an LDAP path too, for example: cn=stan,ou=mt,dc=watchmouse,dc=com
- Password: The password associated with the user name.
- Match string: optionally a string (or regular expression, when enclosed in /-signs) to use to verify the output of the LDAP query.
Optionally you may want to change timing settings, IPv6 preference, interval, certificate checks, etc.
Now the path is a bit complex, as it is composed of four parts, separated by question marks.
/base_dn?attributes?scope?filter
Here we follow the LDAP URL Format (RFC2255):
- base_dn: Distinguished name (DN) of an entry in the directory. This DN identifies the entry that is the starting point of the search. If no base DN is specified, the search starts at the root of the directory tree.
- attributes: The attributes to be returned. To specify more than one attribute, use commas to separate the attributes (for example, "cn,mail,telephoneNumber"). If no attributes are specified in the URL, all attributes are returned.
- scope: The scope of the search, which can be base, one, or sub. If no scope is specified, the server performs a base search.
  - base retrieves information about the distinguished name (base_dn) specified in the URL only.
  - one retrieves information about entries one level below the distinguished name (base_dn) specified in the URL. The base entry is not included in this scope.
  - sub retrieves information about entries at all levels below the distinguished name (base_dn) specified in the URL. The base entry is included in this scope.
- filter: Search filter to apply to entries within the specified scope of the search.
An LDAP example
Host ldap.itd.umich.edu and path dc=umich,dc=edu?uid,cn?sub?uid=mcs
This path indicates that the search starts at dc=umich,dc=edu, that only the UID and CN attributes are retrieved, that all levels below the start node are searched (sub), and that only the nodes with uid equal to ‘mcs’ are returned. Finally, we check if the string “Mark Christo Smith” is in the results.
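The path format and match string described above, as an added example in Python (not part of the original post and not the monitoring service's own code): it splits the example path into its four parts, applies the defaults listed above, and flags paths that pull more directory data than the check needs. The function names are hypothetical, percent-decoding of the parts is an assumption taken from the LDAP URL format, and the sample output is constructed.

```python
import re
from typing import NamedTuple
from urllib.parse import unquote

VALID_SCOPES = ("base", "one", "sub")

class LdapQuery(NamedTuple):
    base_dn: str        # "" means the search starts at the root of the tree
    attributes: tuple   # () means all attributes are returned
    scope: str          # base, one or sub
    filter: str         # "" means no filter was given

def parse_monitor_path(path: str) -> LdapQuery:
    """Split /base_dn?attributes?scope?filter and apply the stated defaults."""
    parts = path.lstrip("/").split("?")
    if len(parts) > 4:
        raise ValueError("expected at most four '?'-separated parts")
    parts += [""] * (4 - len(parts))        # missing trailing parts are empty
    base_dn, attrs, scope, flt = (unquote(p) for p in parts)  # assumption: %-decoding
    scope = scope.lower() or "base"         # no scope given: base search
    if scope not in VALID_SCOPES:
        raise ValueError(f"scope must be one of {VALID_SCOPES}, got {scope!r}")
    attributes = tuple(a.strip() for a in attrs.split(",") if a.strip())
    return LdapQuery(base_dn, attributes, scope, flt)

def broad_query_warnings(q: LdapQuery) -> list:
    """Flag paths that make the monitor pull more directory data than it needs."""
    warnings = []
    if not q.attributes:
        warnings.append("no attributes listed: all attributes are returned")
    if q.scope == "sub" and not q.filter:
        warnings.append("sub scope without a filter: every entry below base_dn")
    return warnings

def output_matches(match_string: str, output: str) -> bool:
    """Plain substring test, or a regex search when wrapped in /-signs."""
    if not match_string:
        return True                         # the match string is optional
    if len(match_string) >= 2 and match_string[0] == match_string[-1] == "/":
        return re.search(match_string[1:-1], output) is not None
    return match_string in output

if __name__ == "__main__":
    query = parse_monitor_path("dc=umich,dc=edu?uid,cn?sub?uid=mcs")
    print(query, broad_query_warnings(query))
    # Constructed sample output, standing in for what the query might return.
    sample = "uid: mcs\ncn: Mark Christo Smith\n"
    print(output_matches("Mark Christo Smith", sample))
    print(output_matches(r"/cn: Mark\s+\w+\s+Smith/", sample))
```

An empty warning list for a path means it names its attributes and narrows the search, which keeps the monitor's results (and anything logged from them) limited to what the match string actually needs.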
Are you still with us? Good! Now try to set up a monitor for your own LDAP server. And while you set it all up, why not add this new monitor you created to your Public Status Page and share the status of your server with your visitors? Transparency is the new trend!
Hope you enjoyed this post, and if you have any problems setting up a monitor for your LDAP service, just open a ticket at the helpdesk, and we’ll follow up immediately.
- Stan