Search Exchange
Search All Sites
Nagios Live Webinars
Let our experts show you how Nagios can help your organization.Login
Directory Tree
Check eDirectory LDAP Statistics
2009-12-11
101671
File | Description |
---|---|
check_edir_ldap_stats.sh | version 1.1 |
_check_edir_ldap_stats(1).sh | Version 1.2 |
Meet The New Nagios Core Services Platform
Built on over 25 years of monitoring experience, the Nagios Core Services Platform provides insightful monitoring dashboards, time-saving monitoring wizards, and unmatched ease of use. Use it for free indefinitely.
Monitoring Made Magically Better
- Nagios Core on Overdrive
- Powerful Monitoring Dashboards
- Time-Saving Configuration Wizards
- Open Source Powered Monitoring On Steroids
- And So Much More!
**Description:**
This check program queries the ldap server for it's ldap statistics and compares those values against them from the last run. It uses timestamps to calculate the number of searches / erros per second and if the number of searches or errors exceeds the warning or critical limit a matching output is written and the exitcode is set.
This program was tested with Novell eDirectory>= 8.7.3
When the ldap server is reloaded the counters I use are set back to zero I check that and then just create a new history file for the next run.
**Usage:** ./check_edir_ldap_stats.sh -options-
Options:
|| -H host || host name to check || default: localhost ||
|| -P port || port number, 389 for ldap, 636 for ldaps or any other port || default: 636 ||
|| -T ldap_type || ldap protocol, ldap or ldaps || default: ldaps ||
|| -w warn || number of ldap searches per second since last check to produce a warning state || default: 50 ||
|| -c crit || number of ldap searches per second since last check to produce a critical state || default: 100 ||
|| -u user || ldap bind user, if empty anonymous bind is tried || default: empty, anonymous bind ||
|| -p passw || password of the ldap bind user || default: empty ||
**Requirements:**
The openldap2-client package must be installed and the ldapsearch
command accessible through the search path of the user.
**Sample:**
Command: ./check_edir_ldap_stats.sh -H srv01 -P 636 -T ldaps -w 50 -c 100
First run produces the following output:
//**Script started the first time, writing just the history file /tmp/ldap_history.tmp**//
and this are the contents of the /tmp/ldap_history.tmp:
TIME: 1192464864
wholeSubtreeSearchOps: 1264376
oneLevelSearchOps: 575343
searchOps: 7017481
errors: 1141
securityErrors: 1175
The second run now compares those values against the current values and if any one of this values exceeds the warning or critical value, it is reported.
//**LDAPSTATS CRITICAL: wholeSubtreeSearchOps: 160 oneLevelSearchOps: 130 searchOps: 531 errors: 0 securityErrors: 0 - warn: 100 crit: 50**//
The output of the check program then just shows the difference between the first and the second run. So there were 160 subtree searches per second, 130 one level searches per second, ... during the last run.
**Changelog:**
version 1.0 - initial release
version 1.1 - changed the name of the logfiles to contain the ldap hostname so more then one ldap server can be monitored. Thanks to AIX5L fort this hint !
This check program queries the ldap server for it's ldap statistics and compares those values against them from the last run. It uses timestamps to calculate the number of searches / erros per second and if the number of searches or errors exceeds the warning or critical limit a matching output is written and the exitcode is set.
This program was tested with Novell eDirectory>= 8.7.3
When the ldap server is reloaded the counters I use are set back to zero I check that and then just create a new history file for the next run.
**Usage:** ./check_edir_ldap_stats.sh -options-
Options:
|| -H host || host name to check || default: localhost ||
|| -P port || port number, 389 for ldap, 636 for ldaps or any other port || default: 636 ||
|| -T ldap_type || ldap protocol, ldap or ldaps || default: ldaps ||
|| -w warn || number of ldap searches per second since last check to produce a warning state || default: 50 ||
|| -c crit || number of ldap searches per second since last check to produce a critical state || default: 100 ||
|| -u user || ldap bind user, if empty anonymous bind is tried || default: empty, anonymous bind ||
|| -p passw || password of the ldap bind user || default: empty ||
**Requirements:**
The openldap2-client package must be installed and the ldapsearch
command accessible through the search path of the user.
**Sample:**
Command: ./check_edir_ldap_stats.sh -H srv01 -P 636 -T ldaps -w 50 -c 100
First run produces the following output:
//**Script started the first time, writing just the history file /tmp/ldap_history.tmp**//
and this are the contents of the /tmp/ldap_history.tmp:
TIME: 1192464864
wholeSubtreeSearchOps: 1264376
oneLevelSearchOps: 575343
searchOps: 7017481
errors: 1141
securityErrors: 1175
The second run now compares those values against the current values and if any one of this values exceeds the warning or critical value, it is reported.
//**LDAPSTATS CRITICAL: wholeSubtreeSearchOps: 160 oneLevelSearchOps: 130 searchOps: 531 errors: 0 securityErrors: 0 - warn: 100 crit: 50**//
The output of the check program then just shows the difference between the first and the second run. So there were 160 subtree searches per second, 130 one level searches per second, ... during the last run.
**Changelog:**
version 1.0 - initial release
version 1.1 - changed the name of the logfiles to contain the ldap hostname so more then one ldap server can be monitored. Thanks to AIX5L fort this hint !
Reviews (1)
byJMM_91548, November 7, 2012
There is an error in the sript which isn't able to use an authenticated connection.
If USER (-u) and PASS (-p) are provided, they aren't used in the ldapsearch generated command and the connection is still anonymous.
Suggestion
the LDAP query should be modified as follow:
# do the ldap query
if [ "${USER}" = "" ];
then
# maybe you need the -Z here if you have the simple authentication deactivated
ldapsearch -H ${TYPE}://${HOST}:${PORT} -x -b "" -s base ${LDAPATTR} >${TMPFILE} 2>${ERRFILE}
EXITCODE=$?
else
# maybe you need the -Z here if you have the simple authentication deactivated
ldapsearch -H ${TYPE}://${HOST}:${PORT} -x -b "" -s base ${LDAPATTR} -D ${USER} -w ${PASS} >${TMPFILE} 2>${ERRFILE}
EXITCODE=$?
fi
Best regards
Jean-Marc
If USER (-u) and PASS (-p) are provided, they aren't used in the ldapsearch generated command and the connection is still anonymous.
Suggestion
the LDAP query should be modified as follow:
# do the ldap query
if [ "${USER}" = "" ];
then
# maybe you need the -Z here if you have the simple authentication deactivated
ldapsearch -H ${TYPE}://${HOST}:${PORT} -x -b "" -s base ${LDAPATTR} >${TMPFILE} 2>${ERRFILE}
EXITCODE=$?
else
# maybe you need the -Z here if you have the simple authentication deactivated
ldapsearch -H ${TYPE}://${HOST}:${PORT} -x -b "" -s base ${LDAPATTR} -D ${USER} -w ${PASS} >${TMPFILE} 2>${ERRFILE}
EXITCODE=$?
fi
Best regards
Jean-Marc