OpenDJ 6: Monitoring the backend

This topic has 6 replies, 3 voices, and was last updated 3 years, 8 months ago by dom.



    Did a cursory search of the topics, but didn’t find anything on this. Our FR env build is done via automation and one of our steps is to check if the DJ backend is online. We were on DJ 3.5 where the command was:

    ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "cn=ssousers Backend,cn=monitor" -s sub "(objectClass=*)"

    This returned:

    dn: cn=userRoot Backend,cn=monitor
    objectClass: top
    objectClass: ds-monitor-entry
    objectClass: ds-backend-monitor-entry
    ds-backend-id: userRoot
    ds-backend-base-dn: dc=ourDomain,dc=com
    ds-backend-is-private: false
    ds-backend-entry-count: 14
    ds-base-dn-entry-count: 14 dc=ourDomain,dc=com
    ds-backend-writability-mode: enabled
    cn: userRoot Backend

    In updating our automation to deploy DJ 6, I found that the above command no longer worked. And this is despite the fact that this article claims it should work for “All Versions”:

    I believe that article is out of date / incorrect. In DJ 6 (at a minimum, not sure about DJ 5/5.5) the baseDN “cn=userRoot Backend,cn=monitor” no longer exists and hence the above command fails. And in fact the resulting message, according to the above article, would have you believe that your backend is offline:

    SEARCH operation failed
    Result Code: 32 (No Such Entry)
    Additional Information: Entry cn=userRoot Backend,cn=monitor does not exist in the monitor backend
    Matched DN: cn=monitor

    In DJ 6 (at least), the new baseDN for the command should be: “ds-cfg-backend-id=userRoot,cn=backends,cn=monitor”

    And the final ldapsearch command to check that the backend is online:

    ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "ds-cfg-backend-id=userRoot,cn=backends,cn=monitor" -s sub "(objectClass=*)"

    Please, please do correct me if I’m wrong here and show me how/where. If I am correct, pretty please update your KB article:


    Bad copy/paste for the original DJ 3.5 ldapsearch command at the top of my post…

    It should be:
    ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "cn=userRoot Backend,cn=monitor" -s sub "(objectClass=*)"

     Bill Nelson

    Well, since you said “pretty please”….

    DS 6.0 introduced a new “Monitoring User” concept where the user requesting monitoring data needs to have the monitor-read privilege. See the 6.0 Release Notes, Section 1.1 New Features (under the Monitoring section). You can also look at the DS Setup instructions in the DS 6 Installation Guide where it discusses how to create this user during installation.

    This is all fine and dandy until they change it again. Of course, you could just sign up for an account with RockMon (our monitoring, analytics, and advice platform for ForgeRock products) and get a wealth of information not available from cn=monitor.


    Hey, thanks for the reply, but I’m not sure I follow. Read privileges to the monitoring data don’t seem to be the problem. I’m not getting any kind of access denied error. The problem is that the baseDN changed from “cn=userRoot Backend,cn=monitor” to “ds-cfg-backend-id=userRoot,cn=backends,cn=monitor”.


    Oh…just saw in my email…Got a message from Dom Reed. For some reason he didn’t post here. Here is his message:

    Hi Matthew

    Thank you for your feedback. You are correct, this has changed in DS 6. Apologies this was missed when I updated articles for DS 6 – I have updated it now and republished. I will also update any related articles.

    Many thanks


    And Dom…thanks for getting that KB article updated so fast! Looks perfect! Cheers.


    Thanks for the confirmation.. and the feedback, always appreciated :)
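
Added example (not part of the thread and not ForgeRock code): a health probe for automation that tries both monitor base DNs quoted above and reports result code 32 separately from connection or bind failures, so a DN layout change is not silently read as a dead server. The DJ_* variable names and function names are assumptions of this sketch; `-j` is the OpenDJ ldapsearch bind-password-file option, used in place of the thread's `-w` so the password does not appear in the process list.

```shell
#!/bin/sh
# Added example. DJ_HOST, DJ_PORT, DJ_BIND_DN, DJ_PW_FILE are hypothetical
# variable names supplied by the calling automation.

# Classify one ldapsearch run: found | no_such_entry | error
# $1 = exit status, $2 = combined stdout/stderr
classify() {
  if [ "$1" -eq 0 ] && printf '%s\n' "$2" | grep -q '^dn: '; then
    echo found
  elif [ "$1" -eq 32 ] || printf '%s\n' "$2" | grep -q 'Result Code: 32'; then
    echo no_such_entry
  else
    echo error
  fi
}

# Probe the DS 6 layout first, then the DJ 3.5 layout.
# Prints "online <dn>", "not_found", or "error rc=<n>".
# $1 = backend id, e.g. userRoot
check_backend() {
  for dn in "ds-cfg-backend-id=$1,cn=backends,cn=monitor" \
            "cn=$1 Backend,cn=monitor"; do
    # "&& ... ||" keeps the exit status without tripping "set -e" callers.
    out=$(ldapsearch -h "$DJ_HOST" -p "$DJ_PORT" -D "$DJ_BIND_DN" \
            -j "$DJ_PW_FILE" -b "$dn" -s sub "(objectClass=*)" 2>&1) \
      && rc=0 || rc=$?
    case $(classify "$rc" "$out") in
      found)         echo "online $dn"; return 0 ;;
      no_such_entry) continue ;;            # try the other DN layout
      *)             echo "error rc=$rc"; return 2 ;;
    esac
  done
  # Neither layout has a monitor entry for this backend id.
  echo "not_found"
  return 3
}

# Run only when connection settings are present in the environment.
if [ -n "${DJ_HOST:-}" ]; then
  check_backend "${1:-userRoot}"
fi
```

A `not_found` result means no monitor entry exists under either layout; treat it as a failed health check, but log it distinctly from `error` so a future DN change shows up as such.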
