January 31, 2019 at 4:29 pm #24649
Did a cursory search of the topics, but didn’t find anything on this. Our FR env build is done via automation and one of our steps is to check if the DJ backend is online. We were on DJ 3.5 where the command was:
ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "cn=ssousers Backend,cn=monitor" -s sub "(objectClass=*)"
dn: cn=userRoot Backend,cn=monitor
objectClass: top
objectClass: ds-monitor-entry
objectClass: ds-backend-monitor-entry
ds-backend-id: userRoot
ds-backend-base-dn: dc=ourDomain,dc=com
ds-backend-is-private: false
ds-backend-entry-count: 14
ds-base-dn-entry-count: 14 dc=ourDomain,dc=com
ds-backend-writability-mode: enabled
cn: userRoot Backend
In updating our automation to deploy DJ 6, I found that the above command no longer worked. And this is despite the fact that this article claims it should work for “All Versions”:
I believe that article is out of date / incorrect. In DJ 6 (at a minimum, not sure about DJ 5/5.5) the baseDN “cn=userRoot Backend,cn=monitor” no longer exists and hence the above command fails. And in fact the resulting message, according to the above article, would have you believe that your backend is offline:
SEARCH operation failed
Result Code: 32 (No Such Entry)
Additional Information: Entry cn=userRoot Backend,cn=monitor does not exist in the monitor backend
Matched DN: cn=monitor
In DJ 6 (at least), the new baseDN for the command should be: “ds-cfg-backend-id=userRoot,cn=backends,cn=monitor”
And the final ldapsearch command to check that the backend is online:
ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "ds-cfg-backend-id=userRoot,cn=backends,cn=monitor" -s sub "(objectClass=*)"
Please, please do correct me if I’m wrong here and show me how/where. If I am correct, pretty please update your KB article: https://backstage.forgerock.com/knowledge/kb/article/a91168317
January 31, 2019 at 5:28 pm #24650
Bad copy/paste for the original DJ 3.5 ldapsearch command at the top of my post…
It should be:
ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "cn=userRoot Backend,cn=monitor" -s sub "(objectClass=*)"
January 31, 2019 at 8:05 pm #24652 Bill Nelson Participant
Well, since you said “pretty please”….
DS 6.0 introduced a new “Monitoring User” concept where the user requesting monitoring data needs to have the monitor-read privilege. See the 6.0 Release Notes, Section 1.1 New Features (under the Monitoring section). You can also look at the DS Setup instructions in the DS 6 Installation Guide where it discusses how to create this user during installation.
This is all fine and dandy until they change it again. Of course, you could just sign up for an account with RockMon (our monitoring, analytics, and advice platform for ForgeRock products) and get a wealth of information not available from cn=monitor.
January 31, 2019 at 8:33 pm #24653
Hey, thanks for the reply, but I’m not sure I follow. Read privileges to the monitoring data doesn’t seem to be the problem. I’m not getting any kind of access denied error. The problem is that the baseDN changed from “cn=userRoot Backend,cn=monitor” to “ds-cfg-backend-id=userRoot,cn=backends,cn=monitor”.
January 31, 2019 at 8:35 pm #24654
Oh…just saw in my email…Got a message from Dom Reed. For some reason he didn’t post here. Here is his message:
Thank you for your feedback. You are correct, this has changed in DS 6. Apologies this was missed when I updated articles for DS 6 – I have updated it now and republished. I will also update any related articles.
Dom
January 31, 2019 at 9:15 pm #24657
And Dom…thanks for getting that KB article updated so fast! Looks perfect! Cheers.
February 1, 2019 at 11:02 am #24663 dom Participant
Thanks for the confirmation.. and the feedback, always appreciated :)
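Added example, not part of any post in this thread and not ForgeRock's code: a version-tolerant form of the backend check that tries the DS 6 base DN and then the DJ 3.5 one, and treats "Result Code: 32" as "entry absent at this DN" rather than "backend offline". The function names and the DS_HOST, DS_PORT and DS_PASSWORD variables are assumptions; the base DNs, the ldapsearch options and the error text are the ones quoted above.

```shell
#!/bin/sh
# Added example; names and DS_* variables are assumptions, not from the thread.

# classify_result <ldapsearch output>: prints found | no-such-entry | error
classify_result() {
  if printf '%s\n' "$1" | grep -q '^dn: '; then
    echo found                      # at least one monitor entry came back
  elif printf '%s\n' "$1" | grep -q 'Result Code: 32 '; then
    echo no-such-entry              # base DN absent: wrong layout, not proof of "offline"
  else
    echo error                      # bind, connection or other failure
  fi
}

# run_ldapsearch <base DN>: the command from the thread, parameterised.
run_ldapsearch() {
  ldapsearch -h "$DS_HOST" -p "$DS_PORT" -D "cn=Directory Manager" \
    -w "$DS_PASSWORD" -b "$1" -s sub "(objectClass=*)"
}

# backend_status <backend id> [search function]
# Tries the DS 6 base DN first, then the DJ 3.5 one.
# Returns 0 = entry found, 1 = absent under both DNs, 2 = query failed.
backend_status() {
  bs_id=$1
  bs_search=${2:-run_ldapsearch}
  for bs_dn in "ds-cfg-backend-id=$bs_id,cn=backends,cn=monitor" \
               "cn=$bs_id Backend,cn=monitor"; do
    bs_out=$("$bs_search" "$bs_dn" 2>&1) || true   # exit status is not used; output is classified
    case $(classify_result "$bs_out") in
      found)         echo "online: $bs_dn"; return 0 ;;
      no-such-entry) continue ;;
      *)             echo "error: query for $bs_dn failed"; return 2 ;;
    esac
  done
  echo "absent: no monitor entry for $bs_id under either base DN"
  return 1
}
```

In automation, call `backend_status userRoot` and branch on the return code, so a changed monitor layout (1) is reported separately from a failed query (2).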