OpenDJ 6: Monitoring the backend

This topic contains 6 replies, has 3 voices, and was last updated by  dom 2 weeks, 1 day ago.

  • Author
    Posts
  • #24649
     matthewponzio 
    Participant

    Hi,

    Did a cursory search of the topics, but didn’t find anything on this. Our FR env build is done via automation and one our steps is to check if the DJ backend is online. We were on DJ 3.5 where the command was:

    ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "cn=ssousers Backend,cn=monitor" -s sub "(objectClass=*)"

    This returned:

    dn: cn=userRoot Backend,cn=monitor
    objectClass: top
    objectClass: ds-monitor-entry
    objectClass: ds-backend-monitor-entry
    ds-backend-id: userRoot
    ds-backend-base-dn: dc=ourDomain,dc=com
    ds-backend-is-private: false
    ds-backend-entry-count: 14
    ds-base-dn-entry-count: 14 dc=ourDomain,dc=com
    ds-backend-writability-mode: enabled
    cn: userRoot Backend

    In updating our automation to deploy DJ 6, I found that the above command no longer worked. And this is despite the fact that this article claims it should work for “All Versions”:

    https://backstage.forgerock.com/knowledge/kb/article/a91168317

    I believe that article is out of date / incorrect. In DJ 6 (at a minimum, not sure about DJ 5/5.5) the baseDN “cn=userRoot Backend,cn=monitor” no longer exists and hence the above command fails. And in fact the resulting message, according to the above article, would have you believe that your backend is offline:

    SEARCH operation failed
    Result Code: 32 (No Such Entry)
    Additional Information: Entry cn=userRoot Backend,cn=monitor does not exist in the monitor backend
    Matched DN: cn=monitor

    In DJ 6 (at least), the new baseDN for the command should be: “ds-cfg-backend-id=userRoot,cn=backends,cn=monitor”

    And the final ldapsearch command to check that the backend is online:

    ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "ds-cfg-backend-id=userRoot,cn=backends,cn=monitor" -s sub "(objectClass=*)"

    Please, please do correct me if I’m wrong here and show me how/where. If I am correct, pretty please update your KB article: https://backstage.forgerock.com/knowledge/kb/article/a91168317

    #24650
     matthewponzio 
    Participant

    Bad copy/paste for the original DJ 3.5 ldapsearch command at the top of my post…

    It should be:
    ldapsearch -h <hostname> -p <port> -D "cn=Directory Manager" -w <password> -b "cn=userRoot Backend,cn=monitor" -s sub "(objectClass=*)"

    #24652
     Bill Nelson 
    Participant

    Well, since you said “pretty please”….

    DS 6.0 introduced a new “Monitoring User” concept where the user requesting monitoring data needs to have the monitor-read privilege. See the 6.0 Release Notes, Section 1.1 New Features (under the Monitoring section). You can also look at the DS Setup instructions in the DS 6 Installation Guide where it discusses how to create this user during installation.

    This is all fine and dandy until they change it again. Of course, you could just sign up for an account with RockMon (our monitoring, analytics, and advice platform for ForgeRock products) and get a wealth of information not available from cn=monitor.

    #24653
     matthewponzio 
    Participant

    Hey, thanks for the reply, but I’m not sure I follow. Read privileges to the monitoring data doesn’t seem to be the problem. I’m not getting any kind of access denied error. The problem is that the baseDN changed from “cn=userRoot Backend,cn=monitor” to “ds-cfg-backend-id=userRoot,cn=backends,cn=monitor”.

    #24654
     matthewponzio 
    Participant

    Oh…just saw in my email…Got a message from Dom Reed. For some reason he didn’t post here. Here is his message:

    Hi Matthew

    Thank you for your feedback. You are correct, this has changed in DS 6. Appologies this was missed when I updated articles for DS 6 – I have updated it now and republished. I will also update any related articles.

    Many thanks
    Dom

    #24657
     matthewponzio 
    Participant

    And Dom…thanks for getting that KB article updated so fast! Looks perfect! Cheers.

    • This reply was modified 2 weeks, 2 days ago by  matthewponzio.
    #24663
     dom 
    Participant

    Thanks for the confirmation.. and the feedback, always appreciated :)

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic.

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?