Docker-openldap: Add custom database in slapd.conf

Created on 22 Nov 2019  路  2Comments  路  Source: osixia/docker-openldap

I need to get metrics from this openldap, and I need to load monitor backend/database. I need to add these in slapd.conf:

database monitor rootdn "cn=monitoring,cn=Monitor" rootpw YOUR_MONITORING_ROOT_PASSWORD

As far as I know, slapd.conf is not used and in this case, how can I achieve this?
I need to add custom ldif?

P.S: I'm using this for getting metrics: https://github.com/tomcz/openldap_exporter

Most helpful comment

Thank you. I finally made it working and I post here for others in case someone will have to do something similar.

I had to create custom ldifs for loading monitor backend, adding monitor user (user used for binding when ldapsearch for monitoring purpose) and loading monitor database

load monitor backend ldif:

dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: {4}back_monitor

add user (I used an ansible role here for adding users instead of ldif)
- name: Add Monitoring User ldap_entry: dn: cn=monitor,dc=myCompany,dc=com objectClass: - simpleSecurityObject - organizationalRole attributes: cn: monitor description: LDAP monitoring userpassword: "somePass" params: "{{ ldap_auth }}"

load monitor database ldif:
dn: olcDatabase={2}Monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: {2}Monitor olcAccess: {0}to dn.subtree="cn=Monitor" by dn.base="cn=monitor,dc=myCompany,dc=com" read by * none

Put these files in a folder (like /opt/openldap/ldif) and mount it to container:

volumes:
- "/opt/openldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom"

Monitoring is loaded now and can be fetched via ldapsearch. More details on this link:
https://blog.kmp.or.at/monitoring-openldap/
ans this https://serverfault.com/questions/866759/openldap-monitor-access-acl-not-working

I think this issue should be closed. Perhaps is a good ideea to write something relevant to the README file with the instructions for enabling monitoring? Or just prepare a new version to make things easier and add some ENV like "ENABLE_MONITORING=true/false"?

All 2 comments

@alxArad from the Prometheus exporter page you are referencing, you can also find some interesting links like http://www.openldap.org/doc/admin24/backends.html#Monitor which gives you the ldif entries to be used

Further more this other link might also be useful to add the monitor module

However, section 20.1 of the OpenLDAP admin guide would have been of much more use

HTH though

Thank you. I finally made it working and I post here for others in case someone will have to do something similar.

I had to create custom ldifs for loading monitor backend, adding monitor user (user used for binding when ldapsearch for monitoring purpose) and loading monitor database

load monitor backend ldif:

dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: {4}back_monitor

add user (I used an ansible role here for adding users instead of ldif)
- name: Add Monitoring User ldap_entry: dn: cn=monitor,dc=myCompany,dc=com objectClass: - simpleSecurityObject - organizationalRole attributes: cn: monitor description: LDAP monitoring userpassword: "somePass" params: "{{ ldap_auth }}"

load monitor database ldif:
dn: olcDatabase={2}Monitor,cn=config objectClass: olcDatabaseConfig objectClass: olcMonitorConfig olcDatabase: {2}Monitor olcAccess: {0}to dn.subtree="cn=Monitor" by dn.base="cn=monitor,dc=myCompany,dc=com" read by * none

Put these files in a folder (like /opt/openldap/ldif) and mount it to container:

volumes:
- "/opt/openldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom"

Monitoring is loaded now and can be fetched via ldapsearch. More details on this link:
https://blog.kmp.or.at/monitoring-openldap/
ans this https://serverfault.com/questions/866759/openldap-monitor-access-acl-not-working

I think this issue should be closed. Perhaps is a good ideea to write something relevant to the README file with the instructions for enabling monitoring? Or just prepare a new version to make things easier and add some ENV like "ENABLE_MONITORING=true/false"?

Was this page helpful?
0 / 5 - 0 ratings