Administrator’s Guide
Red Hat Directory Server                                                            


Chapter 13

Monitoring Directory Server Using SNMP


The server and database activity monitoring log setup described in Chapter 12, "Monitoring Server and Database Activity," is specific to Red Hat Directory Server (Directory Server). You can also monitor your Directory Server using the Simple Network Management Protocol (SNMP), a management protocol for monitoring network activity that can be used to monitor a wide range of devices in real time.

SNMP has become interoperable on account of its widespread popularity. It is this interoperability, combined with the fact that SNMP can take on numerous jobs specific to a whole range of different device classes, that makes SNMP the ideal standard mechanism for global network control and monitoring. SNMP allows network administrators to unify all network monitoring activities, with Directory Server monitoring part of the broader picture.

SNMP statistic reporting is available via a Net-SNMP subagent. The subagent will send traps, as well as report various statistics about your monitored Directory Server instances.

This chapter contains the following sections:

About SNMP

SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management application (NMS) where users remotely manage the network. A managed device is anything that runs SNMP, such as hosts, routers, and your Directory Server. An NMS is usually a powerful workstation with one or more network management applications installed. A network management application graphically shows information about managed devices, which device is up or down, which and how many error messages were received, and so on.

Information is transferred between the NMS and the managed device through the use of two types of agents: the subagent and the master agent. The subagent gathers information about the managed device and passes the information to the master agent. Directory Server has a subagent. The master agent exchanges information between the various subagents and the NMS. The master agent runs on the same host machine as the subagents it talks to.

You can have multiple subagents installed on a host machine. For example, if you have Directory Server and a messaging server all installed on the same host, the subagents for both of these servers communicate with the same master agent.

Values for SNMP attributes, otherwise known as variables, that can be queried are kept on the managed device and reported to the NMS as necessary. Each variable is known as a managed object, which is anything the agent can access and send to the NMS. All managed objects are defined in a management information base (MIB), which is a database with a tree-like hierarchy. The top level of the hierarchy contains the most general information about the network. Each branch underneath is more specific and deals with separate network areas.

SNMP exchanges network information in the form of protocol data units (PDUs). PDUs contain information about variables stored on the managed device. These variables, also known as managed objects, have values and titles that are reported to the NMS as necessary. Communication between an NMS and a managed device takes place either by the NMS sending updates or requesting information or by the managed object sending a notice or warning, called a trap, when a server shuts down or starts up.

Configuring the Master Agent

To use the subagent, you must have a Net-SNMP v5.21 master agent running on your system. You can download the Net-SNMP Master Agent from the Net-SNMP website (http://www.net-snmp.org).

The SNMP subagent included with Directory Server uses the AgentX protocol to communicate with the SNMP master agent running on your system. You must make sure that you enable AgentX support on your master agent. This is typically done by adding a line containing master agentx in the master agent's snmpd.conf file. For more details on configuring the master agent for AgentX support, refer to the Net-SNMP website (http://www.net-snmp.org).

Configuring the Subagent

The Directory Server SNMP subagent is located in server_root/bin/slapd/server/ldap-agent.

Subagent Configuration File

To use your subagent, you must first create a subagent configuration file. You can name this file whatever you like, and place it wherever you like. This configuration file is used to specify how to communicate with your master agent, logfile location, and which Directory Server instances to monitor.

agentx-master

The agentx-master setting tells the subagent how to communicate with the SNMP master agent. If this setting is not specified, the subagent will try to communicate with the master agent via the Unix domain socket /var/agentx/master. This is also where the Net-SNMP master agent listens for AgentX communications by default. If you configured your master agent to listen on a different Unix domain socket, you must use the agentx-master setting for your subagent to communicate with your master agent. If your master agent were listening on /var/snmp/agentx, the agentx-master setting would be agentx-master /var/snmp/agentx. Make sure that the user as whom you are running the subagent has the appropriate permissions to write to this socket.

If the master agent is listening for AgentX communications on a TCP port, you would have an agentx-master setting of agentx-master localhost:705.

agentx-logdir

The agentx-logdir setting specifies the directory where you want the subagent to write its logfile. For example:

agentx-logdir /var/log
 

If this parameter is not specified, the agent will write its logfile to the same location as your subagent configuration file. The logfile will be named ldap-agent.log.

Make sure that the user as whom your subagent is running has write permission to this directory.

server

The server setting specifies a Directory Server instance that you want to monitor. You must use one server setting for each Directory Server instance. The subagent requires at least one server setting to be specified in its configuration file. The server setting should be set to the absolute path to the log directory of the Directory Server instance you would like to monitor. For example:

server /opt/redhat-ds/slapd-phonebook/logs
 

Make sure that the user as whom you are running your subagent has read permission to this directory.
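
The following added example (not part of the original guide or of Directory Server) checks a subagent configuration file against the rules above before the subagent is started: the three settings, their defaults, and the read and write permissions each path needs. The function name, the treatment of '#' lines as comments, and the reporting of any other keyword as unknown are assumptions.

```python
import os
import tempfile

DEFAULT_MASTER = "/var/agentx/master"  # default socket named in this chapter

def check_agent_conf(conf_path):
    """Return a list of problems found in a subagent configuration file."""
    master, logdir, servers, problems = DEFAULT_MASTER, None, [], []
    with open(conf_path) as fh:
        for lineno, raw in enumerate(fh, 1):
            parts = raw.split(None, 1)
            if not parts or parts[0].startswith("#"):  # assumption: '#' is a comment
                continue
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if key == "agentx-master":
                master = value
            elif key == "agentx-logdir":
                logdir = value
            elif key == "server":
                servers.append(value)
            else:
                problems.append(f"line {lineno}: unknown setting {key!r}")
    # Without agentx-logdir the log is written next to the configuration file.
    logdir = logdir or os.path.dirname(os.path.abspath(conf_path))
    if not servers:
        problems.append("no server setting: at least one is required")
    for path in servers:
        if not os.path.isabs(path):
            problems.append(f"server {path}: must be an absolute path")
        elif not os.access(path, os.R_OK | os.X_OK):
            problems.append(f"server {path}: not readable by this user")
    if not os.access(logdir, os.W_OK | os.X_OK):
        problems.append(f"agentx-logdir {logdir}: not writable by this user")
    if master.startswith("/"):  # Unix domain socket path
        if not os.access(master, os.W_OK):
            problems.append(f"agentx-master {master}: socket not writable by this user")
    elif not master.rpartition(":")[2].isdigit():  # otherwise expect host:port
        problems.append(f"agentx-master {master}: expected socket path or host:port")
    return problems

if __name__ == "__main__":
    # Constructed sample: a throwaway instance log directory and configuration.
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "logs"))
        conf = os.path.join(tmp, "ldap-agent.conf")
        with open(conf, "w") as fh:
            fh.write(f"agentx-master localhost:705\nagentx-logdir {tmp}\nserver {tmp}/logs\n")
        print(check_agent_conf(conf) or "configuration looks usable")
```

Run the check as the same user account the subagent will run under, since the permission tests apply to the calling user.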

Starting the Subagent

Once your master agent is running and you have created your subagent configuration file, you are ready to start the subagent. To start your subagent, you must run the ldap-agent program, specifying your subagent configuration file as an argument. You must supply the absolute path to the configuration file:

./ldap-agent /opt/redhat-ds/ldap-agent.conf
 

If you want to enable extra debug logging, you can specify the -D option during startup:

./ldap-agent -D /opt/redhat-ds/ldap-agent.conf
 

To stop your subagent, you must use the kill command against its process ID. Your subagent will print its process ID in its logfile, or you can run ps -ef | grep ldap-agent to find the process ID.

Testing the Subagent

To test your subagent, you can use the Net-SNMP toolkit command-line utilities, such as snmpwalk and snmpget. In order for these tools to display variable names for the Directory Server, you must configure them to load the Directory Server's MIB file. The Directory Server's MIB file is located in the server_root/plugins/snmp directory. There are some additional common required MIB files located in server_root/plugins/snmp/mibs if you don't already have them. For details on configuring and using the Net-SNMP command-line tools, refer to the Net-SNMP website, http://www.net-snmp.org.

Configuring the Directory Server for SNMP

By default, SNMP statistics collection is enabled in the Directory Server. Using the Console, you can disable SNMP for a Directory Server instance or add SNMP management information. To configure SNMP settings from the Directory Server Console:

  1. Select the Configuration tab, and then select the topmost entry in the navigation tree in the left pane.
  2. Select the SNMP tab in the right pane.
  3. Select the "Enable Statistics Collection" checkbox to enable Directory Server statistics collection. Clear the checkbox to disable it.
  4. Enter a description that uniquely describes the directory instance in the Description text box.
  5. Type the name of the company or organization to which the directory belongs in the Organization text box.
  6. Type the location within the company or organization where the directory resides in the Location text box.
  7. Type the email address of the person responsible for maintaining the directory in the Contact text box.
  8. Click Save.

Using the Management Information Base

The Directory Server's MIB is a file called redhat-directory.mib. This MIB contains definitions for variables pertaining to network management for the directory. These variables are known as managed objects. Using the directory MIB and Net-SNMP, you can monitor your directory like all other managed devices on your network. For more information on using the MIB, see "Testing the Subagent."

You can see administrative information about your directory and monitor the server in real time using the directory MIB. The directory MIB is broken into three distinct tables of managed objects: the Operations Table, the Entries Table, and the Interaction Table.

Note

Before you can use the directory's MIB, you must compile it along with the MIBs that you will find in the default location serverRoot/plugins/snmp/mibs.


Operations Table

The Operations Table provides statistical information about Directory Server access, operations, and errors. Table 13-1 describes the managed objects stored in the Operations Table of the redhat-directory.mib file.

Table 13-1 Operations - Managed Objects and Descriptions

| Managed Object | Description |
|---|---|
| dsAnonymousBinds | The number of anonymous binds to the directory since server startup. |
| dsUnauthBinds | The number of unauthenticated binds to the directory since server startup. |
| dsSimpleAuthBinds | The number of binds to the directory that were established using a simple authentication method (such as password protection) since server startup. |
| dsStrongAuthBinds | The number of binds to the directory that were established using a strong authentication method (such as SSL or a SASL mechanism like Kerberos) since server startup. |
| dsBindSecurityErrors | The number of bind requests that have been rejected by the directory due to authentication failures or invalid credentials since server startup. |
| dsInOps | The number of operations forwarded to this directory from another directory since server startup. |
| dsReadOps | The number of read operations serviced by this directory since application start. The value of this object will always be 0 because LDAP implements read operations indirectly via the search operation. |
| dsCompareOps | The number of compare operations serviced by this directory since server startup. |
| dsAddEntryOps | The number of add operations serviced by this directory since server startup. |
| dsRemoveEntryOps | The number of delete operations serviced by this directory since server startup. |
| dsModifyEntryOps | The number of modify operations serviced by this directory since server startup. |
| dsModifyRDNOps | The number of modify RDN operations serviced by this directory since server startup. |
| dsListOps | The number of list operations serviced by this directory since server startup. The value of this object will always be 0 because LDAP implements list operations indirectly via the search operation. |
| dsSearchOps | The total number of search operations serviced by this directory since server startup. |
| dsOneLevelSearchOps | The number of one-level search operations serviced by this directory since server startup. |
| dsWholeSubtreeSearchOps | The number of whole subtree search operations serviced by this directory since server startup. |
| dsReferrals | The number of referrals returned by this directory in response to client requests since server startup. |
| dsSecurityErrors | The number of operations forwarded to this directory that did not meet security requirements. |
| dsErrors | The number of requests that could not be serviced due to errors (other than security or referral errors). Errors include name errors, update errors, attribute errors, and service errors. Partially serviced requests will not be counted as an error. |
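
Because the Operations Table counters are cumulative since server startup, an alert on rejected binds has to work on the change between two polls and allow for a restart resetting the values. The following added example (not part of the original guide) shows that for dsBindSecurityErrors; the sample poll values, the thresholds, and the treatment of rejected binds as separate from established binds are assumptions.

```python
# Counters for binds that were established, by authentication type.
BIND_OK = ("dsAnonymousBinds", "dsUnauthBinds",
           "dsSimpleAuthBinds", "dsStrongAuthBinds")

# Constructed sample polls (managed object -> value), not real measurements.
POLL_1 = {"dsAnonymousBinds": 40, "dsUnauthBinds": 0, "dsSimpleAuthBinds": 900,
          "dsStrongAuthBinds": 300, "dsBindSecurityErrors": 12}
POLL_2 = {"dsAnonymousBinds": 42, "dsUnauthBinds": 0, "dsSimpleAuthBinds": 930,
          "dsStrongAuthBinds": 310, "dsBindSecurityErrors": 262}
POLL_3 = {"dsAnonymousBinds": 1, "dsUnauthBinds": 0, "dsSimpleAuthBinds": 20,
          "dsStrongAuthBinds": 5, "dsBindSecurityErrors": 3}  # after a restart

def counter_deltas(prev, curr):
    """Increase of each counter between two polls.

    A value lower than the previous poll means the server restarted and the
    counter began again from zero, so the new value is itself the increase.
    """
    deltas = {}
    for name, value in curr.items():
        before = prev.get(name, 0)
        deltas[name] = value - before if value >= before else value
    return deltas

def bind_alerts(prev, curr, min_failures=50, max_ratio=0.2):
    """Return alert strings for one polling interval (thresholds are assumed)."""
    alerts = []
    if any(curr[name] < prev.get(name, 0) for name in curr):
        alerts.append("counter reset: server restarted since last poll")
    deltas = counter_deltas(prev, curr)
    failed = deltas.get("dsBindSecurityErrors", 0)
    attempts = failed + sum(deltas.get(name, 0) for name in BIND_OK)
    ratio = failed / attempts if attempts else 0.0
    # Require both volume and proportion so a quiet server with a few
    # mistyped passwords does not trigger the alert.
    if failed >= min_failures and ratio >= max_ratio:
        alerts.append(f"bind failures: {failed} rejected of {attempts} "
                      f"attempts ({ratio:.0%})")
    return alerts

if __name__ == "__main__":
    for before, after in ((POLL_1, POLL_2), (POLL_2, POLL_3)):
        print(bind_alerts(before, after) or "no alerts")
```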

Entries Table

The Entries Table provides information about the contents of the directory entries. Table 13-2 describes the managed objects stored in the Entries Table in the redhat-directory.mib file.

Table 13-2 Entries - Managed Objects and Descriptions

| Managed Object | Description |
|---|---|
| dsMasterEntries | The number of directory entries for which this directory contains the master entry. The value of this object will always be 0 (as no updates are currently performed). |
| dsCopyEntries | The number of directory entries for which this directory contains a copy. The value of this object will always be 0 (as no updates are currently performed). |
| dsCacheEntries | The number of entries cached in the directory. |
| dsCacheHits | The number of operations serviced from the locally held cache since application startup. |
| dsSlaveHits | The number of operations that were serviced from locally held replications (shadow entries). The value of this object will always be 0. |

Interaction Table

The Interaction Table provides statistical information about the interaction of this Directory Server with peer Directory Servers. This table:

Table 13-3 describes the managed objects stored in the Interaction Table of the redhat-directory.mib file.

Table 13-3 Interaction - Managed Objects and Descriptions

| Managed Object | Description |
|---|---|
| dsIntTable | Each row of this table contains some details related to the history of the interaction of the monitored Directory Servers with their respective peer Directory Servers. |
| dsIntEntry | The entry containing interaction details of a Directory Server with a peer Directory Server. |
| dsIntIndex | Together with applIndex, it forms the unique key to identify the conceptual row which contains useful information on the (attempted) interaction between the Directory Server (referred to by applIndex) and a peer Directory Server. |
| dsName | The distinguished name (DN) of the peer Directory Server to which this entry belongs. |
| dsTimeOfCreation | The value of sysUpTime when this row was created. If the entry was created before the network management subsystem was initialized, this object will contain a value of zero. |
| dsTimeOfLastAttempt | The value of sysUpTime when the last attempt was made to contact this Directory Server. If the last attempt was made before the network management subsystem was initialized, this object will contain a value of zero. |
| dsTimeOfLastSuccess | The value of sysUpTime when the last attempt made to contact this Directory Server was successful. This entry will have a value of zero if there have been no successful attempts or if the last successful attempt was made before the network management subsystem was initialized. |
| dsFailuresSinceLastSuccess | The number of failures since the last time an attempt to contact this Directory Server was successful. If there have been no successful attempts, this counter will contain the number of failures since this entry was created. |
| dsFailures | Cumulative failures since the creation of this entry. |
| dsSuccesses | Cumulative successes since the creation of this entry. |
| dsURL | The URL of the Directory Server application. |





© 2001 Sun Microsystems, Inc. Used by permission. © 2005 Red Hat, Inc. All rights reserved.

last updated May 20, 2005