X

Integrating OUD in Monitoring Frameworks: Service Users

Guest Author

Oracle Unified Directory is an all-in-one directory solution with storage, proxy, synchronization and virtualization capabilities.

It can be monitored and integrated in various Monitoring Solutions including Oracle Enterprise Manager, via a dedicated plugin that provides performance monitoring of hundreds of directory metrics, raise alerts based on thresholds and provides rich out-of-the-box reports. By default, monitoring data are retrieved from OUD over LDAPS from the OUD administration port.

In order to use this method, it is recommended to define a dedicated directory user with read privilege on monitoring statistics and configuration. Such user can either be a so-called Root User or a Global Admin User. Root Users are local to a OUD instance and have some special privileges. Global Admin Users are quite similar to Root Users except that they are replicated across OUD servers, so this is more convenient if you want to monitor several OUD instances.

The following rights and privileges are required to access monitoring data and config:  Read access on cn=config and cn=monitor naming contexts and config-read privilege.

Root Users automatically inherit a bunch of default privileges, much more than what is strictly needed to monitor OUD, so unnecessary privileges must be removed and read access must be granted. To create a Root User called "cn=monitor" with sufficient privileges , do the following

./ldapmodify  -h <hostname> -p <adminport> \
-D "cn=Directory Manager" -w <password> -X --useSSL  <<EOF
dn : cn=monitor,cn=Root DNs,cn=config
changetype: add
objectclass: inetOrgPerson
objectclass: person
objectclass: ds-cfg-root-dn-user
objectclass: top
userPassword: <password>
ds-cfg-alternate-bind-dn: cn=monitor
cn: monitor
sn: monitor
EOF

Let's remove unnecessary privileges (basically all but config-read)


./ldapmodify  -h <hostname> -p <adminport> \

-D "cn=Directory Manager" -w <password> -X --useSSL <<EOF
dn : cn=monitor,cn=Root DNs,cn=config

changetype: modify

add: ds-privilege-name

ds-privilege-name: -config-write

ds-privilege-name: -modify-acl

ds-privilege-name: -ldif-import

ds-privilege-name: -ldif-export

ds-privilege-name: -backend-backup

ds-privilege-name: -backend-restore

ds-privilege-name: -server-shutdown

ds-privilege-name: -server-restart

ds-privilege-name: -disconnect-client

ds-privilege-name: -cancel-request

ds-privilege-name: -unindexed-search

ds-privilege-name: -password-reset

ds-privilege-name: -update-schema

ds-privilege-name: -privilege-change

ds-privilege-name: -bypass-acl
EOF

If you prefer to use Global Admin Users, do the following:


./ldapmodify  -h <hostname> -p <adminport> \ 
-D "cn=Directory Manager" -w <password> -X --useSSL <<EOF
dn : cn=monitor,cn=Administrators,cn=admin data
changetype: add
objectclass: person
objectclass: top
userPassword: <password>
cn: monitor
sn: monitor
EOF

Let's add config-read privilege:


./ldapmodify  -h <hostname> -p <adminport> -D "cn=Directory Manager" -w <password> -X -Z <<EOF
dn : cn=monitor,cn=Administrators,cn=admin data
changetype: modify
add: ds-privilege-name
ds-privilege-name: config-read

EOF

No matter what User type you choose to use, you need to grant read access to the config and the monitoring information using OUD global acis:
For Root Users, add the following acis using dsconfig: Start dsconfig, select Authentication and Authorization, then Access Control Handler and add the 2 following global acis:

(target="ldap:///cn=config")(targetattr="*")(version 3.0; acl "Monitor config access"; allow (read,search) \
userdn="ldap:///cn=monitor,cn=Root DNs,cn=config";)
(target="ldap:///cn=monitor")(targetattr="*")(version 3.0; acl "Monitor access"; allow (read,search) \
userdn="ldap:///cn=monitor,cn=Root DNs,cn=config";) 

For Global Admin Users, here are the corresponding acis:

(target="ldap:///cn=config")(targetattr="*")(version 3.0; acl "Monitor config access"; allow (read,search) \
userdn="ldap:///cn=monitor,cn=administrators,cn=admin data";)
(target="ldap:///cn=monitor")(targetattr="*")(version 3.0; acl "Monitor access"; allow (read,search) \
userdn="ldap:///cn=monitor,cn=administrators,cn=admin data";) 

At that stage, config and monitoring stats are available from the OUD admin port to the cn=monitor user (if you choose to use Root Users) or to cn=monitor,cn=administrators,cn=admin data (for Global Admins).:


Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.