How do I create a dedicated user for monitoring in DS (All versions)?
The purpose of this article is to provide assistance if you need to create a user for DS monitoring.
Overview
When installing DS, you are given the option to create a default user for querying monitoring information (see Install DS for Evaluation for further information). If you did not create a user at this stage, you can use one of the following options, described in the sections below, to create one post-install: grant the monitor-read privilege to an existing account, or create a dedicated monitoring account in its own LDIF backend.
Once you have created your user/account, enable the appropriate connection handler to expose the required monitoring endpoints.
After completing these steps, you are ready to start monitoring with that user/account, as described in Monitoring.
Granting monitoring rights to an existing account
- Create an LDIF file to apply the ds-privilege-name: monitor-read privilege to the user's entry, for example:

  $ cat monitor-read.ldif
  dn: uid=jdoe,ou=People,dc=example,dc=com
  changetype: modify
  add: ds-privilege-name
  ds-privilege-name: monitor-read
- Apply the changes using the following ldapmodify command:
- DS 7.1 and later (replace <hostname> with the DS server's host name):

  $ ./ldapmodify --hostname <hostname> --port 1636 --useSsl \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePassword:file /path/to/ds/config/keystore.pin \
    --bindDN uid=admin --bindPassword password monitor-read.ldif

- DS 7:

  $ ./ldapmodify --hostname <hostname> --port 1636 --useSsl \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePasswordFile /path/to/ds/config/keystore.pin \
    --bindDN uid=admin --bindPassword password monitor-read.ldif

- DS 6.x:

  $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password monitor-read.ldif
- Verify the changes are applied, for example:
- DS 7.1 and later (replace <hostname> with the DS server's host name):

  $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePassword:file /path/to/ds/config/keystore.pin \
    --bindDN "uid=jdoe,ou=People,dc=example,dc=com" --bindPassword password \
    --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

- DS 7:

  $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePasswordFile /path/to/ds/config/keystore.pin \
    --bindDN "uid=jdoe,ou=People,dc=example,dc=com" --bindPassword password \
    --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

- DS 6.x:

  $ ./ldapsearch --port 1389 --bindDN "uid=jdoe,ou=People,dc=example,dc=com" --bindPassword password \
    --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

Example response:

  objectClass: top
  objectClass: ds-monitor
  objectClass: ds-monitor-backend
  objectClass: ds-monitor-backend-pluggable
  objectClass: ds-monitor-backend-db
  ds-mon-backend-is-private: false
  ds-mon-backend-entry-count: 2002
  ds-mon-backend-writability-mode: enabled
  ds-mon-backend-degraded-index-count: 0
  ds-mon-backend-ttl-is-running: false
  ds-mon-backend-ttl-last-run-time: 20180809151924.210Z
  ds-mon-backend-ttl-thread-count: 0
  ds-mon-backend-ttl-queue-size: 0
  ds-mon-backend-ttl-entries-deleted: {"count":0,"total":0.000,"mean_rate":0.000,"m1_rate":0.000,"m5_rate":0.000,"m15_rate":0.000}
  ds-mon-backend-filter-use-start-time: 19700101000000Z
  ds-mon-backend-filter-use-indexed: 0
  ds-mon-backend-filter-use-unindexed: 0
  ds-mon-db-version: 7.5.11
  ds-mon-db-cache-evict-internal-nodes-count: 0
  ds-mon-db-cache-evict-leaf-nodes-count: 0
  ds-mon-db-cache-total-tries-internal-nodes: 1045
  ds-mon-db-cache-total-tries-leaf-nodes: 882
  ds-mon-db-cache-misses-internal-nodes: 12
  ds-mon-db-cache-misses-leaf-nodes: 70
  ds-mon-db-cache-size-active: 3230029
  ds-mon-db-log-size-active: 4604407
  ds-mon-db-log-cleaner-file-deletion-count: 0
  ds-mon-db-log-utilization-min: 56
  ds-mon-db-log-utilization-max: 56
  ds-mon-db-log-size-total: 4604407
  ds-mon-db-log-files-open: 1
  ds-mon-db-log-files-opened: 5
  ds-mon-db-checkpoint-count: 0
  ds-cfg-backend-id: userRoot
Creating a dedicated monitoring account
To create a dedicated user, you can set up an LDIF backend and apply the privileges (which is what DS does during install if this option is selected):
- Create a directory for the user in the /path/to/ds/db directory (this is where the special users are created during install), for example:

  $ mkdir /path/to/ds/db/monitorUser
- Create an encoded password for the monitoring user, for example:
- DS 7 and later:

  $ ./encode-password -c password -s PBKDF2-HMAC-SHA256
  {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa

- DS 6.x:

  $ ./encode-password -c password -s SSHA512
  {SSHA512}NUhN2CulFulVLDDJo+6uZ2NhjSpkl2iFn2sRNgFvjnZM/0LddL3hXPAecLTALCYnKfE+64lXiWwBfPvgYJR+0fL1ojGvsruE

- Create an LDIF file that contains the monitoring user entry, including the encoded password from step 2, for example:

  $ cat /path/to/ds/db/monitorUser/monitorUser.ldif
  dn: uid=Monitor
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  sn: User
  cn: Monitor
  ds-privilege-name: monitor-read
  userPassword: {SSHA512}NUhN2CulFulVLDDJo+6uZ2NhjSpkl2iFn2sRNgFvjnZM/0LddL3hXPAecLTALCYnKfE+64lXiWwBfPvgYJR+0fL1ojGvsruE
- Create an LDIF backend:
- DS 7.1 and later:

  $ ./dsconfig create-backend --set base-dn:uid=Monitor --set enabled:true \
    --set ldif-file:/path/to/ds/db/monitorUser/monitorUser.ldif \
    --type ldif --backend-name monitorUser \
    --port 4444 --bindDN uid=admin --bindPassword password \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt

- DS 7:

  $ ./dsconfig create-backend --set base-dn:uid=Monitor --set enabled:true \
    --set ldif-file:/path/to/ds/db/monitorUser/monitorUser.ldif \
    --type ldif --backend-name monitorUser \
    --port 4444 --bindDN uid=admin --bindPassword password \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt

- DS 6.x:

  $ ./dsconfig create-backend --set base-dn:uid=Monitor --set enabled:true \
    --set ldif-file:/path/to/ds/db/monitorUser/monitorUser.ldif \
    --type ldif --backend-name monitorUser \
    --port 4444 --bindDn "cn=Directory Manager" --bindPassword password \
    --trustAll --no-prompt
- Verify the monitoring user has read access to cn=monitor, for example:
- DS 7.1 and later (replace <hostname> with the DS server's host name):

  $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePassword:file /path/to/ds/config/keystore.pin \
    --bindDN "uid=Monitor" --bindPassword password \
    --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

- DS 7:

  $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
    --usePkcs12TrustStore /path/to/ds/config/keystore \
    --trustStorePasswordFile /path/to/ds/config/keystore.pin \
    --bindDN "uid=Monitor" --bindPassword password \
    --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

- DS 6.x:

  $ ./ldapsearch --port 1389 --bindDN "uid=Monitor" --bindPassword password \
    --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

Example response:

  objectClass: top
  objectClass: ds-monitor
  objectClass: ds-monitor-backend
  objectClass: ds-monitor-backend-pluggable
  objectClass: ds-monitor-backend-db
  ds-mon-backend-is-private: false
  ds-mon-backend-entry-count: 2002
  ds-mon-backend-writability-mode: enabled
  ds-mon-backend-degraded-index-count: 0
  ds-mon-backend-ttl-is-running: false
  ds-mon-backend-ttl-last-run-time: 20180809151924.210Z
  ds-mon-backend-ttl-thread-count: 0
  ds-mon-backend-ttl-queue-size: 0
  ds-mon-backend-ttl-entries-deleted: {"count":0,"total":0.000,"mean_rate":0.000,"m1_rate":0.000,"m5_rate":0.000,"m15_rate":0.000}
  ds-mon-backend-filter-use-start-time: 19700101000000Z
  ds-mon-backend-filter-use-indexed: 0
  ds-mon-backend-filter-use-unindexed: 0
  ds-mon-db-version: 7.5.11
  ds-mon-db-cache-evict-internal-nodes-count: 0
  ds-mon-db-cache-evict-leaf-nodes-count: 0
  ds-mon-db-cache-total-tries-internal-nodes: 1045
  ds-mon-db-cache-total-tries-leaf-nodes: 882
  ds-mon-db-cache-misses-internal-nodes: 12
  ds-mon-db-cache-misses-leaf-nodes: 70
  ds-mon-db-cache-size-active: 3230029
  ds-mon-db-log-size-active: 4604407
  ds-mon-db-log-cleaner-file-deletion-count: 0
  ds-mon-db-log-utilization-min: 56
  ds-mon-db-log-utilization-max: 56
  ds-mon-db-log-size-total: 4604407
  ds-mon-db-log-files-open: 1
  ds-mon-db-log-files-opened: 5
  ds-mon-db-checkpoint-count: 0
  ds-cfg-backend-id: userRoot
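Both procedures above end with an LDIF file that is applied to the server, either the modify LDIF that adds monitor-read to an existing entry or the entry file behind the dedicated LDIF backend. The following Python script is an added example, not part of this article or of DS, that audits such a file offline before it is applied: it parses the LDIF (including folded lines and base64 values), confirms the entry holds no privilege other than monitor-read, and flags a userPassword that is not scheme-prefixed, which would mean a cleartext password sitting in the LDIF. The allowed privilege and scheme sets are a policy assumption for this example, and the sample LDIF documents are constructed (the good one uses a placeholder in place of a real hash).

```python
"""Offline least-privilege audit of an LDIF file for a DS monitoring account.

Added example, not from the article or from ForgeRock DS. Policy constants and
sample LDIF below are constructed for this example.
"""
import base64
import re

# Policy assumption: a read-only monitoring account may hold only monitor-read.
ALLOWED_PRIVILEGES = {"monitor-read"}
# Policy assumption: PBKDF2-HMAC-SHA256 (DS 7+) or SSHA512 (DS 6.x) hashes only.
ALLOWED_SCHEMES = {"PBKDF2-HMAC-SHA256", "SSHA512"}

# attribute name, ":" or "::" (base64), optional space, value
_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
_SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif(text):
    """Parse LDIF text into a list of entries, each {attr_lowercase: [values]}.

    Handles comment lines, folded continuation lines (leading space),
    base64 values ("attr:: ...") and the "-" separator used in modify LDIF.
    """
    entries, logical_lines = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]      # folded line: join to previous
        elif raw == "":
            if logical_lines:
                entries.append(_lines_to_entry(logical_lines))
                logical_lines = []
        elif raw == "-" or raw.startswith("#"):
            continue
        else:
            logical_lines.append(raw)
    return entries


def _lines_to_entry(lines):
    entry = {}
    for line in lines:
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr, []).append(value)
    return entry


def check_monitor_entry(entry):
    """Return a list of policy findings for one parsed entry (empty list = OK)."""
    findings = []
    privileges = set(entry.get("ds-privilege-name", []))
    extra = privileges - ALLOWED_PRIVILEGES
    if extra:
        findings.append("privileges beyond monitor-read: " + ", ".join(sorted(extra)))
    if "monitor-read" not in privileges:
        findings.append("monitor-read privilege missing")
    for pw in entry.get("userpassword", []):
        m = _SCHEME.match(pw)
        if not m:
            findings.append("userPassword is not scheme-prefixed (cleartext in LDIF)")
        elif m.group(1).upper() not in ALLOWED_SCHEMES:
            findings.append("password scheme %s not in allowed set" % m.group(1))
    return findings


def audit(text):
    """Parse an LDIF document and return {dn: findings} for every entry in it."""
    return {e["dn"][0]: check_monitor_entry(e) for e in parse_ldif(text)}


# Constructed sample: dedicated monitoring entry, hash replaced by a placeholder.
GOOD_LDIF = """\
dn: uid=Monitor
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: User
cn: Monitor
ds-privilege-name: monitor-read
userPassword: {PBKDF2-HMAC-SHA256}10000:PLACEHOLDER-NOT-A-REAL-HASH
"""

# Constructed sample of what the audit should reject: an extra privilege and a
# cleartext password pasted into the LDIF instead of encode-password output.
BAD_LDIF = """\
dn: uid=Monitor
objectClass: top
objectClass: inetOrgPerson
sn: User
cn: Monitor
ds-privilege-name: monitor-read
ds-privilege-name: bypass-acl
userPassword: password
"""

# Constructed sample in the shape of the modify LDIF for an existing account.
MODIFY_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: monitor-read
"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_LDIF), ("bad", BAD_LDIF), ("modify", MODIFY_LDIF)):
        for dn, findings in audit(doc).items():
            print("%-6s %s: %s" % (name, dn, "OK" if not findings else "; ".join(findings)))
```

Run it against the real monitorUser.ldif or monitor-read.ldif by reading the file into audit(); a non-empty findings list for the entry is the signal to fix the file before running dsconfig create-backend or ldapmodify.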
See Also
How do I use cn=monitor entry in DS 6.x for monitoring?
Performance tuning and monitoring ForgeRock products