How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I create a dedicated user for monitoring in DS (All versions)?

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you need to create a user for DS monitoring.



Overview

When installing DS, you are given the option to create a default user for querying monitoring information (see Install DS for Evaluation for further information). If you did not create a user at this stage, you can use one of the two options described below (granting monitoring rights to an existing account, or creating a dedicated monitoring account) to create one post-install.

Once you have created your user/account, enable the appropriate connection handler to expose the required monitoring endpoints.

After completing these steps, you will be ready to start monitoring using your user/account as described in the Monitoring documentation.

Granting monitoring rights to an existing account

To grant access to an existing user:

  1. Create an LDIF file that adds the ds-privilege-name: monitor-read privilege to the user's entry, for example:

       $ cat monitor-read.ldif
       dn: uid=jdoe,ou=People,dc=example,dc=com
       changetype: modify
       add: ds-privilege-name
       ds-privilege-name: monitor-read

  2. Apply the changes using the following ldapmodify command (replace <hostname> with the DS server's host name):
    • DS 7.1 and later:

        $ ./ldapmodify --hostname <hostname> --port 1636 --useSsl \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePassword:file /path/to/ds/config/keystore.pin \
            --bindDN uid=admin --bindPassword password monitor-read.ldif

    • DS 7:

        $ ./ldapmodify --hostname <hostname> --port 1636 --useSsl \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePasswordFile /path/to/ds/config/keystore.pin \
            --bindDN uid=admin --bindPassword password monitor-read.ldif

    • DS 6.x:

        $ ./ldapmodify --port 1389 --bindDN "cn=Directory Manager" \
            --bindPassword password monitor-read.ldif

  3. Verify the changes are applied by binding as the user and reading cn=monitor, for example:
    • DS 7.1 and later:

        $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePassword:file /path/to/ds/config/keystore.pin \
            --bindDN "uid=jdoe,ou=People,dc=example,dc=com" --bindPassword password \
            --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

    • DS 7:

        $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePasswordFile /path/to/ds/config/keystore.pin \
            --bindDN "uid=jdoe,ou=People,dc=example,dc=com" --bindPassword password \
            --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

    • DS 6.x:

        $ ./ldapsearch --port 1389 \
            --bindDN "uid=jdoe,ou=People,dc=example,dc=com" --bindPassword password \
            --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

Example response:

    objectClass: top
    objectClass: ds-monitor
    objectClass: ds-monitor-backend
    objectClass: ds-monitor-backend-pluggable
    objectClass: ds-monitor-backend-db
    ds-mon-backend-is-private: false
    ds-mon-backend-entry-count: 2002
    ds-mon-backend-writability-mode: enabled
    ds-mon-backend-degraded-index-count: 0
    ds-mon-backend-ttl-is-running: false
    ds-mon-backend-ttl-last-run-time: 20180809151924.210Z
    ds-mon-backend-ttl-thread-count: 0
    ds-mon-backend-ttl-queue-size: 0
    ds-mon-backend-ttl-entries-deleted: {"count":0,"total":0.000,"mean_rate":0.000,"m1_rate":0.000,"m5_rate":0.000,"m15_rate":0.000}
    ds-mon-backend-filter-use-start-time: 19700101000000Z
    ds-mon-backend-filter-use-indexed: 0
    ds-mon-backend-filter-use-unindexed: 0
    ds-mon-db-version: 7.5.11
    ds-mon-db-cache-evict-internal-nodes-count: 0
    ds-mon-db-cache-evict-leaf-nodes-count: 0
    ds-mon-db-cache-total-tries-internal-nodes: 1045
    ds-mon-db-cache-total-tries-leaf-nodes: 882
    ds-mon-db-cache-misses-internal-nodes: 12
    ds-mon-db-cache-misses-leaf-nodes: 70
    ds-mon-db-cache-size-active: 3230029
    ds-mon-db-log-size-active: 4604407
    ds-mon-db-log-cleaner-file-deletion-count: 0
    ds-mon-db-log-utilization-min: 56
    ds-mon-db-log-utilization-max: 56
    ds-mon-db-log-size-total: 4604407
    ds-mon-db-log-files-open: 1
    ds-mon-db-log-files-opened: 5
    ds-mon-db-checkpoint-count: 0
    ds-cfg-backend-id: userRoot

Creating a dedicated monitoring account

Note

The LDIF backend for the new monitoring user is not replicated; you must create a separate monitoring user on each replica where a monitoring user is required.

To create a dedicated user, you can set up an LDIF backend and apply the privileges (which is what DS does during install if this option is selected):

  1. Create a directory for the user under /path/to/ds/db (this is where the special users are created during install), for example:

       $ mkdir /path/to/ds/db/monitorUser

  2. Create an encoded password for the monitoring user, for example:
    • DS 7 and later:

        $ ./encode-password -c password -s PBKDF2-HMAC-SHA256
        {PBKDF2-HMAC-SHA256}10:Hy+ZwmElbGT4va+Yb84LoIffAJVKXzVIY7XrFzdKxFl5rOB/j9y+9pwdub8rwfVa

    • DS 6.x:

        $ ./encode-password -c password -s SSHA512
        {SSHA512}NUhN2CulFulVLDDJo+6uZ2NhjSpkl2iFn2sRNgFvjnZM/0LddL3hXPAecLTALCYnKfE+64lXiWwBfPvgYJR+0fL1ojGvsruE

  3. Create an LDIF file that contains the monitoring user entry, including the encoded password from step 2, for example:

       $ cat /path/to/ds/db/monitorUser/monitorUser.ldif
       dn: uid=Monitor
       objectClass: top
       objectClass: person
       objectClass: organizationalPerson
       objectClass: inetOrgPerson
       sn: User
       cn: Monitor
       ds-privilege-name: monitor-read
       userPassword: {SSHA512}NUhN2CulFulVLDDJo+6uZ2NhjSpkl2iFn2sRNgFvjnZM/0LddL3hXPAecLTALCYnKfE+64lXiWwBfPvgYJR+0fL1ojGvsruE

  4. Create an LDIF backend that serves this file:
    • DS 7.1 and later:

        $ ./dsconfig create-backend --set base-dn:uid=Monitor --set enabled:true \
            --set ldif-file:/path/to/ds/db/monitorUser/monitorUser.ldif \
            --type ldif --backend-name monitorUser \
            --port 4444 --bindDN uid=admin --bindPassword password \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt

    • DS 7:

        $ ./dsconfig create-backend --set base-dn:uid=Monitor --set enabled:true \
            --set ldif-file:/path/to/ds/db/monitorUser/monitorUser.ldif \
            --type ldif --backend-name monitorUser \
            --port 4444 --bindDN uid=admin --bindPassword password \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt

    • DS 6.x:

        $ ./dsconfig create-backend --set base-dn:uid=Monitor --set enabled:true \
            --set ldif-file:/path/to/ds/db/monitorUser/monitorUser.ldif \
            --type ldif --backend-name monitorUser \
            --port 4444 --bindDN "cn=Directory Manager" --bindPassword password \
            --trustAll --no-prompt

  5. Verify the monitoring user has read access to cn=monitor (replace <hostname> with the DS server's host name), for example:
    • DS 7.1 and later:

        $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePassword:file /path/to/ds/config/keystore.pin \
            --bindDN "uid=Monitor" --bindPassword password \
            --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

    • DS 7:

        $ ./ldapsearch --hostname <hostname> --port 1636 --useSsl \
            --usePkcs12TrustStore /path/to/ds/config/keystore \
            --trustStorePasswordFile /path/to/ds/config/keystore.pin \
            --bindDN "uid=Monitor" --bindPassword password \
            --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

    • DS 6.x:

        $ ./ldapsearch --port 1389 --bindDN "uid=Monitor" --bindPassword password \
            --baseDN cn=monitor "(ds-cfg-backend-id=userRoot)"

Example response:

    objectClass: top
    objectClass: ds-monitor
    objectClass: ds-monitor-backend
    objectClass: ds-monitor-backend-pluggable
    objectClass: ds-monitor-backend-db
    ds-mon-backend-is-private: false
    ds-mon-backend-entry-count: 2002
    ds-mon-backend-writability-mode: enabled
    ds-mon-backend-degraded-index-count: 0
    ds-mon-backend-ttl-is-running: false
    ds-mon-backend-ttl-last-run-time: 20180809151924.210Z
    ds-mon-backend-ttl-thread-count: 0
    ds-mon-backend-ttl-queue-size: 0
    ds-mon-backend-ttl-entries-deleted: {"count":0,"total":0.000,"mean_rate":0.000,"m1_rate":0.000,"m5_rate":0.000,"m15_rate":0.000}
    ds-mon-backend-filter-use-start-time: 19700101000000Z
    ds-mon-backend-filter-use-indexed: 0
    ds-mon-backend-filter-use-unindexed: 0
    ds-mon-db-version: 7.5.11
    ds-mon-db-cache-evict-internal-nodes-count: 0
    ds-mon-db-cache-evict-leaf-nodes-count: 0
    ds-mon-db-cache-total-tries-internal-nodes: 1045
    ds-mon-db-cache-total-tries-leaf-nodes: 882
    ds-mon-db-cache-misses-internal-nodes: 12
    ds-mon-db-cache-misses-leaf-nodes: 70
    ds-mon-db-cache-size-active: 3230029
    ds-mon-db-log-size-active: 4604407
    ds-mon-db-log-cleaner-file-deletion-count: 0
    ds-mon-db-log-utilization-min: 56
    ds-mon-db-log-utilization-max: 56
    ds-mon-db-log-size-total: 4604407
    ds-mon-db-log-files-open: 1
    ds-mon-db-log-files-opened: 5
    ds-mon-db-checkpoint-count: 0
    ds-cfg-backend-id: userRoot
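The verification searches in both procedures only confirm that the bind succeeds and cn=monitor is readable; a poller also has to parse the returned entry and decide what to alert on. The following Python is an added example, not code from the original article or from DS: it parses an LDIF entry (folded continuation lines and the JSON-valued meters included) from a constructed sample of the response above, flags the backend conditions worth alerting on, and checks that a monitoring account's entry carries no privilege beyond monitor-read. The function names and the SAMPLE_RESPONSE text are assumptions made for the example.

```python
import json

# Constructed sample: attributes of the userRoot entry under cn=monitor as
# returned by the verification ldapsearch above, with the long JSON meter
# folded onto a continuation line the way ldapsearch wraps output.
SAMPLE_RESPONSE = """\
objectClass: top
objectClass: ds-monitor-backend
ds-mon-backend-is-private: false
ds-mon-backend-entry-count: 2002
ds-mon-backend-writability-mode: enabled
ds-mon-backend-degraded-index-count: 0
ds-mon-backend-ttl-entries-deleted: {"count":0,"total":0.000,"mean_rate":0.0
 00,"m1_rate":0.000,"m5_rate":0.000,"m15_rate":0.000}
ds-cfg-backend-id: userRoot
"""

def _coerce(value):
    """Decode JSON meters, booleans and integers; leave other strings as-is."""
    if value.startswith("{") and value.endswith("}"):
        return json.loads(value)
    if value in ("true", "false"):
        return value == "true"
    return int(value) if value.lstrip("-").isdigit() else value

def parse_ldif_entry(text):
    """Parse one LDIF entry into a dict; repeated attributes become lists."""
    entry = {}
    for line in text.replace("\n ", "").splitlines():  # join folded lines first
        if not line.strip():
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(_coerce(value.strip()))
    return {k: v[0] if len(v) == 1 else v for k, v in entry.items()}

def backend_problems(entry):
    """Conditions a poller reading cn=monitor should alert on for a backend."""
    problems = []
    if entry.get("ds-mon-backend-writability-mode") != "enabled":
        problems.append("writability-mode is %r" % entry.get("ds-mon-backend-writability-mode"))
    if entry.get("ds-mon-backend-degraded-index-count", 0) > 0:
        problems.append("%d degraded index(es)" % entry["ds-mon-backend-degraded-index-count"])
    return problems

def unexpected_privileges(user_entry, allowed=("monitor-read",)):
    """Least-privilege check: privileges on the account beyond what monitoring needs."""
    privs = user_entry.get("ds-privilege-name", [])
    privs = privs if isinstance(privs, list) else [privs]
    return sorted(set(privs) - set(allowed))
```

Running unexpected_privileges over the monitorUser.ldif entry from step 3 returns an empty list; any extra ds-privilege-name value on that entry shows up in the result.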

See Also

How do I use cn=monitor entry in DS 6.x for monitoring?

FAQ: Monitoring DS

Performance tuning and monitoring ForgeRock products

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.