# $OpenLDAP$
-# Copyright 1999, The OpenLDAP Foundation, All Rights Reserved.
+# Copyright 1999-2008 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
-H1: Monitoring Slapd
-
-Slapd supports a monitoring interface you can use to find out
-many useful bits of information about what slapd is currently
-doing, how many connections it has, how many threads are
-working, etc. You can access the monitor feature by doing a
-base object search of the SLAPD_MONITOR_DN from
-include/ldapconfig.h with any kind of valid filter (e.g.,
-"(objectclass=*)"). By default, this DN is set to "cn=monitor".
-You will get one entry returned to you, with the following
+H1: Monitoring
+
+{{slapd}}(8) supports an optional {{TERM:LDAP}} monitoring interface
+you can use to obtain information regarding the current state of
+your {{slapd}} instance. For instance, the interface allows you
+to determine how many clients are connected to the server currently.
+The monitoring information is provided by a specialized backend,
+the {{monitor}} backend. A manual page, {{slapd-monitor}}(5) is
+available.
+
+When the monitoring interface is enabled, LDAP clients may be used
+to access information provided by the {{monitor}} backend, subject
+to access and other controls.
+
+When enabled, the {{monitor}} backend dynamically generates and
+returns objects in response to search requests in the {{cn=Monitor}}
+subtree. Each object contains information about a particular aspect
+of the server. The information is held in a combination of user
+applications and operational attributes. This information can be
+access with {{ldapsearch(1)}}, with any general-purpose LDAP browser,
+or with specialized monitoring tools. The {{SECT:Accessing Monitoring
+Information}} section provides a brief tutorial on how to use
+{{ldapsearch}}(1) to access monitoring information, while the
+{{SECT:Monitor information}} section details monitoring information
+base and its organization.
+
+While support for the monitor backend is included in default builds
+of slapd(8), this support requires some configuration to become
+active. This may be done using either {{EX:cn=config}} or
+{{slapd.conf}}(5). The former is discussed in the {{SECT:Monitor
+configuration via cn=config}} section of this of this chapter. The
+latter is discussed in the {{SECT:Monitor configuration via
+slapd.conf(5)}} section of this chapter. These sections assume
+monitor backend is built into {{slapd}} (e.g., {{EX:--enable-monitor=yes}},
+the default). If the monitor backend was built as a module (e.g.,
+{{EX:--enable-monitor=mod}}, this module must loaded. Loading of
+modules is discussed in the {{SECT:Configuring slapd}} and {{SECT:The
+slapd Configuration File}} chapters.
+
+
+H2: Monitor configuration via cn=config(5)
+
+{{This section has yet to be written.}}
+
+
+H2: Monitor configuration via slapd.conf(5)
+
+Configuration of the slapd.conf(5) to support LDAP monitoring
+is quite simple.
+
+First, ensure {{core.schema}} schema configuration file is included
+by your {{slapd.conf}}(5) file. The {{monitor}} backend requires
+it.
+
+Second, instantiate the {{monitor backend}} by adding a
+{{database monitor}} directive below your existing database
+sections. For instance:
+
+> database monitor
+
+Lastly, add additional global or database directives as needed.
+
+Like most other database backends, the monitor backend does honor
+slapd(8) access and other administrative controls. As some monitor
+information may be sensitive, it is generally recommend access to
+cn=monitor be restricted to directory administrators and their
+monitoring agents. Adding an {{access}} directive immediately below
+the {{database monitor}} directive is a clear and effective approach
+for controlling access. For instance, the addition of the following
+{{access}} directive immediately below the {{database monitor}}
+directive restricts access to monitoring information to the specified
+directory manager.
+
+> access to *
+> by dn.exact="cn=Manager,dc=example,dc=com
+> by * none
+
+More information on {{slapd}}(8) access controls, see {{The access
+Control Directive}} section of the {{SECT:The slapd Configuration
+File}} chapter and {{slapd.access}}(5).
+
+After restarting {{slapd}}(8), you are ready to start exploring the
+monitoring information provided in {{EX:cn=config}} as discussed
+in the {{SECT:Accessing Monitoring Information}} section of this
+chapter.
+
+One can verify slapd(8) is properly configured to provide monitoring
+information by attempting to read the {{EX:cn=monitor}} object.
+For instance, if the following {{ldapsearch}}(1) command returns the
+cn=monitor object (with, as requested, no attributes), it's working.
+
+> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W \
+> -b 'cn=Monitor' -s base 1.1
+
+Note that unlike general purpose database backends, the database
+suffix is hardcoded. It's always {{EX:cn=Monitor}}. So no {{suffix}}
+directive should be provided. Also note that general purpose
+database backends, the monitor backend cannot be instantiated
+multiple times. That is, there can only be one (or zero) occurrences
+of {{EX:database monitor}} in the server's configuration.
+
+
+H2: Accessing Monitoring Information
+
+As previously discussed, when enabled, the {{monitor}} backend
+dynamically generates and returns objects in response to search
+requests in the {{cn=Monitor}} subtree. Each object contains
+information about a particular aspect of the server. The information
+is held in a combination of user applications and operational
+attributes. This information can be access with {{ldapsearch(1)}},
+with any general-purpose LDAP browser, or with specialized monitoring
+tools.
+
+This section provides a provides a brief tutorial on how to use
+{{ldapsearch}}(1) to access monitoring information.
+
+To inspect any particular monitor object, one performs search
+operation on the object with a baseObject scope and a
+{{EX:(objectClass=*)}} filter. As the monitoring information is
+contained in a combination of user applications and operational
+attributes, the return all user applications attributes (e.g.,
+{{EX:'*'}}) and all operational attributes (e.g., {{EX:'+'}}) should
+be requested. For instance, to read the {{EX:cn=Monitor}} object
+itself, the {{ldapsearch}}(1) command (modified to fit your configuration)
+can be used:
+
+> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W \
+> -b 'cn=Monitor' -s base '(objectClass=*)' '*' '+'
+
+When run against your server, this should produce output
+similar to:
+
+> dn: cn=Monitor
+> objectClass: monitorServer
+> structuralObjectClass: monitorServer
+> cn: Monitor
+> creatorsName:
+> modifiersName:
+> createTimestamp: 20061208223558Z
+> modifyTimestamp: 20061208223558Z
+> description: This subtree contains monitoring/managing objects.
+> description: This object contains information about this server.
+> description: Most of the information is held in operational attributes, which
+> must be explicitly requested.
+> monitoredInfo: OpenLDAP: slapd 2.4 (Dec 7 2006 17:30:29)
+> entryDN: cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: TRUE
+
+To reduce the number of uninteresting attributes returned, one
+can be more selective when requesting which attributes are to be
+returned. For instance, one could request the return of all
+attributes allowed by the {{monitorServer}} object class (e.g.,
+{{EX:@objectClass}}) instead of all user and all operational
attributes:
-E: version: slapd <version> (<date>)
+> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W \
+> -b 'cn=Monitor' -s base '(objectClass=*)' '@monitorServer'
+
+This limits the output as follows:
+
+> dn: cn=Monitor
+> objectClass: monitorServer
+> cn: Monitor
+> description: This subtree contains monitoring/managing objects.
+> description: This object contains information about this server.
+> description: Most of the information is held in operational attributes, which
+> must be explicitly requested.
+> monitoredInfo: OpenLDAP: slapd 2.X (Dec 7 2006 17:30:29)
+
+To return the names of all the monitoring objects, one performs a
+search of {{EX:cn=Monitor}} with subtree scope and {{EX:(objectClass=*)}}
+filter and requesting no attributes (e.g., {{EX:1.1}}) be returned.
+
+> ldapsearch -x -D 'cn=Manager,dc=example,dc=com' -W -b 'cn=Monitor' -s sub 1.1
+
+If you run this command you will discover that there are many objects
+in the {{cn=Monitor}} subtree. The following section describes
+some of the commonly available monitoring objects.
+
+
+H2: Monitor Information
+
+The {{monitor}} backend provides a wealth of information useful
+for monitoring the slapd(8) contained in set of monitor objects.
+Each object contains information about a particular aspect of
+the server, such as a backends, a connection, or a thread.
+Some objects serve as containers for other objects and used
+to construct a hierarchy of objects.
+
+In this hierarchy, the most superior object is {cn=Monitor}.
+While this object primarily serves as a container for other
+objects, most of which are containers, this object provides
+information about this server. In particular, it provides the
+slapd(8) version string. Example:
+
+> dn: cn=Monitor
+> monitoredInfo: OpenLDAP: slapd 2.X (Dec 7 2006 17:30:29)
+
+Note: Examples in this section (and its subsections) have been
+trimmed to show only key information.
+
+
+H3: Backends
+
+The {{EX:cn=Backends,cn=Monitor}} object, itself, provides a list
+of available backends. The list of available backends all builtin
+backends, as well as backends loaded by modules. For example:
+
+> dn: cn=Backends,cn=Monitor
+> monitoredInfo: config
+> monitoredInfo: ldif
+> monitoredInfo: monitor
+> monitoredInfo: bdb
+> monitoredInfo: hdb
+
+This indicates the {{config}}, {{ldif}}, {{monitor}}, {{bdb}},
+and {{hdb}} backends are available.
+
+The {{EX:cn=Backends,cn=Monitor}} object is also a container
+for available backend objects. Each available backend object
+contains information about a particular backend. For example:
+
+> dn: cn=Backend 0,cn=Backends,cn=Monitor
+> monitoredInfo: config
+> monitorRuntimeConfig: TRUE
+> supportedControl: 2.16.840.1.113730.3.4.2
+> seeAlso: cn=Database 0,cn=Databases,cn=Monitor
+>
+> dn: cn=Backend 1,cn=Backends,cn=Monitor
+> monitoredInfo: ldif
+> monitorRuntimeConfig: TRUE
+> supportedControl: 2.16.840.1.113730.3.4.2
+>
+> dn: cn=Backend 2,cn=Backends,cn=Monitor
+> monitoredInfo: monitor
+> monitorRuntimeConfig: TRUE
+> supportedControl: 2.16.840.1.113730.3.4.2
+> seeAlso: cn=Database 2,cn=Databases,cn=Monitor
+>
+> dn: cn=Backend 3,cn=Backends,cn=Monitor
+> monitoredInfo: bdb
+> monitorRuntimeConfig: TRUE
+> supportedControl: 1.3.6.1.1.12
+> supportedControl: 2.16.840.1.113730.3.4.2
+> supportedControl: 1.3.6.1.4.1.4203.666.5.2
+> supportedControl: 1.2.840.113556.1.4.319
+> supportedControl: 1.3.6.1.1.13.1
+> supportedControl: 1.3.6.1.1.13.2
+> supportedControl: 1.3.6.1.4.1.4203.1.10.1
+> supportedControl: 1.2.840.113556.1.4.1413
+> supportedControl: 1.3.6.1.4.1.4203.666.11.7.2
+> seeAlso: cn=Database 1,cn=Databases,cn=Monitor
+>
+> dn: cn=Backend 4,cn=Backends,cn=Monitor
+> monitoredInfo: hdb
+> monitorRuntimeConfig: TRUE
+> supportedControl: 1.3.6.1.1.12
+> supportedControl: 2.16.840.1.113730.3.4.2
+> supportedControl: 1.3.6.1.4.1.4203.666.5.2
+> supportedControl: 1.2.840.113556.1.4.319
+> supportedControl: 1.3.6.1.1.13.1
+> supportedControl: 1.3.6.1.1.13.2
+> supportedControl: 1.3.6.1.4.1.4203.1.10.1
+> supportedControl: 1.2.840.113556.1.4.1413
+> supportedControl: 1.3.6.1.4.1.4203.666.11.7.2
+
+For each of these objects, monitorInfo indicates which backend the
+information in the object is about. For instance, the {{EX:cn=Backend
+3,cn=Backends,cn=Monitor}} object contains (in the example) information
+about the {{bdb}} backend.
+
+!block table
+Attribute|Description
+monitoredInfo|Name of backend
+supportedControl|supported LDAP control extensions
+seeAlso|Database objects of instances of this backend
+!endblock
+
+H3: Connections
+
+The main entry is empty; it should contain some statistics on the number
+of connections.
+
+Dynamic child entries are created for each open connection, with stats on
+the activity on that connection (the format will be detailed later).
+There are two special child entries that show the number of total and
+current connections respectively.
+
+For example:
+
+Total Connections:
+
+> dn: cn=Total,cn=Connections,cn=Monitor
+> structuralObjectClass: monitorCounterObject
+> monitorCounter: 4
+> entryDN: cn=Total,cn=Connections,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
+
+Current Connections:
+
+> dn: cn=Current,cn=Connections,cn=Monitor
+> structuralObjectClass: monitorCounterObject
+> monitorCounter: 2
+> entryDN: cn=Current,cn=Connections,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
+
+
+H3: Databases
+
+The main entry contains the naming context of each configured database;
+the child entries contain, for each database, the type and the naming
+context.
+
+For example:
+
+> dn: cn=Database 2,cn=Databases,cn=Monitor
+> structuralObjectClass: monitoredObject
+> monitoredInfo: monitor
+> monitorIsShadow: FALSE
+> monitorContext: cn=Monitor
+> readOnly: FALSE
+> entryDN: cn=Database 2,cn=Databases,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
+
+H3: Listener
+
+It contains the description of the devices the server is currently
+listening on:
+
+> dn: cn=Listener 0,cn=Listeners,cn=Monitor
+> structuralObjectClass: monitoredObject
+> monitorConnectionLocalAddress: IP=0.0.0.0:389
+> entryDN: cn=Listener 0,cn=Listeners,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
+
+
+H3: Log
+
+It contains the currently active log items. The {{Log}} subsystem allows
+user modify operations on the {{description}} attribute, whose values {{MUST}}
+be in the list of admittable log switches:
+
+> Trace
+> Packets
+> Args
+> Conns
+> BER
+> Filter
+> Config
+> ACL
+> Stats
+> Stats2
+> Shell
+> Parse
+> Sync
-This attribute identifies the slapd server software by name,
-version, and build date, e.g., {{EX: slapd 3.3 (Thu May 21 14:19:03
-EDT 1996)}}
+These values can be added, replaced or deleted; they affect what
+messages are sent to the syslog device.
+Custom values could be added by custom modules.
-E: threads: <integer>
+H3: Operations
-This attribute indicates the number of threads (operations)
-currently outstanding in slapd.
+It shows some statistics on the operations performed by the server:
-E: connection: <fd> : <opentime> : <opsinitiated> :
-E: <opscompleted> : <binddn> : [ <rw> ]
+> Initiated
+> Completed
-This multi-valued attribute summarizes information for each
-open connection. The information given is {{EX: <fd>}}, the file
-descriptor; {{EX: <opentime>}}, the time the connection was opened
-in UTC format; {{EX: <opsinitiated>}}, the number of operations
-initiated over the connection; {{EX: <opscompleted>}}, the number
-of operations completed over the connection; {{EX: <binddn>}}, the
-DN currently bound to the connection; and optionally {{EX: <rw>}},
-indicating whether the connection is currently blocked for
-read or write..
+and for each operation type, i.e.:
-E: currentconnections: <integer>
+> Bind
+> Unbind
+> Add
+> Delete
+> Modrdn
+> Modify
+> Compare
+> Search
+> Abandon
+> Extended
-The current number of connections.
+There are too many types to list example here, so please try for yourself
+using {{SECT: Monitor search example}}
-E: totalconnections: <integer>
+H3: Overlays
-The total number of connections handled by slapd since it
-started.
+The main entry contains the type of overlays available at run-time;
+the child entries, for each overlay, contain the type of the overlay.
-E: dtablesize: <integer>
+It should also contain the modules that have been loaded if dynamic
+overlays are enabled:
-The size of slapd's file descriptor table.
+> # Overlays, Monitor
+> dn: cn=Overlays,cn=Monitor
+> structuralObjectClass: monitorContainer
+> monitoredInfo: syncprov
+> monitoredInfo: accesslog
+> monitoredInfo: glue
+> entryDN: cn=Overlays,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: TRUE
-E: writewaiters: <integer>
+H3: SASL
-The number of threads blocked waiting to write data to a
-client.
+Currently empty.
-E: readwaiters: <integer>
+H3: Statistics
-The number of threads blocked waiting to read data from a
-client.
+It shows some statistics on the data sent by the server:
-E: opsinitiated: <integer>
+> Bytes
+> PDU
+> Entries
+> Referrals
-The total number of operations initiated by slapd since it
-started.
+e.g.
-E: opscompleted: <integer>
+> # Entries, Statistics, Monitor
+> dn: cn=Entries,cn=Statistics,cn=Monitor
+> structuralObjectClass: monitorCounterObject
+> monitorCounter: 612248
+> entryDN: cn=Entries,cn=Statistics,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
-The total number of operations completed by slapd since it
-started.
+H3: Threads
-E: entriessent: <integer>
+It contains the maximum number of threads enabled at startup and the
+current backload.
-The total number of entries sent to clients by slapd since it
-started.
+e.g.
-E: bytessent: <integer>
+> # Max, Threads, Monitor
+> dn: cn=Max,cn=Threads,cn=Monitor
+> structuralObjectClass: monitoredObject
+> monitoredInfo: 16
+> entryDN: cn=Max,cn=Threads,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
-The total number of bytes sent to clients by slapd since it
-started.
-E: currenttime: <UTC time>
+H3: Time
-Slapd's idea of the current time.
+It contains two child entries with the start time and the current time
+of the server.
-E: starttime: <integer>
+e.g.
-The time slapd was started.
+Start time:
-E: nbackends: <integer>
+> dn: cn=Start,cn=Time,cn=Monitor
+> structuralObjectClass: monitoredObject
+> monitorTimestamp: 20061205124040Z
+> entryDN: cn=Start,cn=Time,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
-The number of backends currently being served by slapd.
+Current time:
-E: concurrency: <integer>
+> dn: cn=Current,cn=Time,cn=Monitor
+> structuralObjectClass: monitoredObject
+> monitorTimestamp: 20061207120624Z
+> entryDN: cn=Current,cn=Time,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
-Under Solaris 2.x only, an indication of the current level of
-thread concurrency.
+H3: TLS
-Note that slapd takes a snapshot of this information and
-returns it to you. No attempt is made to ensure that the
-information is consistent (i.e., if an operation thread is
-modifying one of these things when the monitor thread is
-reading it, strange results could be returned).
+Currently empty.
-You should be able to use any LDAP client to retrieve this
-information. Here's how you might do it using the
-{{I: ldapsearch}}(1) client:
+H3: Waiters
+
+It contains the number of current read waiters.
+
+e.g.
+
+Read waiters:
+
+> dn: cn=Read,cn=Waiters,cn=Monitor
+> structuralObjectClass: monitorCounterObject
+> monitorCounter: 7
+> entryDN: cn=Read,cn=Waiters,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
+
+Write waiters:
+
+> dn: cn=Write,cn=Waiters,cn=Monitor
+> structuralObjectClass: monitorCounterObject
+> monitorCounter: 0
+> entryDN: cn=Write,cn=Waiters,cn=Monitor
+> subschemaSubentry: cn=Subschema
+> hasSubordinates: FALSE
+
+Add new monitored things here and discuss, referencing man pages and present
+examples
-E: ldapsearch -s base -b cn=monitor 'objectclass=*'
projects / openldap / blobdiff