Sam Morris via FreeIPA-users wrote: > On 21/11/2022 17:10, Tania Hagan via FreeIPA-users wrote: >> I have a prometheus server and I am trying to setup an alert to test >> if an ldap search succeeds. Searching there seems to be a few >> exporters (389ds exporter, openldap exporter ) but all rather old and >> I'm struggling to get any useful metrics out of them. >> >> Could anyone recommend a good way to achieve this (preferably not >> putting a password a text file), afraid I've had a good search, but >> struggling to find a good way to do this. > > Is what you're trying to test covered by one of the tests within > ipa-healthcheck? If so then process its output into a file that you > ingest via the textfile collector of the node exporter. > > If not then if you've only got a few 'smoke test' type queries & you > simply, want to test whether they work, one way is to create a script > using e.g., ldapsearch and use SASL EXTERNAL authentication; run this on > a schedule and again have it produce files ingested via the textfile > collector. > > # ldapwhoami -Y EXTERNAL -H ldapi://%2frun%2fslapd-IPA-EXAMPLE-COM.socket > SASL/EXTERNAL authentication started > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > SASL SSF: 0 > dn: cn=Directory Manager > > EXTERNAL authentication, in conjunction with ldapi authenticates the > client based on the uid/gid of the client process, so you don't need to > deal with any users/passwords.
ipa-healthcheck has a Prometheus option but it only does a few things. It ensures the services are up but it doesn't do a direct LDAP query to be sure the server is answering. But I agree with your proposal. Using the ldapi socket on the IPA server as root will bind password-less as Directory Manager so any simple query will work. An alternative would be search for the available namingContexts which can be anonymous: ldapsearch -LLL -x -b "" -s base -H ldap://yourserver rob _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
