My cn=monitor config

Following is a short config.xml file for CN=Monitor that I use to keep track of a few important directories.

I currently run version 3.2.1-1 of the software, configured to log to a MySQL server backend as detailed in the documentation. On my Red Hat systems, installation was by rpm to ensure consistency and maintainability.

Note: The latest version of cnmonitor is incompatible with the php-snmp module for RHEL 6+ (including Fedora 19+). This is because cnmonitor contains its own implementation of SNMP for php, leading to a “PHP Fatal error: Cannot redeclare class Snmp in /usr/share/cnmonitor/www/objects/snmpobject.php on line 29” error on execution (line 29 begins the Snmp class declaration). Unless you really need php-snmp for something else (like cacti) this shouldn’t be a problem.

For an rpm install the main configuration file is found at /etc/cnmonitor/config.xml.

<?xml version="1.0" encoding="UTF-8"?>
<cnmonitor>
  <general>
    <language>en</language>
    <database>
      <username>cnmonitor</username>
      <password>xxxxxxxx</password>
      <host>localhost</host>
      <database>cnmonitor</database>
      <type>mysql</type>
    </database>
    <environment>
      <wwwaddress>http://ldapmanager.example.com/cnmonitor</wwwaddress>
      <mailfrom>ldapmanager@example.com</mailfrom>
      <mailto>ldapmanager@example.com</mailto>
    </environment>
  </general>
  <environment>
    <name>Production Enterprise DS</name>
    <loadbalancer>eldap.example.com</loadbalancer>
    <server>
      <name>eldap1.example.com</name>
      <dn>cn=directory manager</dn>
      <encpassword>hCl/wMcFj6gboIOgFr4rLw==</encpassword>
      <tls>on</tls>
    </server>
    <server>
      <name>eldap2.example.com</name>
      <port>1389</port>
      <secureport>1636</secureport>
      <dn>cn=directory manager</dn>
      <encpassword>hCl/wMcFj6gboIOgFr4rLw==</encpassword>
      <tls>on</tls>
    </server>
  </environment>
  <environment>
    <name>Quality Enterprise DS</name>
    <server>
      <name>qeldap1.example.com</name>
      <port>1389</port>
      <secureport>1636</secureport>
      <dn>cn=directory manager</dn>
      <encpassword>hCl/wMcFj6gboIOgFr4rLw==</encpassword>
      <tls>on</tls>
    </server>
  </environment>
  <environment>
    <name>Development Enterprise DS</name>
    <server>
      <name>deldap1.example.com</name>
      <port>1389</port>
      <secureport>1636</secureport>
    </server>
  </environment>
  <environment>
    <name>Exp Production Directory</name>
    <vendor>opends</vendor>
    <server>
      <name>pexpdir.example.com</name>
      <port>1389</port>
      <secureport>636</secureport>
      <dn>cn=directory manager</dn>
      <encpassword>hCl/wMcFj6gboIOgFr4rLw==</encpassword>
      <tls>on</tls>
    </server>
  </environment>
  <environment>
    <name>Exp Development Directory</name>
    <vendor>opends</vendor>
    <server>
      <name>dexpdir.example.com</name>
      <dn>cn=admin,ou=special users,dc=example,dc=com</dn>
      <encpassword>hCl/wMcFj6gboIOgFr4rLw==</encpassword>
      <scheme>ldaps</scheme>
    </server>
  </environment>
</cnmonitor>

I like this as an example because it shows a couple of useful methods that most admins will be interested in.

First, of course, would be the very simple configuration for logging to a MySQL database. I think this is one of the truly great features of the software because it lets me track directory performance over time.

Second, my production enterprise environment is load-balanced by a hardware device and the configuration takes advantage of the separate method for displaying and tracking how well load balancing is actually working.

Finally, access to my newer, experimental directories based on OpenDJ is restricted to a nonstandard port for LDAP (1389) and the standard LDAPS port (636). (In reality my monitoring station doesn’t get a pass from the directory server firewall for LDAP, so the non-secure and secure ports are both set to 636; see this post on how to do that.)

All the examples show how to configure a secure bind to the directory with an administrative account that can read the cn=monitor tree (the password in the config file has been encrypted with the included encryptpassword.php script).
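As an added example (not part of the original post or of cnmonitor itself), the following Python script reads a config.xml in the shape shown above and reports each server's effective ports and whether its authenticated bind is protected by tls or an ldaps scheme; the embedded sample is constructed with placeholder hosts and password blob, and the 389/636 defaults for omitted port elements are my assumption, not taken from the cnmonitor documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the cnmonitor config.xml above; hostnames
# and the encpassword blob are placeholders, not real credentials.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<cnmonitor>
  <general><language>en</language></general>
  <environment>
    <name>Production Enterprise DS</name>
    <loadbalancer>eldap.example.com</loadbalancer>
    <server><name>eldap1.example.com</name><dn>cn=directory manager</dn>
      <encpassword>PLACEHOLDER==</encpassword><tls>on</tls></server>
    <server><name>eldap2.example.com</name><port>1389</port><secureport>1636</secureport>
      <dn>cn=directory manager</dn><encpassword>PLACEHOLDER==</encpassword></server>
  </environment>
  <environment>
    <name>Exp Development Directory</name><vendor>opends</vendor>
    <server><name>dexpdir.example.com</name><dn>cn=admin,dc=example,dc=com</dn>
      <encpassword>PLACEHOLDER==</encpassword><scheme>ldaps</scheme></server>
  </environment>
</cnmonitor>"""

# Assumed defaults when <port>/<secureport> are omitted (my assumption, not from cnmonitor docs).
DEFAULT_PORT, DEFAULT_SECUREPORT = 389, 636

def audit_config(xml_text):
    """Return one finding per <server>, flagging binds that would travel over cleartext LDAP."""
    findings = []
    for env in ET.fromstring(xml_text).findall("environment"):
        env_name = env.findtext("name", "")
        for srv in env.findall("server"):
            encrypted = (srv.findtext("tls", "off").lower() == "on"
                         or srv.findtext("scheme", "ldap").lower() == "ldaps")
            has_creds = srv.find("dn") is not None and srv.find("encpassword") is not None
            findings.append({
                "environment": env_name,
                "server": srv.findtext("name", ""),
                "port": int(srv.findtext("port", DEFAULT_PORT)),
                "secureport": int(srv.findtext("secureport", DEFAULT_SECUREPORT)),
                "encrypted_transport": encrypted,
                # an authenticated bind without TLS/ldaps sends the admin password in the clear
                "cleartext_bind_risk": has_creds and not encrypted,
            })
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        flag = "RISK" if f["cleartext_bind_risk"] else "ok"
        print(f"[{flag}] {f['environment']}: {f['server']} ldap={f['port']} ldaps={f['secureport']}")
```

Point it at /etc/cnmonitor/config.xml instead of the sample to check a live install before the first collectdb.php run.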

Note that when setting up the MySQL database backend you need to pay careful attention to the instructions. A couple of tips:

1. The shipping mysql.sql resource file assumes that you will be creating the database by loading it, rather than manually. Unless you feel comfortable modifying the file, I’d recommend you go with the flow. Once the database is created via a

mysql -u root -p < mysql.sql

you can go back and create the requisite cnmonitor database user and assign all privileges over the new database to it.

2. Don’t forget to initialize the database by running the collectdb.php, collectservermessage.php and collectsummary.php scripts, and then to add these to the root user’s crontab. Here’s my root crontab for the box where the monitor runs:

*/30 * * * * /usr/bin/php /usr/share/cnmonitor/bin/collectdb.php > /dev/null 2>&1
*/10 * * * * /usr/bin/php /usr/share/cnmonitor/bin/collectservermessage.php > /dev/null 2>&1
0 4 * * * /usr/bin/php /usr/share/cnmonitor/bin/collectsummary.php > /dev/null 2>&1

Again, the paths indicated are what get set up by an rpm install on Red Hat systems.

3. I usually use a different path for MySQL data files than the /var/lib/mysql default on Red Hat. Mostly it is /data/app/mysql/var, but you can choose whatever works in your environment. The point is that on my systems /data is a separate volume, usually on our enterprise SAN (Storage Area Network), that is separately backed up to ensure preservation of the data (my OpenDJ installs also wind up in /data/app/opendj for the same reason). Even if you do this, be sure to include /etc/my.cnf and /etc/cnmonitor in any backup regimen to make sure you can restore the configuration (I don’t expect everyone to keep separate copies of key config files in source control the way I do, although I think it’s a good idea).


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).