SiteScope User's Guide


LDAP Monitor

The SiteScope LDAP Monitor verifies that a Lightweight Directory Access Protocol (LDAP) server is working correctly by connecting to it and performing a "simple" authentication. Optionally, it can check the result for expected content.

Each time the LDAP Monitor runs, it returns a status based upon the time it takes to perform the connection.

Usage Guidelines

If your LDAP server is not working properly, the user will not be able to access and update information in the directory. Most importantly, the user will not be able to perform any authentication using the LDAP server. Another reason to monitor the LDAP server is to find performance bottlenecks: if your End User and LDAP times are both increasing by about the same amount, the LDAP server is probably the bottleneck. If not, the bottleneck is probably somewhere else.

What to monitor

The most important thing to monitor is the authentication of a specific user on the LDAP server. If more than one LDAP server is used, you will want to monitor each of the servers.

You may also choose to monitor round trip time of the authentication process.

About scheduling this monitor

You may want to monitor your most critical and most common queries as frequently as every 10-15 minutes.

Status

The status is logged as either OK, warning, or error. An error status or warning status is returned if the current value of the monitor is anything other than OK. Errors occur if SiteScope is unable to connect, receives an unknown hostname error, or the IP address does not match the hostname.

Completing the LDAP Monitor Form

To display the LDAP Monitor Form, either click the Edit link for an existing LDAP Monitor in a monitor table, or click the Add a new Monitor to this Group link on a group's detail page and click the Add LDAP Monitor link.

Complete the items on the LDAP Monitor form as follows. When the required items are complete, click the Add Monitor button.

LDAP Service Provider
Enter the constant that holds the name of the environment property for specifying configuration information for the service provider to use. The value of the property should contain a URL string (for example, "ldap://somehost:389"). This property may be specified in the environment, an applet parameter, a system property, or a resource file. If it is not specified in any of these sources, the default configuration is determined by the service provider.

LDAP Security Principal
Enter the constant that holds the name of the environment property for specifying the identity of the principal for authenticating the caller to the service. The format of the principal depends on the authentication scheme. If this property is unspecified, the behavior is determined by the service provider. The principal should be of the form (uid=testuser,ou=TEST,o=mydomain.com).

LDAP Security Credential
Enter the constant that holds the name of the environment property for specifying the credentials of the principal for authenticating the caller to the service. The value of the property depends on the authentication scheme. For example, it could be a hashed password, clear-text password, key, certificate, and so on. If this property is unspecified, the behavior is determined by the service provider.

Update every
Select how often the monitor should check the LDAP server. The default interval is to run or update the monitor once every 10 minutes. Use the drop-down list to the right of the text box to specify another update interval in increments of seconds, minutes, hours, or days. The update interval must be 15 seconds or longer.

Title
Enter a title text for this monitor. This text is displayed in the group detail page, in report titles, and other places in the SiteScope interface. If you do not enter a title text, SiteScope will create a title based on the host, server, or URL being monitored.

Advanced Options

The Advanced Options section presents a number of ways to customize monitor behavior and display. Use this section to customize error and warning thresholds, disable the monitor, set monitor-to-monitor dependencies, customize display options, and enter other monitor specific settings required for special infrastructure environments. The options for this monitor type are described below. Complete the entries as needed and click the Add or Update button to save the settings.

Disable
Check this box to temporarily disable this monitor and any associated alerts. To enable the monitor again, clear the box.

Content Match
Enter a string of text to check for in the query result. If the text is not contained in the result, the monitor will display no match on content. The search is case sensitive. This works for XML tags as well. You may also perform a Perl regular expression match by enclosing the string in forward slashes, with an i after the trailing slash indicating case-insensitive matching (for example, /href=Doc\d+\.html/ or /href=doc\d+\.html/i). If you want a particular piece of text to be saved and displayed as part of the status, use parentheses in a Perl regular expression. For example, /Temperature: (\d+)/ would return the temperature as it appears on the page, and this value could be used when setting an Error if or Warning if threshold.
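The matching rules described for Content Match, sketched as an added example (this is not SiteScope code). It assumes Python's re module as a stand-in for Perl regular expressions and treats an entry without both enclosing slashes as a plain string; the function name and the sample result text are constructed for illustration.

```python
import re

def content_match(expected, result_text):
    """Return (matched, captured) for a Content Match entry applied to result text."""
    m = re.fullmatch(r"/(.*)/(i?)", expected, re.S)
    if m is None:
        # Plain string: case-sensitive substring test, nothing captured.
        return expected in result_text, None
    flags = re.I if m.group(2) else 0
    try:
        found = re.search(m.group(1), result_text, flags)
    except re.error as exc:
        raise ValueError("invalid regular expression: %s" % exc)
    if found is None:
        return False, None
    # The first parenthesised group, if any, is the value kept for the status.
    return True, found.group(1) if found.re.groups else None

# Constructed query result (not output from a real server).
RESULT = "uid=testuser,ou=TEST,o=mydomain.com mail: Test.User@mydomain.com"
```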

Object Query
Use this box to enter an object query to look at an LDAP object other than the default user dn object. For example, enter the mail object to check for an e-mail address associated with the dn object entered above. You must enter a valid object query in this text box if you are using an LDAP filter (see the description below).

LDAP Filter
Enter an LDAP filter in this text box in order to perform a search using filter criteria. The LDAP filter syntax is a logical expression in prefix notation, meaning that the logical operator appears before its arguments. For example, the item sn=Freddie means that the sn attribute must exist with the attribute value equal to Freddie. Multiple items can be included in the filter string by enclosing them in parentheses, such as (sn=Freddie), and combining them using logical operators such as & (the conjunction operator) to create logical expressions. For example, the filter syntax (& (sn=Freddie) (mail=*)) requests LDAP entries that have both a sn attribute of Freddie and a mail attribute.

More information about LDAP filter syntax can be found at http://www.ietf.org/rfc/rfc2254.txt and also at http://java.sun.com/products/jndi/tutorial/basics/directory/filter.html
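The prefix-notation filter described above, evaluated against sample entries, together with RFC 2254 value escaping; this is an added example, not SiteScope or JNDI code. It covers only the &, | and ! operators with equality, presence and * wildcard items, assumes case-insensitive value matching, and all function names and sample entries are constructed for illustration.

```python
import re

# RFC 2254 section 4: characters that must be written as \XX inside a value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ws = re.compile(r"\s*").match          # tolerate spaces between items
_hex = re.compile(r"\\([0-9a-fA-F]{2})")

def escape_value(value):
    """Escape untrusted text so it cannot change the structure of a filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def _item(attr, value, entry):
    # A bare * is a wildcard; an escaped \2a is a literal asterisk.
    parts = (_hex.sub(lambda m: chr(int(m.group(1), 16)), p) for p in value.split("*"))
    pattern = ".*".join(re.escape(p) for p in parts)
    return any(re.fullmatch(pattern, v, re.I | re.S) for v in entry.get(attr, []))

def _eval(text, pos, entry):
    if text[pos:pos + 1] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos = _ws(text, pos + 1).end()
    op = text[pos:pos + 1]
    if op in ("&", "|", "!"):               # prefix operator, then its operands
        results, pos = [], _ws(text, pos + 1).end()
        while text[pos:pos + 1] == "(":
            hit, pos = _eval(text, pos, entry)
            results.append(hit)
        if not results or (op == "!" and len(results) != 1):
            raise ValueError("wrong number of operands for " + op)
        result = {"&": all(results), "|": any(results), "!": not results[0]}[op]
    else:                                   # simple item such as sn=Freddie
        end = text.find(")", pos)
        attr, eq, value = text[pos:max(end, pos)].partition("=")
        if end < 0 or not eq or not attr.strip() or "(" in value:
            raise ValueError("malformed item at offset %d" % pos)
        result, pos = _item(attr.strip().lower(), value, entry), end
    if text[pos:pos + 1] != ")":
        raise ValueError("missing ')' at offset %d" % pos)
    return result, _ws(text, pos + 1).end()

def matches(filter_text, entry):
    """Evaluate a filter string against an entry given as {attr: [values]}."""
    result, pos = _eval(filter_text, _ws(filter_text, 0).end(), entry)
    if pos != len(filter_text):
        raise ValueError("unexpected text after filter")
    return result

# Constructed sample entries (not from a real directory).
FREDDIE = {"sn": ["Freddie"], "mail": ["freddie@example.com"]}
NO_MAIL = {"sn": ["Freddie"]}
```

Passing a value through escape_value before placing it in a filter keeps a * or parenthesis in that value literal, so (sn=Fred*) matches Freddie while the escaped form (sn=Fred\2a) does not.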

Verify Error
Check this box if you want SiteScope to automatically run this monitor again if it detects an error. When an error is detected, the monitor will immediately be scheduled to run again once.

Note: In order to change the run frequency of this monitor when an error is detected, use the Update Every (on error) option below.

Note: The status returned by the Verify Error run of the monitor will replace the status of the originally scheduled run that detected an error. This may cause the loss of important performance data if the data from the verify run is different than the initial error status.

Warning: Use of this option across many monitor instances may result in significant monitoring delays in the case that multiple monitors are rescheduled to verify errors at the same time.

Update Every (on error)
You use this option to set a new monitoring interval for monitors that have registered an error condition. For example, you may want SiteScope to monitor this item every 10 minutes normally, but as often as every 2 minutes if an error has been detected. Note that this increased scheduling will also affect the number of alerts generated by this monitor.

Schedule
By default, SiteScope monitors are enabled every day of the week. You may, however, schedule your monitors to run only on certain days or on a fixed schedule. Click the Edit schedule link to create or edit a monitor schedule. For more information about working with monitor schedules, see the section on Schedule Preferences for Monitoring.

Monitor Description
Enter additional information about this monitor. The Monitor Description can include HTML tags such as the <BR>, <HR>, and <B> tags to control display format and style. The description will appear on the Monitor Detail page.

Report Description
Enter an optional description for this monitor that will make it easier to understand what the monitor does. For example, network traffic or main server response time. This description will be displayed with each bar chart and graph in Management Reports and appended to the tool-tip displayed when you pass the mouse cursor over the status icon for this monitor on the monitor detail page.

Depends On
To make the running of this monitor dependent on the status of another monitor or monitor group, use the drop-down list to select the monitor on which this monitor is dependent. Select None to remove any dependency.

Depends Condition
If you choose to make the running of this monitor dependent on the status of another monitor, select the status condition that the other monitor or monitor group should have in order for the current monitor to run normally. The current monitor will be run normally as long as the monitor on which it depends reports the condition selected in this option.

List Order
By default, new monitors are listed last on the Monitor Detail page. You may use this drop-down list to choose a different placement for this monitor.

Error if
Set the conditions under which the LDAP monitor should report an error status. Enter a comparison value and use the comparison operator list to specify an error threshold such as: >= (greater than or equal to), != (not equal to), or < (less than).

Warning if
Set the conditions under which the LDAP monitor should report a warning status. Enter a comparison value and the comparison operator as for the Error if section above.

Good if
Set the conditions under which the LDAP monitor should report a good (OK) status. Enter a comparison value and the comparison operator as for the Error if section above.