ldap_response
Nimsoft LDAP response watcher

This probe monitors a set of LDAP servers by regularly querying them with a predefined lookup call. Alarm messages can be generated on response time and number of found records. Quality of service messages can be sent on the same parameters.
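
An added example (not the probe's own code) of the alarm and QoS rules this page describes: thresholds on response time and record count, a "Size limit exceeded" result treated as a search error unless the backward-compatible behaviour is chosen, and a NULL record-count QoS value when the search failed. The class, field and threshold names are assumptions made for illustration; result code 4 is sizeLimitExceeded in RFC 4511.

```python
from dataclasses import dataclass
from typing import Optional

LDAP_SUCCESS = 0
LDAP_SIZELIMIT_EXCEEDED = 4  # RFC 4511 resultCode sizeLimitExceeded


@dataclass
class SearchOutcome:  # constructed shape, not the probe's internal structure
    result_code: int
    records: int
    response_ms: float


@dataclass
class Profile:  # hypothetical thresholds for one monitored server
    max_response_ms: float
    min_records: int
    sizelimit_is_error: bool = True  # False models the backward-compatible choice


def evaluate(outcome: SearchOutcome, profile: Profile):
    """Return (alarms, qos) for a single search against one server."""
    alarms = []
    tolerated = (outcome.result_code == LDAP_SIZELIMIT_EXCEEDED
                 and not profile.sizelimit_is_error)
    failed = outcome.result_code != LDAP_SUCCESS and not tolerated
    qos_records: Optional[int] = None  # NULL, not 0, when the search failed
    if failed:
        alarms.append(f"search error (resultCode {outcome.result_code})")
    else:
        qos_records = outcome.records
        if outcome.records < profile.min_records:
            alarms.append(f"found {outcome.records} records, "
                          f"expected >= {profile.min_records}")
    if outcome.response_ms > profile.max_response_ms:
        alarms.append(f"response time {outcome.response_ms:.0f} ms "
                      f"> {profile.max_response_ms:.0f} ms")
    return alarms, {"response_ms": outcome.response_ms, "records": qos_records}


# Constructed sample: the server returned 1000 entries, then sizeLimitExceeded.
TRUNCATED = SearchOutcome(LDAP_SIZELIMIT_EXCEEDED, 1000, 180.0)

if __name__ == "__main__":
    for strict in (True, False):
        print(strict, evaluate(TRUNCATED, Profile(500.0, 1, strict)))
```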


Notes:

  • Windows:

    GSSAPI authentication on Windows requires that the computer running the LDAP Response probe is in a Windows domain. You specify a domain user for the probe to impersonate, so that the probe can test GSSAPI (Kerberos) authentication against an LDAP server.

  • Linux:

    On Linux, you must have a Kerberos client configuration set up, e.g. /etc/krb5.conf.
    The probe then needs to know the principal name, a password for this principal and, optionally, which realm to use. If no realm is specified, the default realm in the client configuration files is used. The probe tries to acquire a TGT (Ticket-Granting Ticket) for the principal and then gets a service ticket for the LDAP server. By default, tickets are destroyed after each search. You can choose to keep the tickets in the credential cache until the next GSSAPI-enabled profile is run. At present, tickets are not used again.
    The probe is also programmed to destroy the ticket cache when it stops.
    The probe stores the tickets temporarily in the default credential cache of the user that the ldap_response process is running as. If you want to use a different credential cache, you have to use the robot to run ldap_response as a different user with either ksu or su.

It has been tested with Microsoft ® Active Directory ® and Novell ® eDirectory (tm) 8.8 SP1 (20114.57) and a Novell ® KDC (Key Distribution Center) server.

The probe is compiled and linked with the Kerberos implementation from MIT ® and Novell ® LDAP libraries for C.

Revision history

Version 1.45, State: CR, Date: 23.09.2022

What's New:

  • Supports TLS 1.2 and upgraded Vs 2017 and third-party libs (openssl and OpenLDAP). Supports SIMPLE Bind authentication only.
    Note: This version does not support Kerberos authentication.

This is a Control Release.

SHA-256 Checksum: 39445f26edcb10fc0d13aba293d833bb6e32892a88ce5ef434250d33743a2c1c

Version 1.35, State: GA, Date: 08.10.2013

  • Fix for a log rotate issue

Version 1.34, Date: 26.06.2013

  • Added Probe Defaults

Version 1.33, Date: 22.06.2012

  • Fixed SOC Defect.

Version 1.32, Date: 30.12.2011

  • Support added for SOC.

Version 1.31, Date: 31.03.2011

  • Fixed variable problem on alarm clear.
  • Fixed password problem on interactive test.

Version 1.30, Date: 20.12.2010

  • Added support for internationalization.
  • Added support for reading alarm tokens from cfg.

Version 1.21, Date: 30.06.2010

  • Made changes to libraries with respect to configuration locking.

Version 1.20, Date: 18.03.2010

  • Added NIS (TNT2) support.

Version 1.12, Date: 30.09.2009

  • Fixed default message level was not set for the alarms.

Version 1.11, Date: 30.08.2007

  • Replaced OpenLDAP with LDAP libraries for C.
  • Feature: *Added support for GSSAPI (Kerberos) authentication. See note below.
  • Feature: Added a "Query root DSE" button in GUI to query the LDAP server for supported SASL mechanisms and naming contexts.
  • Feature: Added support for Secure LDAP (LDAP over SSL). If you wish to use SSL, you will have to import/upload the trusted root CA certificate that has created the LDAP server certificate to the probe, via the GUI.
  • Feature: Added support to override source field when an alarm threshold is breached.
  • Feature: Added support to override default port.
  • Feature: Added support to specify search scope.
  • Feature: Added support for "Test query" button in GUI to encrypt the password before sending it to the probe. The callback in the probe itself still supports unencrypted passwords, for backward compatibility or if you wish to execute a test via PU (probe utility).
  • Feature: Added support to override default timeout for LDAP operations.
  • Optimized: You can set log size limit from GUI.
  • Added support for Linux. Note: Requires at minimum glibc-2.3.3, openldap2-2.2.6, cyrus-sasl-2.1.6 and openssl-0.9.7
  • Fix: You can choose whether a search should be considered an error, even if it returns records. For example, if you perform a query that returns more than 1000 records, a "Size limit exceeded" error could be issued by the LDAP server. Previous versions of the probe did not pick up this "error". A checkbox has been added to the GUI, to allow backward compatibility.
  • Fix: Changing alarm severity level didn't activate the 'Apply' button.
  • Fix: Alarm messages were not being cleared between restarts of the probe.
  • Fix: QoS Message for number of records found reported 0 even if a search error occurred. This has been fixed so it reports NULL if a search failed.
  • Fix: Minor cosmetics in the watcher dialogue.

Version 1.08, Date: 28.03.2004

  • Added support for simple authentication.

Requirements
Platform: Please refer to the Platform Support Matrix located in the Download section of http://support.nimsoft.com
Software: None
Hardware: None