Sun Java(TM) System Directory Server 5.2 2005Q1 Deployment Planning Guide 

Chapter 8
Directory Server Monitoring

An effective monitoring and event management strategy is crucial to any successful Directory Server deployment. Such a strategy defines which events should be monitored, which tools to use, and what action to take should an event occur. Having a plan for commonplace events helps prevent possible outages and reduced levels of service, improving the availability and quality of service.

A monitoring and event management strategy should include specific components of the architecture such as the replication configuration, but should also include system and network monitoring. This chapter examines what an effective monitoring strategy should include, and presents the monitoring features within Directory Server.


This chapter does not focus on system and network monitoring, as this is an area not specific to Directory Server.

This chapter is divided into the following sections:

Defining a Monitoring and Event Management Strategy

This section provides an outline of the stages involved in defining a monitoring and event management strategy. The process can be broken down into the following steps:

  1. Select the appropriate monitoring tools, whether they be operating system tools, Directory Server monitoring tools, or third party monitoring tools.
  2. Identify the key areas to be monitored in the directory architecture (these are frequently the same as the sizing and tuning attributes).
  3. Define what triggers an event or alarm condition when monitoring the key performance measure. This implies defining an acceptable level of performance or operation for each performance measure.
  4. Determine what action should be taken when an alarm condition occurs.

Directory Server Monitoring Tools

This section provides a summary of the monitoring tools available in Directory Server, and other tools that can be used to monitor Directory Server activity. All of the key performance measures, described in the next section, can be monitored using one, or a combination of, these tools.

Directory Server Monitoring

The most important step in defining a monitoring and event management strategy is determining the key areas to be monitored on one or more components in your directory architecture. What you monitor, and to what extent, will depend largely on the specifics of your deployment.

This section describes the performance measures that should be monitored, and includes the following:

Monitoring Directory Server Activity

Directory Server provides a number of ways in which you can monitor server status. These include, but are not limited to, the following:

Monitoring Database Activity

Monitoring database activity helps to ensure that your database is online and accessible when it is required. Database monitoring information can be accessed by running an ldapsearch command on a specific area of the cn=config branch. The kind of monitoring information provided and the corresponding area of the cn=config branch are presented in Table 8-1.

Table 8-1 Source of Database Monitoring Information in cn=config

Information Area                          Corresponding Branch of cn=config
General Database Information              cn=database,cn=monitor,cn=ldbm database,
Database Cache Information                cn=monitor,cn=ldbm database,cn=plugins,cn=config
Specific Database Instance Information    cn=monitor,cn=suffixName,cn=ldbm database,
Chained Suffix Information                cn=monitor,cn=suffixName,cn=chaining database,

The areas of database monitoring information are presented in more detail in the following section.
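As an added example (not code from this guide or from the product), the following Python code applies steps 2 to 4 of the strategy outlined earlier to the database cache branch from Table 8-1: it parses the LDIF that an ldapsearch on that branch would return and evaluates alarm rules against it. The attribute names (dbcachehits, dbcachetries, dbcachehitratio, dbcacheroevict), the sample values, the limits and the actions are assumptions made for illustration.

```python
# Constructed sample: LDIF as an ldapsearch (scope base) on the cache monitor
# entry might return it. Attribute names are assumed, not taken from this page.
SAMPLE_LDIF = """\
dn: cn=monitor,cn=ldbm database,
 cn=plugins,cn=config
dbcachehits: 180
dbcachetries: 240
dbcachehitratio: 75
dbcacheroevict: 12
"""

# Steps 3 and 4 of the strategy: (attribute, comparison, limit, action).
# Limits are illustrative; set them from your own sizing and tuning baseline.
RULES = [
    ("dbcachehitratio", "<", 90, "review database cache sizing"),
    ("dbcacheroevict", ">", 1000, "investigate cache eviction pressure"),
]

def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):  # skip blanks and comments
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = line.partition(":")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def evaluate(entry, rules):
    """Return (attribute, observed, action) for each rule that fires."""
    # A missing or non-numeric attribute raises its own alarm, so a monitor
    # entry the bind DN cannot read is not mistaken for a healthy server.
    alarms = []
    for attr, op, limit, action in rules:
        try:
            observed = int(entry[attr.lower()][0])
        except (KeyError, ValueError):
            alarms.append((attr, None, "monitor attribute missing or unreadable"))
            continue
        if (op == "<" and observed < limit) or (op == ">" and observed > limit):
            alarms.append((attr, observed, action))
    return alarms
```

Feeding `evaluate(parse_entry(...), RULES)` the output of a scheduled search turns the monitor entry into an event source; the same rule table can be extended to the other branches in Table 8-1.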

Monitoring Disk Status

Effectively monitoring disk space enables you to prevent the problems associated with inadequate disk resources. The cn=disk,cn=monitor entry provides access to the following monitoring information:

For more information on the cn=disk,cn=monitor attributes as well as the configurable disk low or full thresholds, refer to "Server Configuration Reference" in the Directory Server Administration Reference.

Monitoring Replication Activity

Monitoring replication status is an essential element of your global monitoring strategy. The earlier you become aware of potential replication problems, the quicker you can resolve those problems and reestablish correct replication operation.

There are three replication monitoring tools that enable you to monitor various aspects of replication functionality. The replication monitoring tools function as LDAP clients and can be used over a standard or secure connection (LDAPS). The following replication monitoring tools are provided:


The insync tool indicates the state of synchronization (or replication delay) between a master replica and one or more consumer replicas. This replication delay is an indication of how accurate the data is on a consumer, compared to the data on the master.


The entrycmp tool allows you to compare the same entry on two or more different servers. An entry is retrieved from the master replica and the entry's nsuniqueid is used to retrieve the same entry from a given consumer. Entry attributes and values are compared and, if these are identical, the entries are considered to be the same.


The machine on which you are running the insync and entrycmp tools must be able to reach all the specified hosts. If the hosts are unreachable due to a firewall, VPN, or other network setup reasons, you will encounter difficulties using these tools. For the same reason, you should ensure that all the servers are up and running before attempting to use the replication monitoring tools.


The repldisc tool allows you to discover a replication topology. Topology discovery starts with one server and constructs a graph of all known servers within the topology. The repldisc tool then prints an adjacency matrix describing the topology. This replication topology discovery tool is useful for large, complex deployments where it might be difficult to recall the global topology you have deployed.


  • When using the replication monitoring tools, you must use either all symbolic names or all IP addresses when identifying hosts. Using a combination of the two can be problematic.
  • When running the replication monitoring tools over SSL, the server on which you are running the tools must have a copy of all the certificates used by the other servers in the topology.
  • These tools are based on LDAP clients and, as such, need to authenticate to the server and use a bind DN that has read access to cn=config. For more information about the configuration details of these tools and about using the tools with SSL enabled, refer to "Monitoring Replication Status" in the Directory Server Administration Guide.

For more information about the replication monitoring tools, see the Directory Server Man Page Reference.

Monitoring Indexing Efficiency

Indexing has a positive impact on read performance and a negative impact on write performance. It is therefore important to monitor indexing efficiency to maintain an appropriate balance between read and write performance. An effective indexing strategy eliminates unnecessary indexes and maintains only those indexes required for client applications.

Indexing efficiency can be monitored in the following ways:

For more information on access log content and connection codes, refer to "Access Log Content" and "Common Connection Codes" in the Directory Server Administration Reference. For a complete list of Directory Server configuration attributes, refer to "Server Configuration Reference" in the Directory Server Administration Reference.
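One way to watch indexing efficiency from the access log, as an added example that is not code from this guide or from the product: pair each search with its result and report the searches the server could not satisfy from an index. It assumes that unindexed searches carry a notes=U marker on their RESULT line and that lines follow the conn/op layout shown; the log excerpt is constructed.

```python
import re

# Constructed access-log excerpt; the line layout and the notes=U marker on
# RESULT lines are assumptions about the log format, not quoted from this page.
SAMPLE_LOG = """\
[06/Apr/2005:10:12:01 +0200] conn=14 op=0 msgId=1 - BIND dn="uid=app,ou=people,dc=example,dc=com" method=128 version=3
[06/Apr/2005:10:12:01 +0200] conn=14 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
[06/Apr/2005:10:12:02 +0200] conn=14 op=1 msgId=2 - SRCH base="dc=example,dc=com" scope=2 filter="(uid=bjensen)" attrs=ALL
[06/Apr/2005:10:12:02 +0200] conn=15 op=3 msgId=4 - SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(description=*contractor*)" attrs="cn mail"
[06/Apr/2005:10:12:02 +0200] conn=14 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[06/Apr/2005:10:12:05 +0200] conn=15 op=3 msgId=4 - RESULT err=0 tag=101 nentries=212 etime=3 notes=U
"""

OP_LINE = re.compile(r"conn=(\d+) op=(\d+)\b.*? - (SRCH|RESULT) (.*)$")

def _field(name, text, default="?"):
    """Extract name=value or name="quoted value" from the tail of a log line."""
    m = re.search(r'\b%s=(?:"([^"]*)"|(\S+))' % re.escape(name), text)
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else default

def unindexed_searches(log_text):
    """Pair each SRCH with its RESULT by (conn, op); keep those flagged notes=U."""
    pending, hits = {}, []
    for line in log_text.splitlines():
        m = OP_LINE.search(line)
        if not m:
            continue
        key, kind, rest = (m.group(1), m.group(2)), m.group(3), m.group(4)
        if kind == "SRCH":
            pending[key] = (_field("base", rest), _field("filter", rest))
        elif key in pending:  # RESULT that closes a search seen earlier
            base, flt = pending.pop(key)
            if re.search(r"\bnotes=U\b", rest):
                hits.append({"conn": int(key[0]), "op": int(key[1]), "base": base,
                             "filter": flt, "etime": int(_field("etime", rest, "0")),
                             "nentries": int(_field("nentries", rest, "0"))})
    return hits

def worst_filters(hits):
    """Rank unindexed filters by total elapsed time: candidates for a new index."""
    totals = {}
    for h in hits:
        totals[h["filter"]] = totals.get(h["filter"], 0) + h["etime"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
```

A filter that keeps appearing in `worst_filters` is either a candidate for an index or a client query that should be changed; a sudden rise in such searches from one connection is also worth a look from the security side.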

Monitoring Security

Monitoring the security of your deployment is vital in maintaining a secure, accessible directory. Suggestions on how to monitor Directory Server with a view to maintaining an acceptable level of security follow:

SNMP Monitoring

SNMP is the standard mechanism for global network control and monitoring. It allows network administrators to centralize network monitoring activities, and can be used to monitor a wide range of devices in real time. This section describes how SNMP can be used to monitor Directory Server operation, and contains the following topics:

About SNMP

SNMP is a protocol used to exchange data about network activity. With SNMP, data travels between a managed device and a network management station (NMS) where users manage the network remotely. A managed device is anything that runs SNMP, such as hosts, routers, and Directory Server. An NMS is usually a powerful workstation running one or more network management applications. A network management application usually displays graphical information about managed devices (which device is up or down, which and how many error messages were received, and so on).

Information is transferred between the NMS and the managed device through the use of two types of agents: the subagent and the master agent. The subagent gathers information about the managed device and passes the information to the master agent. Directory Server has a subagent. The master agent exchanges information between the various subagents and the NMS. The master agent runs on the same host machine as the subagents it talks to.

Multiple subagents can be installed on a host machine. For example, if Directory Server, Application Server, and Messaging Server are all installed on the same host, the subagents for each of these servers communicate with the same master agent. The master agent is installed with Administration Server.

Values for SNMP attributes that can be queried are kept on the managed device and reported to the NMS as necessary. Each attribute or variable is known as a managed object, which is anything the agent can access and send to the NMS. All managed objects are defined in a management information base (MIB), which is a database with a tree-like hierarchy. The top level of the hierarchy contains the most general information about the network. Each branch below is more specific and deals with a separate network area.

SNMP exchanges network information in the form of protocol data units (PDUs). PDUs contain information about variables stored on the managed device. These variables, also known as managed objects, have values and titles that are reported to the NMS as necessary. Communication between an NMS and a managed device takes place in one of two ways:

Directory Server supports NMS-initiated communication, described in the following section.

NMS-Initiated Communication

This is the most common type of communication between an NMS and a managed device. In this type of communication, the NMS either requests information from the managed device or changes the value of a variable stored on the managed device.

The following steps make up an NMS-initiated SNMP session:

  1. The NMS determines which managed devices and objects must be monitored.
  2. The NMS sends a protocol data unit to the managed device's subagent through the master agent. This protocol data unit either requests information from the managed device or tells the subagent to change the values for variables stored on the managed device.
  3. The subagent for the managed device receives the protocol data unit from the master agent.
  4. If the protocol data unit from the NMS is a request for information about variables, the subagent gives information to the master agent and the master agent sends it back to the NMS in the form of another protocol data unit. The NMS then displays the information textually or graphically.
  5. If the protocol data unit from the NMS requests that the subagent set variable values, the subagent sets these values.

SNMP Monitoring in Directory Server

Directory Server supports SNMP monitoring in two ways:

Figure 8-1 shows the two ways in which SNMP monitoring information can be retrieved from Directory Server.

Figure 8-1 SNMP Monitoring in Directory Server

How SNMP monitoring information is retrieved from Directory Server, showing the ldapsearch command and the SNMP Agent

For information on where the MIBs are defined, and how to use SNMP, refer to "Monitoring Directory Server Using SNMP" in the Directory Server Administration Guide.

The SNMP managed objects supported by Directory Server are based on an early draft of the Directory Server Monitoring MIB RFC 2605. The SNMP operations managed objects returned by the SNMP agent are the same as the SNMP monitoring attributes returned by an ldapsearch command. These attributes are described in "Monitoring Attributes," in the Directory Server Administration Reference. Names of attributes returned by the SNMP agent are prefixed with ds.

In addition to the operations managed objects, Directory Server supports managed objects related to the interactions between the monitored server and its peer servers, and entity-related managed objects, containing information about the current server installation. These objects are described in the "Interactions Table of Supported SNMP Managed Objects" and the "Entity Table of SNMP Supported Managed Objects" in the Directory Server Administration Reference.

Copyright 2005 Sun Microsystems, Inc. All rights reserved.