This chapter describes the Oracle Internet Directory Manageability framework, which enables you to monitor Oracle Internet Directory. For information on monitoring other Oracle Fusion Middleware components, see the Monitoring Oracle Fusion Middleware chapter in the Oracle Fusion Middleware Administrator's Guide.
Section 24.1, "Introduction to Monitoring Oracle Internet Directory Server"
Section 24.2, "Setting Up Statistics Collection by Using Fusion Middleware Control"
Section 24.3, "Viewing Statistics Information with Fusion Middleware Control"
Section 24.4, "Viewing Statistics Information from the Oracle Directory Services Manager Home Page"
Section 24.5, "Setting Up Statistics Collection by Using the Command-Line"
This introduction contains the following topics:
Section 24.1.1, "Capabilities of Oracle Internet Directory Server Manageability"
Section 24.1.2, "Oracle Internet Directory Server Manageability Architecture and Components"
Section 24.1.3, "Purging of Security Events and Statistics Entries"
Section 24.1.4, "Account Used for Accessing Server Manageability Information"
The Oracle Internet Directory Server Manageability framework enables you to monitor the following directory server statistics:
Server health statistics about LDAP request queues, percent CPU usage, memory, LDAP sessions, and database sessions. For example, you can view the number of active database sessions over a period. You can also view the total number of connections opened to Oracle Internet Directory server instances over a period.
Performance statistics. Average latency in milliseconds is provided for bind, compare, messaging search, and all search operations over a period.
General statistics about specific server operations, such as add, modify, or delete. For example, you can view the number of directory server operations over a period. You can also view the failed bind operation count.
User statistics comprising successful and failed operations to the directory and the user performing each one. All LDAP operations are tracked for configured users. Also, the connections held by users at the end of the statistics collection period are tracked.
Critical events related to system resources and security—for example, occasions when a user provided the wrong password or had inadequate access rights to perform an operation. Other critical events include ORA errors other than expected errors including 1, 100 or 1403 and abnormal termination of the LDAP server.
Security events tracking of users' successful and unsuccessful bind and userpassword compare operations.
Because bind and user password compare are among the most security sensitive operations, an exclusive category security event is used to track these two operations. This event tracks the number of these operations performed by LDAP users and applications. The basic information recorded is user DN and source IP address. For failed user password compare, additional information is tracked, specifically, the number of failed compares of one user's password by another user from a given IP address.
Status information of the directory server and the directory replication server—for example, the date and time at which the directory replication server was invoked.
The relationship between the various components of directory server manageability is explained in Figure 24-1 and the accompanying text in Table 24-1.
Table 24-1 Components of Oracle Internet Directory Server Manageability
Component | Description |
---|---|
Oracle Internet Directory | A directory server responds to directory requests from clients. It has four kinds of functional threads: controller, worker, dispatcher, and listener. It accepts LDAP requests from clients, processes them, and sends the LDAP response back to the clients. When you use the Oracle Internet Directory Server Manageability framework to set run-time monitoring, the four functional threads of the server record the specified information and store it in local memory. See Also: Section 3.1.2, "An Oracle Directory Server Instance" for a description of the directory server |
Memory Resident Storage | This is a local process memory. The Oracle Internet Directory Server Manageability framework assigns one each for statistics, tracing, and security events. Each has its own separate data structure maintained in the local memory storage. |
Low Priority Write Threads | These dedicated write threads differ from server functional threads in that they write server statistics, security events logging, and tracing information to the repository. To maintain reduced system overhead, their priorities are kept low. |
External Monitoring Application | This module, which is proprietary and external to the server manageability framework, collects the gathered statistics through a standard LDAP interface with the directory server and stores it in its own repository. |
External Repository for Server Management Information | This is the repository that the monitoring agent uses to store the gathered directory server statistics. The monitoring agent determines how this repository is implemented. |
 | extracts monitored data from the statistics and events repository, presenting it in a Web-based graphical user interface. Users can view the data in a normal browser. A repository can store the collected data for generic and custom queries. |
Logging Repository (File System) | This repository uses a file system to store information traced across various modules of the directory server. By using a file system for this purpose, the Oracle Internet Directory Server Manageability framework uses the features and security of the operating system. |
Directory Data Repository | This repository contains all user-entered data—for example, user and group entries. |
Statistics and Events Repository | This repository is like the tracing repository except that it stores the information in the same database as the directory data repository rather than in a file system. In this way, the Oracle Internet Directory Server Manageability framework uses: The directory manageability framework isolates the gathered information from the directory data by storing the two separately. |
Obsolete statistics entries are removed from Oracle Internet Directory by the Oracle Internet Directory purge tool, described in Chapter 35, "Managing Garbage Collection".
The Oracle Internet Directory database account ODSSM is used to access server manageability information from the database. During installation, this account's password is set to a value provided by the user at a prompt. The credentials for this account, including the password, are stored in the Oracle Internet Directory snippet in the Oracle Enterprise Manager Fusion Middleware Control file targets.xml.
The only way you can change this account's password is to use the procedure documented in Section 12.11, "Changing the Password for the ODSSM Administrator Account." There is no support in the oidpasswd tool for changing this password.
This section contains the following topics:
To configure statistics collection from Oracle Enterprise Manager Fusion Middleware Control, follow these steps:
Select Administration, then Server Properties from the Oracle Internet Directory menu, then select Statistics.
In the General section of the page, select Stats Flag to enable statistics collection.
Specify the number of minutes in the Stats Frequency field to control the frequency of statistics collection.
Select values from the Bind Security Event Tracking and Compare Security Event Tracking lists.
To collect statistics about users, select User Statistics Collection in the User Statistics section of the page.
In the Event Levels section of the page, select the events you want to track.
Table 24-2 Configuration Attributes on Server Properties Page, Statistics Tab
Field or Heading | Configuration Attribute |
---|---|
Stats Flag | |
Stats Frequency (min) | |
Bind Security Event Tracking and Compare Security Event Tracking | |
User Statistics | |
Event Levels | |
Notes:
After you enable User Statistics collection, you also must specify individual users for statistics collection. See Section 24.2.2, "Configuring a User for Statistics Collection by Using Fusion Middleware Control."
If you do not select SuperUser Login as an event level, the corresponding Security values on the Oracle Internet Directory home page are always 0.
In 11g Release 1 (11.1.1), consecutive settings of orcldebugflag and of orcloptracklevel are additive.
Note:
If you have configured orclldapconntimeout so that idle LDAP connections are closed after a period of time, as described in the Oracle Internet Directory chapter of Oracle Fusion Middleware Performance and Tuning Guide, be aware that connections do not time out as per this setting for users who are configured for statistics collection.
To configure a user so that Server Manageability collects statistics for that user:
From the Oracle Internet Directory menu, select Administration, then Shared Properties.
Select the General tab.
Add the user's distinguished name to User DN. (This adds the user's DN to the attribute orclstatsdn.) For example:
cn=Mary Lee, ou=Product Testing, c=us
cn=Michael Smith, ou=Product Testing, c=us
cn=Raj Sharma, ou=Human Resources, c=us
You can use Oracle Enterprise Manager Fusion Middleware Control to view many of the features of Oracle Internet Directory Server Manageability, as explained in this section.
See Also:
Section 42.2.10, "Viewing Queue Statistics by Using Fusion Middleware Control" for information on replication queue statistics.
The Oracle Internet Directory Home Page displays the following information:
Performance
Average Operation Response Time(ms)
Messaging Search Response Time(ms)
Bind Response Time(ms)
Load
Total LDAP Connections
Operations Completed
Operations in progress
Security
Failed Bind Operations
Failed SuperUser Logins
Successful SuperUser Logins
Resource Usage
CPU Utilization %
Memory Utilization %
Average Response and Load
LDAPserverResponse
numCompletedOps
Click Table View if you want to see values in tabular form.
In the Security section of the page, the values for Failed Bind Operations, Failed SuperUser Logins, and Successful SuperUser Logins are 0 if you have not enabled collection of these metrics. See Section 24.2, "Setting Up Statistics Collection by Using Fusion Middleware Control" for more information.
From the Oracle Internet Directory menu, select Monitoring, then Performance Summary. The following metrics are shown by default:
Server Response
Total Operations
Messaging Search Operation Response Time
Bind Operation Response Time
Compare Operation Response Time
Total Number of Security Events Objects in Purge Queue
Total Number of Security Refresh Events Objects in Purge Queue
Total Number of System Resource Events Objects in Purge Queue
To display other metrics, expand the Metrics Palette by clicking the arrow on the right edge of the window. You can collapse the Metrics Palette by clicking the arrow on the left edge of the window.
The default time interval is 15 minutes. To change the time interval, click Slider, then use the sliders to set the time interval. You can also click the Date and Time icon, set the start and end date and time on the Enter Date and Time dialog, then click OK.
Click the Refresh icon to refresh the page.
The View list enables you to view and save charts.
The Overlay list enables you to overlay the metrics for a different Oracle Internet Directory target.
Notes:
For non-critical events, there is a time lag of several minutes, up to orclstatsperiodicity, before the corresponding metric is updated.
You must click the Refresh icon to see updated metrics.
The Oracle Directory Services Manager home page for Oracle Internet Directory lists the following information:
This section contains the following topics:
Section 24.5.1, "Configuring Health, General, and Performance Statistics Attributes"
Section 24.5.3, "Configuring User Statistics Collection from the Command Line"
You can use ldapmodify and ldapsearch to set and view statistics collection-related configuration attributes. These attributes are in the instance-specific configuration entry, as described in Chapter 9, "Managing System Configuration Attributes."
To enable the collection of health, general, and performance statistics, set the orclStatsFlag and orclStatsPeriodicity attributes.
For example, to enable the Oracle Internet Directory Server Manageability framework for the component oid1, you create an LDIF file that looks like this:
dn:cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclstatsflag
orclstatsflag:1
To upload this file, enter the following command:
ldapmodify -h host -p port_number -D bind_DN -q -f file_name
where the bind DN authorized to perform server manageability configuration is cn=emd admin,cn=oracle internet directory.
To configure security events tracking, set the attribute orcloptracklevel. This attribute is located in the instance-specific configuration entry, as described in Chapter 9, "Managing System Configuration Attributes." Table 24-3 lists the values of orcloptracklevel to configure different levels of bind and compare information collection:
Table 24-3 Values of orcloptracklevel
orcloptracklevel value | Configuration |
---|---|
 | Bind DN only |
 | Bind DN and IP address |
 | Compare DN only |
 | Compare DN and IP address |
 | Compare DN, IP address and failure details |
The metrics recorded by each orcloptracklevel value are listed in the following table:
Table 24-4 Metrics Recorded by Each orcloptracklevel Value
Configuration | Metrics Recorded |
---|---|
DN only | Date and time stamp; EID of DN performing the operation; Success counts; Failure counts |
DN and IP address | All metrics listed under DN only; Source IP Address |
DN, IP address and failure details | All metrics listed under DN and IP address; Distinct success counts; Distinct failure counts; Failure details for each DN performing password compare from an IP Address: |
The attributes orcloptrackmaxtotalsize and orcloptracknumelemcontainers enable you to tune memory used for tracking statistics and events. See the Oracle Internet Directory chapter in Oracle Fusion Middleware Performance and Tuning Guide.
To enable user statistics, set the orclstatslevel attribute to 1. The orclStatsPeriodicity attribute must also be set for user statistics collection to occur.
Note:
When you are collecting statistics for Oracle Enterprise Manager Fusion Middleware Control, set orclStatsPeriodicity to be the same as the collection periodicity of the Enterprise Manager agent, which is 10 minutes by default.
To configure users for statistics collection, see Section 24.5.5, "Configuring a User for Statistics Collection by Using the Command Line."
The orclstatsflag attribute must be set to 1 for event level tracking to occur.
To configure event levels, use ldapmodify to set the orcleventlevel attribute to one or more of the event levels listed in Table 24-5. The attribute orcleventlevel is in the instance-specific configuration entry, as described in Chapter 9, "Managing System Configuration Attributes."
Level Value | Critical Event | Information It Provides |
---|---|---|
 | SuperUser login | Super user bind (successes or failures) |
 | Proxy user login | Proxy user bind (failures) |
 | Replication login | Replication bind (failures) |
8 | Add access | Add access violation |
 | Delete access | Delete access violation |
 | Write access | Write access violation |
 | ORA 3113 error | Loss of connection to database |
 | ORA 3114 error | Loss of connection to database |
 | ORA 28 error | ORA-28 Error |
 | ORA error | ORA errors other than expected 1, 100, or 1403 |
 | Oracle Internet Directory server termination count | |
 | All critical events | |
Note:
If you have configured orclldapconntimeout so that idle LDAP connections are closed after a period of time, as described in the Oracle Internet Directory chapter of Oracle Fusion Middleware Performance and Tuning Guide, be aware that connections do not time out as per this setting for users who are configured for statistics collection.
To configure a user by using the command line, add the user's DN to the DSA Configset entry's multivalued attribute orclstatsdn (DN: cn=dsaconfig,cn=configsets,cn=oracle internet directory) by using the ldapmodify command line tool. For example, this LDIF file adds Mary Lee to orclstatsdn:
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype:modify
add: orclstatsdn
orclstatsdn: cn=Mary Lee, ou=Product Testing, c=us
Use a command line such as:
ldapmodify -h host -p port -f ldifFile -D cn=orcladmin -q
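The command-line sections above state several dependencies between these attributes: orclstatsflag must be 1 for event level tracking, user statistics need orclstatslevel, orclStatsPeriodicity and at least one orclstatsdn value, and orclldapconntimeout is not applied to orclstatsdn users. The shell function below is an added example, not part of the Oracle documentation, that checks them against LDIF exported from the two configuration entries; the function name, finding labels and sample LDIF are constructed, and treating an absent or 0 orcloptracklevel as "no tracking" is an assumption.

```shell
#!/bin/sh
# Added example: checks the attribute dependencies stated in this chapter.
# Input: LDIF for the instance-specific entry and the DSA Configset entry.

# Constructed sample (not captured from a real server).
SAMPLE_LDIF='dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
orclstatsflag: 0
orclstatslevel: 1
orclldapconntimeout: 30

dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
orclstatsdn: cn=Mary Lee, ou=Product Testing, c=us
orclstatsdn: cn=Raj Sharma, ou=Human Resources, c=us'

# Reads LDIF on stdin and prints one finding per line (nothing if consistent).
audit_oid_stats() {
  awk '
    /^[A-Za-z]/ {
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))   # attribute names are case-insensitive
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (name == "orclstatsdn") users++     # multivalued: count the DNs
      else if (!(name in cfg)) cfg[name] = val
    }
    END {
      if (cfg["orclstatsflag"] != "1")
        print "STATS_OFF orclstatsflag is not 1: no statistics or event level tracking"
      if (cfg["orclstatslevel"] == "1" && cfg["orclstatsperiodicity"] == "")
        print "NO_PERIOD orclstatslevel=1 but orclstatsperiodicity is unset"
      if (cfg["orclstatslevel"] == "1" && users == 0)
        print "NO_USERS user statistics enabled but orclstatsdn lists no user"
      if (cfg["orclstatslevel"] != "1" && users > 0)
        print "USERS_IGNORED orclstatsdn has " users " DN(s) but orclstatslevel is not 1"
      # Assumption: an absent or 0 orcloptracklevel means no bind/compare tracking.
      if (cfg["orcloptracklevel"] == "" || cfg["orcloptracklevel"] == "0")
        print "NO_SEC_EVENTS orcloptracklevel is unset: bind/compare events not tracked"
      if (cfg["orclldapconntimeout"] + 0 > 0 && users > 0)
        print "TIMEOUT_BYPASS idle timeout does not apply to " users " orclstatsdn user(s)"
    }'
}

printf '%s\n' "$SAMPLE_LDIF" | audit_oid_stats
```

On the constructed sample this reports STATS_OFF, NO_PERIOD, NO_SEC_EVENTS and TIMEOUT_BYPASS; a consistent configuration prints nothing.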
Reports for all the statistics can be viewed using the oiddiag tool, as follows:
oiddiag audit_report=true [outfile=file_name]
oiddiag collect_all=true, [outfile=file_name]
Subset of Statistics and Events
oiddiag collect_sub=true [infile=input_file_name, outfile=file_name ]
where input_file_name is created by taking the output from oiddiag listdiags=true and removing unwanted statistics classes.
Note:
On Windows, the filename of the oiddiag command is oiddiag.bat.
See Also:
The oiddiag command tool reference in Oracle Fusion Middleware Reference for Oracle Identity Management.
The chapter about administration tools in the Oracle Fusion Middleware Administrator's Guide