eDirectory and SNMP – Down and Dirty



By: coolguys

July 12, 2006 12:00 am


By Don Lohr

I don’t consider myself an Advanced-SNMP person; maybe an advanced-beginner. Being new to the eDirectory SNMP feature and wanting to monitor LDAP binds and other eDirectory items, I installed the eDirectory SNMP Subagent from the Product CD and began my quest. My research for this feature involved using Novell’s Documentation, Knowledgebase and Discussion forums resources. I started first with this link.

In this article, my SNMP and LDAP server are using a Novell NetWare 6.5 server running Novell eDirectory 8.7.3.x, with a Windows XP workstation.

After I had the eDirectory SNMP Subagent installed and all of the SNMP stuff configured, as I understood it, I began looking for a method to actually get at this newfound eDirectory information I wanted. I began reviewing SNMP clients that would run on Windows (I am not Linux-savvy as of yet). Several GUI-based SNMP applications were very helpful in those early days to help me navigate my way through the sys:\ETC\EDIR.MIB file tree. This allowed me the benefit of better understanding and determining the items I really wanted to keep long-term track of.

GUI is pretty and all, but when it really gets down to it, GUI can only get you so far. GUI, step back and make room for (if I can locate one) an SNMP command-line utility. After some looking, especially after reviewing the link above again, I found, downloaded and installed Net-snmp-<someVersion>.win32.exe from SourceForge.net.

Note: Before continuing with this solution, you must have a functioning LDAP service that you can successfully perform an authenticated bind (userID/password) against. There are several methods to test your LDAP service. In the sys:\public\mgmt\ConsoleOne\1.2\bin folder there are some LDAP command-line programs (ldapadd.exe, ldapdelete.exe, ldapmodify.exe, ldapmodrdn.exe and ldapsearch.exe). From a DOS Command Prompt window, form a command using the ldapsearch.exe to generate some simple binds:

ldapsearch -LLL -h NetWareServer -D cn=admin,o=acme -W -Z "(cn=admin)"

Here’s the ldapsearch syntax:

  • -h = The IP or DNS address of your NetWare server running LDAP configured for eDirectory SNMP
  • -D = The userID doing the LDAP bind. Note the fully distinguished name (cn= and o=) and the use of commas not periods in the userID naming context – this is LDAP speak if you are an LDAP beginner. Perform several authenticated binds before continuing to the next section. If not successful, resolve any LDAP issues first.
  • -W = Prompts you for the password
  • -Z = Starts a TLS session so the password is not sent across the wire in cleartext.

The information between the quotes is the item you are searching for.

Using Net-snmp Features

The next phase of this quest involved the use of Net-snmp command-line programs, features, and functions – snmptranslate.exe, snmpwalk.exe, and snmpget.exe. Entering each command with a “/?” will provide you with all of the syntax for each command. This part was maybe the hardest, because I wanted to use ONLY the Net-snmp commands to document how to discover and locate the specific EDIR.MIB components, without the GUI-based SNMP programs I previously used. This is the summary of that “down and dirty” investigation:

1. Download and install the Net-snmp-someVersion.win32.exe program on a Windows XP PC.

2. Copy the sys:\ETC\EDIR.MIB file to the .\share\snmp\mibs folder of the Net-snmp install.

3. Open the .\share\snmp\mibs\EDIR.MIB in Notepad. You will notice the 7th line contains EDIRECTORY-MIB. The Net-snmp programs (at least the way I understand it) want us to rename the .\share\snmp\mibs\EDIR.MIB file to EDIRECTORY-MIB. If you look in the .\share\snmp\mibs folder, you will notice that the other MIB files can be readily opened with Notepad. That is because they all have a .txt extension, so feel free to add a .txt extension to the .\share\snmp\mibs\EDIRECTORY-MIB file (this just makes it easier to open with Notepad, but is not required for the Net-snmp programs).

How does one read the EDIRECTORY-MIB.txt or any MIB file? For an SNMP-beginner (maybe even a pro) it is very difficult to determine what exactly to pass to any SNMP command-line program like the Net-snmp suite. These programs need specific structured path values to the item(s) of interest. But first, for the possible SNMP-beginners, let’s back up a bit. The EDIRECTORY-MIB.txt file is a Management Information Base (MIB), which specifies the management data of a device subsystem, using a hierarchical namespace containing an object identifier (OID) structure. The MIB hierarchy can be depicted as a tree with a nameless root, the levels of which are assigned by different organizations.

snmptranslate

So how do we use the Net-SNMP suite of programs to map out the EDIRECTORY-MIB.txt file hierarchy to get the specific OID value(s) of the desired items we want to track? Let’s start with snmptranslate.exe, which will map out the OID hierarchy structure. We’ll also write it to a file:

snmptranslate -Ts -m EDIRECTORY-MIB > EDIRECTORY-MIB_OIDs.txt

Here’s the snmptranslate syntax:

  • -Ts = TRANSOPTS option “s” (enable dotted symbolic report)
  • -m = Indicates the name of the MIB to use

1. Open the EDIRECTORY-MIB_OIDs.txt file with Notepad and take a look. For this example, let’s find the OID ending with ndsProtoIfSimpleAuthBinds that is the OID for LDAP binds performed with a userID/password.

Another trick you can do, if you are only after the OIDs with the word bind in them, is to use the DOS find command:

find /I "binds" EDIRECTORY-MIB_OIDs.txt > EDIRECTORY-MIB_OIDs_binds.txt

2. Open the EDIRECTORY-MIB_OIDs_binds.txt file with Notepad and take a look. You will only see the four lines containing the ndsProtoIfUnauthBinds, ndsProtoIfSimpleAuthBinds, ndsProtoIfStrongAuthBinds and ndsProtoIfBindSecurityErrors OIDs.

snmpwalk

I am not fully up on this piece of the OID path, but I know how to find them. Some OID paths have a table instance value, and other OID paths do not. It just so happens that the bind OIDs we separated out above all have table instance values. The next goal is to determine the proper table instance value for these OIDs. Net-SNMP’s snmpwalk.exe command-line program is where we go next (see below for the snmpwalk syntax notes). We will also be using the EDIRECTORY-MIB file, and the ndsProtoIfSimpleAuthBinds line (via copy/paste) from either the EDIRECTORY-MIB_OIDs.txt or the EDIRECTORY-MIB_OIDs_binds.txt file:

snmpwalk -OQn -c SNMPCommunityName -v 1 -m EDIRECTORY-MIB Agent .iso.org.dod.internet.private.enterprises.novell.mibDoc.ndsMIB.ndsStatistics.ndsData.ndsProtocolStatistics.ndsProtoIfOpsTable.ndsProtoIfOpsEntry.ndsProtoIfSimpleAuthBinds

You will notice two lines of output from the snmpwalk command (see below) and that the full ndsProtoIfSimpleAuthBinds OID path has been converted into its numerical value. You will also see that a .1.1 has been added to the end of the first OID results line, and a .1.2 has been added to the end of the second OID results line. If the LDAP bind testing you performed earlier with the ldapsearch.exe program from the ConsoleOne folder was successful, you will notice that the second ndsProtoIfSimpleAuthBinds line below also has a value greater than 0.

Below are the snmpwalk results:

.1.3.6.1.4.1.23.2.98.1.2.3.1.1.5.1.1 = 0
.1.3.6.1.4.1.23.2.98.1.2.3.1.1.5.1.2 = 15

The .1.2 is the table instance value we are searching for. The OID numerical value is handy as well, because it’s an easier and smaller value to use than the worded OID value.
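An added example (not from the original article): a Python helper that reads saved snmpwalk -OQn output and separates the column OID from the table instance suffix, comparing whole OID components so a neighbouring column is not mistaken for an instance. The function names and the third sample row are made up for illustration.

```python
# The column OID and the first two sample rows are the article's snmpwalk
# results; the third row (a made-up neighbouring column, .50) is constructed.
COLUMN = ".1.3.6.1.4.1.23.2.98.1.2.3.1.1.5"   # ndsProtoIfSimpleAuthBinds
SAMPLE_WALK = """\
.1.3.6.1.4.1.23.2.98.1.2.3.1.1.5.1.1 = 0
.1.3.6.1.4.1.23.2.98.1.2.3.1.1.5.1.2 = 15
.1.3.6.1.4.1.23.2.98.1.2.3.1.1.50.1.2 = 7
"""

def parse_oid(text):
    """Numeric OID string (leading dot optional) -> tuple of ints."""
    return tuple(int(part) for part in text.strip().lstrip(".").split("."))

def table_instances(column_oid, walk_output):
    """Map each instance suffix found under column_oid to its counter value."""
    column = parse_oid(column_oid)
    found = {}
    for line in walk_output.splitlines():
        oid_text, _, value = line.partition("=")
        try:
            oid, count = parse_oid(oid_text), int(value)
        except ValueError:
            continue        # blank lines, tool messages, non-numeric values
        # Compare component by component: a plain string prefix test would
        # wrongly accept ...1.1.50.x as an instance of column ...1.1.5
        if len(oid) > len(column) and oid[:len(column)] == column:
            found[".".join(map(str, oid[len(column):]))] = count
    return found

def active_instance_oids(column_oid, walk_output):
    """Full numeric OIDs, ready for snmpget, whose counter is above zero."""
    base = "." + ".".join(map(str, parse_oid(column_oid)))
    return [f"{base}.{suffix}"
            for suffix, count in table_instances(column_oid, walk_output).items()
            if count > 0]

if __name__ == "__main__":
    print(table_instances(COLUMN, SAMPLE_WALK))
    print(active_instance_oids(COLUMN, SAMPLE_WALK))
```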

Here’s the snmpwalk syntax:

  • -OQn = Output options Q and n (quick print with equal-signs and print OIDs numerically)
  • -c = Set the community string. By default, NetWare uses “public” as the community name, so for security reasons you should configure your server to use another name. Follow your organization’s policy for community names; if you have none, research and use best-practice recommendations. Refer to Novell’s Knowledgebase for articles on setting or changing your server’s SNMP community name.
  • -v 1 = SNMP version to use (1, 2 or 3)
  • -m = Name of the MIB to use
  • Agent (server to query) = Your Novell NetWare server running the DSSNMPSA.NLM

snmpget

Finally we are ready to move to the Net-snmp’s snmpget.exe command-line tool:

snmpget -OQ -c SNMPCommunityName -v 1 -m EDIRECTORY-MIB Agent 1.3.6.1.4.1.23.2.98.1.2.3.1.1.5.1.2 > SNMP-yourServerName.txt

Here’s the snmpget syntax:

  • -OQ = Output option Q (quick print with equal-signs)
  • -c = Set the community string. By default, NetWare uses “public” as the community name, so for security reasons you should configure your server to use another name. Follow your organization’s policy for community names; if you have none, research and use best-practice recommendations. Refer to Novell’s Knowledgebase for articles on setting or changing your server’s SNMP community name.
  • -v 1 = SNMP version to use (1, 2 or 3)
  • -m = Name of the MIB to use
  • Agent (server to query) = Your Novell NetWare server running the DSSNMPSA.NLM

Below are the snmpget results:

EDIRECTORY-MIB::ndsProtoIfSimpleAuthBinds.1.2 = 15

We’re almost done! Here’s what we know how to do so far:

1. Map out the hierarchy of the EDIRECTORY-MIB and how to find the worded OID values for the items we want to track (using snmptranslate).

2. Find table instance value items (using snmpwalk).

3. Get the individual items we want to track (using snmpget).

Automation and Scripting

Automation is easily accomplished by putting together a script or batch program to run the snmpget string and other data manipulation stuff. The snmpget program supports combining multiple OIDs in one snmpget MIB pass – just separate each of the OIDs with a blank space. In order for the SNMP stats to be gathered on a scheduled interval, look into either the Windows Scheduled Tasks component or a Win32-based cron utility so you can launch the batch file on a specific interval (say, every 5 minutes).

There are many ways to get at the SNMP data with scripting and many ways to manipulate the data getting it into a usable format to meet your needs. I have found that getting the data into a comma-delimited format best fits my needs and that using batch programming works for me as well. Below is an example of how I got there. We will be going after UnauthBinds and SimpleAuthBinds. You will notice that the batch program uses the following items:

  • Date – to get the current date – write it to a file.
  • Time – to get the current time – write it to a file.
  • SED (Stream Editor) – I am using super-sed version 3.59, based on GNU sed version 3.02.80 that I downloaded from the Internet to do scripted data manipulation.
  • Net-SNMP’s snmpget (to get the OID values)

For the sake of this example, the snmp.bat and sed.exe programs were copied into the Net-snmp .\bin folder, and the output files are written there as well.

Batch Program snmp.bat

@echo off

if not exist ServerName-snmp.csv echo Date,UnauthBinds,SimpleAuthBinds>ServerName-snmp.txt
if exist ServerName-snmp.csv rename ServerName-snmp.csv *.txt
rem Write date to file
date /T>ServerNameWhen.txt
rem Write time to file
time /T>>ServerNameWhen.txt
rem Clean off blank space at ends of lines
sed "s/[ \t]*$//" ServerNameWhen.txt>ServerNameWhenClean.txt
rem Put date and time on one line separated with a space
sed :a;$!N;s/\n/" "/;ta; ServerNameWhenClean.txt>ServerNameStats.txt
rem snmpget - Adding a v to the -OQ switch will only get just the SNMP stat numbers
rem The snmpget command below is a single long line.
snmpget -OQv -c SNMPCommunityName -v 1 -m EDIRECTORY-MIB Agent .1.3.6.1.4.1.23.2.98.1.2.3.1.1.4.1.2 .1.3.6.1.4.1.23.2.98.1.2.3.1.1.5.1.2 >>ServerNameStats.txt
rem Put date time,stats all on one comma separated line 
sed -e :a;$!N;s/\n/,/;ta; ServerNameStats.txt>ServerNameStatsClean.txt
rem merge the existing file with the stats just obtained
copy ServerName-snmp.txt /B + ServerNameStatsClean.txt /B ServerName-snmp.csv
rem Clean-up working files
echo Y|erase ServerName*.txt

Here are the snmp.bat results after 2 runs, looking in the ServerName-snmp.csv file:

Date,UnauthBinds,SimpleAuthBinds
Sun 07/09/2006 09:04 PM,3,15
Sun 07/09/2006 09:09 PM,8,27
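An added example (not part of the original article): the CSV holds cumulative counter readings, so this Python sketch turns consecutive rows into binds per minute, treats a falling counter as an agent restart unless it looks like a 32-bit rollover, and lists intervals above a limit. It assumes the bind columns are Counter32 values and that date /T and time /T print in the US format shown above; the function names, the limit and the last three sample rows are made up.

```python
import csv
import io
from datetime import datetime

COUNTER32_MOD = 2 ** 32                  # assumption: bind columns are Counter32
STAMP_FORMAT = "%a %m/%d/%Y %I:%M %p"    # assumption: US-style date /T + time /T

# Constructed sample in the ServerName-snmp.csv layout. The first two data
# rows are the article's results; the last three are invented for this example.
SAMPLE_CSV = """Date,UnauthBinds,SimpleAuthBinds
Sun 07/09/2006 09:04 PM,3,15
Sun 07/09/2006 09:09 PM,8,27
Sun 07/09/2006 09:14 PM,9,30
Sun 07/09/2006 09:19 PM,2,4
Sun 07/09/2006 09:24 PM,4,410
"""

def counter_delta(prev, curr):
    """Increase between two counter samples, or None after an agent restart."""
    if curr >= prev:
        return curr - prev
    wrapped = curr + COUNTER32_MOD - prev
    # A small wrapped delta is a genuine 32-bit rollover; a huge one means the
    # counter restarted from zero, so the real increase is unknown.
    return wrapped if wrapped < COUNTER32_MOD // 2 else None

def bind_rates(csv_text):
    """Return (timestamp, unauth_per_min, simple_per_min) for each interval."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    out = []
    for prev, curr in zip(rows, rows[1:]):
        t0 = datetime.strptime(prev["Date"], STAMP_FORMAT)
        t1 = datetime.strptime(curr["Date"], STAMP_FORMAT)
        minutes = (t1 - t0).total_seconds() / 60
        rates = []
        for col in ("UnauthBinds", "SimpleAuthBinds"):
            delta = counter_delta(int(prev[col]), int(curr[col]))
            rates.append(None if delta is None or minutes <= 0 else delta / minutes)
        out.append((t1, rates[0], rates[1]))
    return out

def spikes(csv_text, per_minute_limit):
    """Timestamps of intervals where either bind rate exceeds the limit."""
    return [t for t, unauth, simple in bind_rates(csv_text)
            if any(r is not None and r > per_minute_limit for r in (unauth, simple))]

if __name__ == "__main__":
    print(spikes(SAMPLE_CSV, per_minute_limit=50))
```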

The Final Treat

Have you ever wanted to track your server’s CPU Utilization? Let’s make a few changes to our snmp.bat file (in our example the server has two CPUs). Caution: some of the lines wrap.

1. Edit the third line by inserting the following text after ,SimpleAuthBinds

,CPU0,CPU1

2. After the original snmpget line (don’t forget – these snmpget lines wrap) add this new line:

snmpget -OQv -c SNMPCommunityName -v 1 -m HOST-RESOURCES-MIB Agent .1.3.6.1.2.1.25.3.3.1.2.1 1.3.6.1.2.1.25.3.3.1.2.2 >>ServerNameStats.txt

3. Make sure the SYS:\SYSTEM\NMA\HOSTMIB.NLM is loaded.

I hope you find this information helpful in your eDirectory SNMP quest.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
