Add input plugin for OpenLDAP #2612
Conversation
|
Can you add some unit tests? |
…wn function that we can use to mock out a search result in testing
|
Added unit tests. There is a very simple test function that mocks up a SearchRequest and feeds that in, and the integration tests connect to a super simple openldap container. |
plugins/inputs/openldap/README.md
Outdated
| ``` | ||
| $ telegraf -config telegraf.conf -input-filter openldap -test --debug | ||
| * Plugin: inputs.openldap, Collection 1 | ||
| > openldap,port=389,host=localhost,server=localhost abandon_operations_initiated=4,extended_operations_completed=125963,bytes_statistics=595939321,pdu_statistics=17028251,modify_operations_initiated=0,delete_operations_completed=0,compare_operations_completed=0,max_file_descriptors_connections=4096,unbind_operations_completed=7981688,extended_operations_initiated=125963,referrals_statistics=0,modify_operations_completed=0,delete_operations_initiated=0,bind_operations_completed=8115329,search_operations_completed=4385841,add_operations_completed=0,abandon_operations_completed=4,write_waiters=0,bind_operations_initiated=8115329,modrdn_operations_initiated=0,compare_operations_initiated=0,entries_statistics=4401128,read_waiters=1,current_connections=3,search_operations_initiated=4385842,modrdn_operations_completed=0,add_operations_initiated=0,total_connections=8147531,unbind_operations_initiated=7981688 1491189665000000000 |
There was a problem hiding this comment.
Why are all the values being added as floats? None of them look to be floatish (have a decimal in them).
There was a problem hiding this comment.
You're right, the syntax for the monitorCounter attribute specifies a 32-bit integer. I'll go ahead and make that change.
plugins/inputs/openldap/openldap.go
Outdated
| TlsSkipverify bool | ||
| BindDn string | ||
| BindPassword string | ||
| } |
There was a problem hiding this comment.
We should probably support SSL as well (meaning LDAP over SSL on port 636).
There was a problem hiding this comment.
Also, what about providing a path to a custom CA cert, so that users running their own cert aren't forced to use tls_skipverify?
There was a problem hiding this comment.
I didn't implement ldapS because it was never formally standardized, LDAPv3 doesn't specify anything regarding ldaps, only starttls, and go-ldap itself doesn't directly support ldaps.
I'll have to dig into the tls and x509 packages to see about adding a ca cert option.
plugins/inputs/openldap/openldap.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func gatherSearchResult(sr *ldap.SearchResult, o *Openldap, acc telegraf.Accumulator) error { |
There was a problem hiding this comment.
This function has an error in the return signature, but it doesn't ever return an error, nor is the caller checking the error.
plugins/inputs/openldap/openldap.go
Outdated
| return nil | ||
| } | ||
|
|
||
| // Convert a DN to metric name, eg cn=Read,cn=Waiters,cn=Monitor to read_waiters |
There was a problem hiding this comment.
What are your thoughts on reversing this? So that it's waiters_read? LDAP DNs are backwards, in that they go from most specific to least specific. The advantage of reversing this is that it allows grouping when sorted.
Meaning if you have cn=Write,cn=Waiters,..., cn=Read,cn=Waiters,..., cn=Write,cn=foo,..., and cn=Read,cn=foo,..., you end up with foo_read,foo_write,waiters_read,waiters_write instead of read_foo,read_waiters,write_foo,write_waiters.
There was a problem hiding this comment.
I debated having a map of DNs to field names instead. It does bother my OCD just a bit having read_waiters instead of waiters_read, but it also reads a little easier? If other plugins name their fields so they sort more naturally I can change this one to match that pattern.
|
Added a tls_cacertificate option - not sure how best to do the integration test for that. I'm still a bit hesitant to support ldapS, but I will if there is consensus around it. |
|
@cobaugh Do you think the config can be made to look more like some the existing tls options? Here is an example: |
|
Is this a server setting? |
|
Client and server. The documentation I copied was the server side. The client side documentation just says "see server side documentation". |
|
Sounds good, lets just do it like OpenLDAP. |
|
Do we want to do LDAPS on the first release, or just make sure that we would be able to add support in the future without breaking compatibility? |
|
So long as we can add it in the future I think we are good. |
|
Again, sorry to drag this out, but I'm still confused what the consensus is on this. TLS_REQCERT has to do with verifying the server certificate in the client context, and nothing to do with whether we are doing LDAPS or LDAP+StartTLS. Normally LDAPS is requested with a URI of ldaps://, and StartTLS is requested with the -ZZ option. To me, that means having a boolean called 'starttls'. If we want to take this conversation off of this issue to avoid cluttering it up I'm fine with that too. Fwiw, grafana has two booleans for its ldap authentication, use_ssl and start_tls: use_ssl enables ssl, and if start_tls is True, then it does a StartTLS instead of DialTLS. |
|
What happens if the One common issue with using multiple booleans like grafana is that you could specify an invalid state combination, such as setting both start_tls and use_ssl to be true, or they could conflict with the url scheme which I think we will want to match openldap. Don't worry having too much discussion here, this is the right place. Best to sort this out beforehand than get stuck with a config file we don't like. |
|
If TLS_REQCERT is set to demand (the default), and neither -ZZ nor a URI of
ldaps:// is specified, it has no effect. The only way you can request
StartTLS with the cli tools with -Z(Z), and the only way you can request
ldaps is with the ldaps uri. If you specify -ZZ and ldaps://, you get an
error along the lines of "TLS already started".
With grafana setting both se_ssl = true and start_tls = true is how you
specify that you want to do StartTLS. There is no combination of those two
booleans that doesn't make sense. Grafana also doesn't allow one to specify
a connection url, only a hostname or IP. go-ldap also doesn't accept URLs,
so that's something we would need to handle ourselves.
…On Mon, Jun 26, 2017 at 2:50 PM, Daniel Nelson ***@***.***> wrote:
What happens if the TLS_REQCERT option is set to demand, but the -ZZ
option is not given? I think we will want to behave as closely as possible
to the openldap client.
One common issue with using multiple booleans like grafana is that you
could specify an invalid state combination, such as setting both start_tls
and use_ssl to be true, or they could conflict with the url scheme which I
think we will want to match openldap.
Don't worry having too much discussion here, this is the right place. Best
to sort this out beforehand than get stuck with a config file we don't like.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2612 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAG57OaNHscnibq4Kbr_fkNqjWKStyBRks5sH_1ogaJpZM4Mxof9>
.
--
andy
|
|
The problem is that the options are mutually exclusive, since you would never do a tls connection and then issue a start_tls command. So Grafana must be giving more precedence to one of them, I assume One issue with using Also, what about unix sockets, are these commonly used? How do you feel about a single option that holds either ssl/tls or start_tls? |
|
Grafana's options are not mutually exclusive:
https://github.com/grafana/grafana/blob/master/pkg/login/ldap.go#L65
I also don't think we should support URLs unless we're willing to parse any
valid ldap url, like you suggested.
Sockets (ldapi://) are used sometimes in the wild. go-ldap doesn't seem to
support those either.
I'm fine with a single option that takes a string."ssl" or "starttls".
…On Mon, Jun 26, 2017 at 5:27 PM, Daniel Nelson ***@***.***> wrote:
The problem is that the options are mutually exclusive, since you would
never do a tls connection and then issue a start_tls command. So Grafana
must be giving more precedence to one of them, I assume use_ssl.
One issue with using ldap:// urls, if we do this I'm sure people will
want to use all features of this url, and not understand that it is only
meant to be an host + port. ldap://host:port/DN?attributes?scope?filter?
extensions.
Also, what about unix sockets, are these commonly used?
How do you feel about a single option that holds either ssl/tls or
start_tls?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2612 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAG57I7ZA9i6MC1RvIUVPmOTznn4m_0Wks5sICIpgaJpZM4Mxof9>
.
--
andy
|
|
So in Grafana, StartTLS doesn't do anything unless UseSSL is set, this seems a bit unexpected to me... the single option should resolve any confusion around this. |
|
Made ssl option a string, accepting "starttls" or "ldaps". Empty string disables encryption entirely. Any other value is an error. We also support ldapS now. Also synced up with master and switched from HasIntField to HasInt64Field due to #2813 |
|
Can you update the example output now that we are using integers? |
|
Example output and example config updated, as well as a couple of other minor issues fixed. |
|
This has been merged for 1.4, github just doesn't realize it. |
This is a plugin to pull metrics out of cn=Monitor from a local or remote OpenLDAP server.
Required for all PRs: