Page created: 22 Jul 2020 |
Page updated: 1 Feb 2021
Because all server instances provide information for a common set of MIBs, each server instance provides its information under a unique SNMPv3 context name, equal to the server instance name. The server instance name is defined in the Global Configuration, and is constructed from the host name and the server LDAP port by default. Consequently, information must be requested using SNMPv3, specifying the context name that pertains to the desired server instance. The context name is limited to 30 characters or less; a longer context name results in an error message. Because the default context name is built from the host name and the LDAP port number, pay special attention to the length of the fully-qualified (DNS) host name.
Note: The Directory Proxy Server supports SNMPv3, and only SNMPv3 can access the MIBs. For systems that implement SNMP v1 and v2c, Net-SNMP provides a proxy function to route requests in one version of SNMP to an agent using a different SNMP version.
Enable the Directory Proxy Server’s SNMP plugin by using the
dsconfig tool. Make sure to specify the address and port of the
SNMP master agent.
On each Directory Proxy Server instance, enable the SNMP
subagent. Note that the SNMPv3 context name is limited to 30 bytes maximum. If the
default dynamically-constructed instance name is greater than 30 bytes, there will be
an error when attempting to enable the plugin.
Enable the SNMP Subagent Alert Handler
so that the sub-agent will send traps for administrative alerts generated by the
$ bin/dsconfig set-alert-handler-prop \
    --handler-name "SNMP Subagent Alert Handler" --set enabled:true
View the error log. You will see a message that the master agent is not connected,
because it is not yet online.
The SNMP sub-agent was unable to connect to the master agent at localhost/705: Timeout
Edit the SNMP agent configuration file, snmpd.conf, which is
often located in /etc/snmp/snmpd.conf. Add the directive to run
the agent as an AgentX master agent:
master agentx
agentXSocket tcp:localhost:705
Note that the use of localhost means that only sub-agents running on the same host can connect to the master agent. This requirement is necessary since there are no security mechanisms in the AgentX protocol.
Add the trap directive to send SNMPv2 traps to localhost with
the community name, public (or whatever SNMP community has been configured for your
environment) and the port.
trap2sink localhost public 162
To create a SNMPv3 user, add the following lines to the
rwuser initial
createUser initial MD5 setup_passphrase DES
Run the following command to create the SNMPv3 user.
$ snmpusm -v3 -u initial -n "" -l authNoPriv -a MD5 -A setup_passphrase \
    localhost create snmpuser initial
Start the snmpd daemon and after a few seconds you should see
the following message in the Directory Proxy Server error log:
The SNMP subagent connected successfully to the master agent at localhost:705. The SNMP context name is host.example.com:389
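A pre-flight check for the two constraints described above, the 30-byte context name and the loopback-only AgentX listener. This is an added example, not part of the original page or the product; the function names and the sample snmpd.conf content are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Default context name: "<host name>:<LDAP port>", e.g. host.example.com:389.
default_context_name() {
    printf '%s:%s' "$1" "$2"
}

# Succeed only if the name fits the 30-byte context-name limit.
# wc -c counts bytes, so multi-byte characters are measured correctly.
context_name_ok() {
    len=$(printf '%s' "$1" | wc -c | tr -d '[:space:]')
    [ "$len" -le 30 ]
}

# Print each agentXSocket address in the given snmpd.conf that is not a
# Unix-domain socket or a loopback listener; exit status 1 if any is found.
# AgentX has no security mechanisms, so the master agent must stay local.
agentx_exposed() {
    awk '
        tolower($1) == "agentxsocket" {
            n = split($2, addr, ",")
            for (i = 1; i <= n; i++) {
                a = addr[i]
                if (a ~ /^\// || a ~ /^unix:/) continue
                if (a ~ /^(tcp|udp):(localhost|127\.0\.0\.1):[0-9]+$/) continue
                if (a ~ /^(tcp6|udp6):\[::1\]:[0-9]+$/) continue
                print a
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: one loopback listener and one wildcard listener.
sample=$(mktemp)
printf '%s\n' 'master agentx' \
    'agentXSocket tcp:localhost:705,tcp:0.0.0.0:705' > "$sample"

name=$(default_context_name host.example.com 389)
if context_name_ok "$name"; then echo "context name OK: $name"; fi
if ! exposed=$(agentx_exposed "$sample"); then
    echo "AgentX listener not restricted to this host: $exposed"
fi
rm -f "$sample"
```

Any address form the check does not recognize as local is reported, so review flagged entries rather than treating them all as misconfigurations.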
Set up a trap client to see the alerts that are generated by the Directory Proxy Server. Create a config file in
/tmp/snmptrapd.conf and add the directive below to it. The
directive specifies that the trap client can process traps using the public community
string, and can log and trigger executable actions.
authcommunity log,execute public
Install the MIB definitions for the Net-SNMP client tools, usually located in the
$ cp resource/mib/* /usr/share/snmp/mibs
Then, run the trap client using the snmptrapd command. In the
following example, the command does not create a new process using
fork() from the calling shell (-f), does not
read any configuration files (-C) except the one specified with the
-c option, prints to standard output (-Lo), and
turns on debugging output for the User-based Security
Module (-Dusm). The path after the
-M option is a directory that contains the MIBs shipped with our product (i.e., server-root/resource/mib).
$ snmptrapd -f -C -c /tmp/snmptrapd.conf -Lf /root/trap.log -Dusm \
    -m all -M +/usr/share/snmp/mibs
Run the Net-SNMP client tools to test the feature. The following options are
required: -v <SNMP version>, -u <user
name>, -A <user password>, -l
<security level>, -n <context name (instance
name)>. The -m all option loads all MIBs in the
default MIB directory in /usr/share/snmp/mibs so that MIB names can
be used in place of numeric OIDs.
$ snmpget -v 3 -u snmpuser -A password -l authNoPriv -n host.example.com:389 \
    -m all localhost localDBBackendCount.0
$ snmpwalk -v 3 -u snmpuser -A password -l authNoPriv -n host.example.com:389 \
    -m all localhost systemStatus