IBM Support

idsmonitor.ksh script for troubleshooting system resource usage

Question & Answer


Question

This technote provides a script for monitoring resource usage on UNIX/Linux servers that can help detect and debug memory leaks, LDAP client connection leaks, and unexpected OS resource usage.

Answer

Download the script from the bottom of this page and transfer it to the AIX/Linux/Solaris system where SDS/TDS is running. Keep it in a folder with sufficient disk space to hold the monitoring output. Then extract the archive and rename the script:

tar -xvf idsmonitor-1.4.0.tar
chmod 755 idsmonitor-1.4.0.ksh
mv idsmonitor-1.4.0.ksh idsmonitor.ksh

Note: With SDS 6.4, the idsmonitor script is also shipped with SDS and is available in the following location:

    AIX/Solaris: /opt/IBM/ldap/V6.4/support/idsmonitor
    Linux: /opt/ibm/ldap/V6.4/support/idsmonitor


Most of the options for idsmonitor.ksh exist to handle SDS/TDS servers that do not use default values, or to give the user more control over the output. In many cases, running the script without options will work:

./idsmonitor.ksh -I <instanceName> &

However, if the SDS/TDS LDAP Server is not running on default ports, if anonymous binds are disabled, or if the server only accepts SSL connections, it will be necessary to use the options below to get the script running correctly.

The options for the idsmonitor.ksh script try to mimic the usage of many of the standard LDAP client command line options. See the idsmonitor README included in the tar file for more information about the specific options.

To check if there is an updated version of this script, please go here:

http://www.ibm.com/support/docview.wss?uid=swg21282708

Examples:

1. If one desires to write the output to a specific location, run the script like:

./idsmonitor.ksh -I <instanceName> -o idsmonitor.out &

2. If only SSL connections are allowed, use the -Z, -P and -K flags as one would with the standard SDS/TDS client utilities:

./idsmonitor.ksh -I <instanceName> -Z -P secret -K /opt/certs/ldap.kdb &

3. If anonymous binds are disabled, use the -D and -w flags as one would with the standard SDS/TDS client utilities. Note that when passing "?" to the -w flag, the script will prompt the user for the password. In this case, one cannot redirect standard output and standard error when running the script, or else the script will appear to hang indefinitely (it's actually waiting for a value to be entered):

./idsmonitor.ksh -I <instanceName> -D cn=root -w secret -o idsmonitor.out &

4. If the data needs to be sampled more frequently than every 5 minutes (the default), then do:

./idsmonitor.ksh -I <instanceName> -D cn=root -w secret -d 60 -o idsmonitor.out

The unit for the -d argument is in seconds.

5. If no output is desired on standard out, then run the script like this to redirect all output to a debug file:

./idsmonitor.ksh -I <instanceName> -D cn=root -w secret -o idsmonitor.out > idsmonitor.dbg 2>&1 &

However, the script attempts to print errors when running the commands to standard output, so running the script like this might prevent the user from noticing a problem with how they ran the script.

The script will attempt to detect if there isn't a running ibmslapd process.

You can stop the script using standard shell facilities: press Ctrl-C in the shell where it is running (if it is in the background, run 'fg' first, then press Ctrl-C), or run kill on its PID.

To check the progress of the script, do:

tail -f /path/to/outputfile

6. Previously, certain versions of the script would automatically run replication status searches if an admin dn and password were passed in to idsmonitor. Starting with version 1.0.6, however, you must explicitly enable this with the -r flag (and pass in the admin and password):

ksh idsmonitor.ksh -I <instanceName> -D cn=root -w secret -p 1389 -r

7. To collect memory-leak debug info on AIX or Linux, pass in the -m flag:

ksh idsmonitor.ksh -I <instanceName> -D cn=root -w secret -p 1389 -m

This uses svmon -P <pid> and pmap <pid>, respectively, on AIX and Linux.

8. To only run a specific number of iterations of data collection (for example, if you want to only collect an hour of monitoring data), use the -l flag:

ksh idsmonitor.ksh -I <instanceName> -D cn=root -w secret -p 1389 -l 12

Since the default cycle is 300 seconds, 12 iterations will collect 60 minutes worth of monitoring data (although you'd typically want to let it run much longer than this).

9. To run this and use a bind dn and password and hide the password from ps output, run the script like this:

ksh idsmonitor.ksh -I <instanceName> -D cn=root -w ? -d 30 -o /tmp/idsmonitor.out

Note: running the script like this prompts you for the password, so you can't daemonize it as in example 5, or the script will appear to hang indefinitely. What it's really doing, of course, is waiting for the password on standard input, and since the script was daemonized, there is no way to enter it.

In one case in testing this (on AIX 6.1), I had to wrap the question mark in single-quotes to be prompted for the password.

10. To pass in passwords with a character that's meaningful to the shell, wrap the password in single-quotes, e.g.:

ksh idsmonitor.ksh -I <instanceName> -D cn=root -w 'secret$1234' -o /tmp/idsmonitor.out
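Example 9 exists because a password given to -w is visible in ps output, and the same applies to the key database password given to -P in example 2. The following check is an added example, not part of the IBM script or technote: it reads `ps -eo pid,args` style lines and reports which idsmonitor processes expose a secret. The function names and sample lines are constructed for illustration, and it assumes the script runs under the name idsmonitor.ksh.

```sh
#!/bin/sh
# Added example: flag idsmonitor command lines that expose a secret in ps output.
# Input:  lines of "PID ARGS..." as produced by `ps -eo pid,args`.
# Output: one "PID STATUS" line per idsmonitor.ksh process.
audit_idsmonitor_args() {
    awk '
    /idsmonitor\.ksh/ {
        status = "no-secret"
        for (i = 2; i < NF; i++) {
            # -w is the bind password, -P the key database password.
            if (($i == "-w" || $i == "-P") && $(i + 1) != "?") {
                status = "exposed:" $i      # literal secret on the command line
                break
            } else if ($i == "-w") {
                status = "prompted"         # "-w ?": password read interactively
            }
        }
        print $1, status
    }'
}

# Constructed sample lines, shaped like `ps -eo pid,args` output.
# Shell quoting is already gone by the time ps sees the arguments,
# so -w '?' shows up as -w ?.
sample_ps() {
    cat <<'EOF'
 4101 ksh ./idsmonitor.ksh -I inst1 -D cn=root -w secret -o idsmonitor.out
 4102 ksh idsmonitor.ksh -I inst1 -D cn=root -w ? -d 30 -o /tmp/idsmonitor.out
 4103 ksh ./idsmonitor.ksh -I inst1 -Z -P secret -K /opt/certs/ldap.kdb
 4104 ksh ./idsmonitor.ksh -I inst1
 4105 ibmslapd -I inst1
EOF
}

sample_ps | audit_idsmonitor_args
```

On a live host, pipe `ps -eo pid,args` into audit_idsmonitor_args instead of the sample; any line reported as exposed means the secret is readable by every local user for as long as the script runs.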

Version 1.4.0, modified Apr 24, 2018

Changes in last version:

# Get instance name
# Fixes for one time commands.

Some customers have reported problems downloading the tar file from this technote using Internet Explorer. Sometimes using an alternative browser will work (e.g., Firefox, Chrome, Epiphany).

idsmonitor-1.4.0.tar download:

idsmonitor-1.4.0.tar


Product Synonym

ITDS;TDS;IBM Tivoli Directory Server;IBM Security Directory Server;SDS;Directory Server;Directory;Secureway;Tivoli Directory Server;IDS;LDAP

Document Information

Modified date:
16 June 2018

UID

swg21282708