Alex Corcoles via FreeIPA-users wrote:
On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein <jochen(a)jochen.org> wrote:
I'm using
https://github.com/peterpakos/checkipaconsistency to monitor
my replicas.
Yeah, but I'm not exactly reassured by choosing one of the many plugins
out there, or running them all. It would be great to push for an
official check.
There are not that many plugins doing this that I know of.
I'm pretty sure there is a nagios script that looks at the agreement in
LDAP, or the output of ipa-replica-manage list -v `hostname` to look for
replication issues.
For a more full-blown view there is
http://cnmonitor.sourceforge.net/
389-ds instructions for this are at
http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monit...
The team has talked about a monitoring script but for now Peter's script
is filling the void.
I might be willing to help, but I'd need documentation about what (and
how) to check, but that's basically 90% of the work. I would propose
assimilating the best-looking plugin out there and expanding it every
time someone reports some broken thing that needs proactive fixing.
Any way we can help this happen?
Right now we had some problems with certificates not/halfway renewing,
so some tool to check LDAP against the different cert-stores might be
helpful.
$ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
Actually changing "3 years" to something inferior to the margin FreeIPA
starts renewing certificates should warn you that something is amiss.
Server certs in IPA are good for 2 years.
We have in mind a tool to troubleshoot cert issues but haven't yet
started work on it.
rob
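
The cert-find query discussed above, turned into a Nagios-style check. This is an added example, not part of the original thread or of FreeIPA's own tooling. The script name, the 14-day threshold, the sample output and the field labels it parses ("Serial number:", "Not After:", "Number of entries returned") are assumptions; `--validnotafter-from` is added to keep already-expired certificates out of the result.

```shell
#!/bin/sh
# Added example: Nagios-style wrapper around the `ipa cert-find` call above.
# Assumes a Kerberos ticket, GNU date, and these labels in the CLI text output:
# "Serial number:", "Not After:", "Number of entries returned".

# Constructed sample output (hypothetical hosts, not from a real deployment).
SAMPLE='  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Not After: Sat Feb 10 16:25:00 2018 UTC
  Serial number: 11
  Serial number (hex): 0xB

  Subject: CN=ipa2.example.test,O=EXAMPLE.TEST
  Not After: Mon Feb 12 09:00:00 2018 UTC
  Serial number: 12
  Serial number (hex): 0xC
----------------------------
Number of entries returned 2
----------------------------'

# stdin: cert-find output; stdout: one "serial|not-after" line per certificate.
parse_certs() {
    awk '
        function emit() { if (serial != "") print serial "|" notafter; serial = ""; notafter = "" }
        /^ *Serial number:/ { serial = $NF }
        /^ *Not After:/     { sub(/^ *Not After: */, ""); notafter = $0 }
        /^ *$/ || /^-+$/    { emit() }
        END                 { emit() }'
}

# Nagios exit codes: 0 OK, 2 CRITICAL, 3 UNKNOWN.
report() {
    out=$(cat)
    case "$out" in
        *"Number of entries returned"*) ;;
        # No footer: the ipa call itself failed (e.g. no ticket); never report OK.
        *) echo "UNKNOWN: no result footer from ipa cert-find"; return 3 ;;
    esac
    certs=$(printf '%s\n' "$out" | parse_certs)
    [ -n "$certs" ] || { echo "OK: nothing expiring inside the window"; return 0; }
    echo "CRITICAL: not renewed: $(printf '%s\n' "$certs" | tr '\n' ';')"
    return 2
}

if [ $# -gt 0 ]; then   # live: ./check_ipa_certs.sh 14 (days, below the renewal margin)
    ipa cert-find --validnotafter-from="$(date +%Y-%m-%d)" \
        --validnotafter-to="$(date --date="$1 days" +%Y-%m-%d)" 2>&1 | report
    exit $?
fi
printf '%s\n' "$SAMPLE" | report || true   # offline demo on the constructed sample
```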