Hi List, 

I use ipa_check_consistency as one of my Nagios monitors. It runs every 5 minutes on each ipa server. For example: 

[root@ipa0 ~]# /usr/local/sbin/ipa_check_consistency -d example.com -H ipa0
Directory Manager password: 
FreeIPA servers:    ipa0    STATE
=================================
Active Users        1422    OK
Stage Users         0       OK
Preserved Users     10      OK
User Groups         75      OK
Hosts               848     CRITICAL
Host Groups         39      OK
HBAC Rules          593     OK
SUDO Rules          8       OK
DNS Zones           16      OK
Certificates        244     OK
LDAP Conflicts      NO      OK
Ghost Replicas      NO      OK
Anonymous BIND      YES     OK
Replication Status  ipa2 0  OK
                    ipa1 0
                    ipa3 0
                    ipa5 0
=================================
[root@ipa0 ~]#


All ipa servers report OK for all components, but there is one ipa server which alerts CRITICAL multiple times every day. The inconsistency alerts are in different components, for example "Hosts", "Active Users", and so on; however, it never alerts for "Replication Status" and "LDAP Conflicts". This is also the only ipa server within the domain on which I see "Timed out" like the following in its /var/log/dirsrv/slapd-EXAMPLE-COM/errors log: 

[14/Sep/2021:06:55:40.694662470 -0700] - ERR - slapd_poll - (429) - Timed out
[14/Sep/2021:16:08:45.441598637 -0700] - ERR - slapd_poll - (1211) - Timed out
[14/Sep/2021:16:08:55.452150573 -0700] - ERR - slapd_poll - (1211) - Timed out
[14/Sep/2021:16:09:05.460069764 -0700] - ERR - slapd_poll - (1211) - Timed out


However, the timestamps of the above may not match when ipa_check_consistency alerts. 

This ipa server's OS is CentOS 7-8.2003.0 and IPA version is 4.6.8, API: 2.237. 

[root@ipa0 ~]# rpm -qa 389\*
389-ds-base-snmp-1.3.10.1-14.el7_8.x86_64
389-ds-base-libs-1.3.10.1-14.el7_8.x86_64
389-ds-base-1.3.10.1-14.el7_8.x86_64
[root@ipa0 ~]# rpm -qa slapi\*
slapi-nis-0.56.0-13.el7.x86_64
[root@ipa0 ~]# 


This may not be the same issue or connected. However, I feel that something in the configuration of this ipa server is not correct, but I do not know what, since I have other ipa servers which have the same OS, ipa version and so on but do not exhibit this behavior. Does anyone have any ideas for troubleshooting? 

Thanks!

Kathy.
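
Added example, not part of the original message: one way to check whether the slapd_poll "Timed out" entries fall shortly before the consistency alerts. The log lines are the four quoted above; the alert times, the 5-minute window (taken from the check interval) and the function names are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Line layout as it appears in the errors log quoted in the message.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"(?P<tz>[+-]\d{4})\] - ERR - slapd_poll - \((?P<num>\d+)\) - Timed out\s*$"
)

def parse_timeouts(lines):
    """Return (timezone-aware datetime, number in parentheses) per timeout line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a slapd_poll timeout entry
        # The log has nanoseconds; datetime keeps microseconds, so truncate.
        stamp = f"{m['ts']}.{m['frac'][:6]} {m['tz']}"
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S.%f %z")
        out.append((when, int(m["num"])))
    return out

def timeouts_before_alerts(alerts, timeouts, window=timedelta(minutes=5)):
    """Map each alert time to the timeouts logged within `window` before it."""
    return {
        alert: [t for t in timeouts if timedelta(0) <= alert - t[0] <= window]
        for alert in alerts
    }

ERRORS_LOG = [
    "[14/Sep/2021:06:55:40.694662470 -0700] - ERR - slapd_poll - (429) - Timed out",
    "[14/Sep/2021:16:08:45.441598637 -0700] - ERR - slapd_poll - (1211) - Timed out",
    "[14/Sep/2021:16:08:55.452150573 -0700] - ERR - slapd_poll - (1211) - Timed out",
    "[14/Sep/2021:16:09:05.460069764 -0700] - ERR - slapd_poll - (1211) - Timed out",
]

# Constructed alert times (assumption): when the Nagios check went CRITICAL.
UTC_MINUS_7 = timezone(timedelta(hours=-7))
ALERTS = [
    datetime(2021, 9, 14, 12, 0, tzinfo=UTC_MINUS_7),
    datetime(2021, 9, 14, 16, 10, tzinfo=UTC_MINUS_7),
]

if __name__ == "__main__":
    hits = timeouts_before_alerts(ALERTS, parse_timeouts(ERRORS_LOG))
    for alert, near in hits.items():
        print(alert.isoformat(), "timeouts in window:", len(near))
```

In practice the alert times would come from the Nagios state history for this check, and the log lines from /var/log/dirsrv/slapd-EXAMPLE-COM/errors.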