Alex Corcoles via FreeIPA-users wrote:
> On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein <
jochen@jochen.org> <mailto:
jochen@jochen.org>> wrote:
>
> I'm using
https://github.com/peterpakos/checkipaconsistency> <
https://github.com/peterpakos/checkipaconsistency> to monitor
> my replicas.
>
>
> Yeah, but I'm not exactly reassured by choosing on of the many plugins
> out there- or running them all. It would be great to push for an
> official check.
There are not that many plugins doing this that I know of.
I'm pretty sure there is a nagios script that looks at the agreement in
LDAP, or the output of ipa-replica-manage list -v `hostname` to look for
replication issues.
For a more full-blown view there is
http://cnmonitor.sourceforge.net/389-ds instructions for this are at
http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monitor-ldap-monitoring.htmlThe team has talked about a monitoring script but for now Peter's script
is filling the void.
>
> I'm might be willing to help, but I'd need documentation about what (and
> how) to check, but that's basically 90% of the work. I would propose
> assimilating the best-looking plugin out there and expanding it every
> time sometime reports some broken thing that needs proactive fixing.
>
> Any way we can help this happen?
>
> Right now we had some problems with certificates not/halfway renewing,
> so some tool to check LDAP against the different cert-stores might be
> helpful.
>
>
> $ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
>
> Actually changing "3 years" to something inferior to the margin FreeIPA
> starts renewing certificates should warn you that something is amiss.
Server certs in IPA are good for 2 years.
We have in mind a tool to troubleshoot cert issues but haven't yet
started work on it.