Hello Again Alexander,
Do you know what permissions are needed to allow a particular user to be
used as the bind-dn for that script?
I tried using these two LDIFs but got a different result than if I used my
directory admin user (which I don't want to use in a zabbix script for
obvious security reasons):

dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

dn: cn="o=ipaca",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:
(above command gives incorrect output) =
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users                        OK
Stage Users                         OK
Preserved Users                     OK
User Groups         67      67      OK
Hosts                               OK
Host Groups                         OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           0       0       OK
Certificates        0       0       OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      ERROR   ERROR   FAIL
Anonymous BIND                      OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================
(correct output if directory admin is used) =
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users        192     192     OK
Stage Users         0       0       OK
Preserved Users     0       0       OK
User Groups         67      67      OK
Hosts               45      45      OK
Host Groups         2       2       OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           6       6       OK
Certificates        155     155     OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      NO      NO      OK
Anonymous BIND      YES     YES     OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================
Would you, or anyone else in the list, be able to tell me what permissions
I should be setting? If I use my own account, I get the same result as the
directory admin.
Thanks again,
Anthony Clark
On Wed, Aug 16, 2017 at 10:39 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On Wed, 16 Aug 2017, Anthony Clark via FreeIPA-users wrote:
> Hello All,
>
> I was wondering if anyone has written a health check script for FreeIPA?
>
> How do you all check replication (and IPA server health)?
>
https://github.com/peterpakos/ipa_check_consistency/
--
/ Alexander Bokovoy