Thank you!

On Wed, Aug 16, 2017 at 10:30 AM, Ludwig Krispenz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:
Hello All,

I was wondering if anyone has written a health check script for FreeIPA?
 don't think soemthing IPA specific exists, but soemone can correct me

How do you all check replication (and IPA server health)?
 There are two approaches:
1] check the individual agreements, especially the update status
2] check the RUV (replication update vector) as you did with your search below.
Both approaches need to be handled with care because of the dynamics of replication

1] you always only get the status of a single agreement, the update status can change and many "failure" states are transient. A documentation of the update states of an agreement can be found here:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#replication_agreement_status

2] the RUV, as found by the search for "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))"  tracks the highest csn a server has  seen for a specific replica id, the maxcsn which is the last csn in the output like:
nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389}  529d000000610000 58deae97000500610000

If replication is in sync the RUVs on all servers will be identical, but in a highly active environment you will probably never be in this state, there will be changes on soem servers not yet replicated to all others. But what you should see is that the maxcsns of each replicaid, if not equal, are changing and moving forward.

There is also a script delivered with 389-ds to monitor replication, but I myself usually look at the raw ruvs. You can have a look at the script:
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#repl_monitor.pl_Monitor_replication_status

I did some digging and know that I can run this command to check replication:

ldapsearch -D "cn=directory manager" -W -b "o=ipaca" "(&(objectclass=nstombstone)(nsUniqueId=ffffffff-ffffffff-ffffffff-ffffffff))" nscpentrywsi

But the output didn't show an error:

ns01:

nscpentrywsi: nsDS5ReplicaId: 96
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711
 528b000000600000 599444dd000000600000
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711
 529d000000610000 58deae97000500610000

ns02:

nscpentrywsi: nsDS5ReplicaId: 97
nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711
 529d000000610000 58deae97000500610000
nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711
 528b000000600000 595a8aff000100600000

But running this showed a difference:

[root@ns02 ~]# ipa user-find example
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

[root@ns01 ~]# ipa user-find example
--------------
1 user matched
--------------
  User login: example
... extra lines removed ...
----------------------------
Number of entries returned 1
----------------------------

(running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net" and then "ipa-csreplica-manage -v re-initialize --from ns01.dev.example.net" did fix the error, but I wasn't certain "why" it worked)

Which log files on my two hosts should I be looking at to find out if there's an error in IPA?

Normally I'd run a script and then, depending on the exit code, I'd use "zabbix_sender" to push a status code to my monitoring system.  Does anyone else do something like that?

Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail account and searched for a bunch of terms, but I could have missed something.

Thanks for any help on this, I'm very puzzled both on the health monitoring and the replication issue.

-Anthony


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org


-- 
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, 
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org