I know this is an old thread, but there are no changes to FreeIPA that cnmonitor might conflict with, are there?

On Thursday, February 1, 2018 1:34 PM, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Alex Corcoles via FreeIPA-users wrote:
> On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein <jochen@jochen.org> wrote:
>    I'm using https://github.com/peterpakos/checkipaconsistency to monitor
>    my replicas.
> Yeah, but I'm not exactly reassured by choosing one of the many plugins
> out there, or running them all. It would be great to push for an
> official check.

There are not that many plugins doing this that I know of.

I'm pretty sure there is a nagios script that looks at the agreement in
LDAP, or the output of ipa-replica-manage list -v `hostname` to look for
replication issues.

For a more full-blown view there is http://cnmonitor.sourceforge.net/

389-ds instructions for this are at

The team has talked about a monitoring script but for now Peter's script
is filling the void.

> I might be willing to help, but I'd need documentation about what (and
> how) to check, but that's basically 90% of the work. I would propose
> assimilating the best-looking plugin out there and expanding it every
> time someone reports some broken thing that needs proactive fixing.
> Any way we can help this happen?
>    Right now we had some problems with certificates not/halfway renewing,
>    so some tool to check LDAP against the different cert-stores might be
>    helpful.
> $ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
> Actually changing "3 years" to something inferior to the margin FreeIPA
> starts renewing certificates should warn you that something is amiss.

Server certs in IPA are good for 2 years.

We have in mind a tool to troubleshoot cert issues but haven't yet
started work on it.
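
An added example, not part of the thread and not FreeIPA or checkipaconsistency code: the `ipa cert-find` expiry check discussed above, written as a Nagios-style check in Python. The text layout of the constructed `SAMPLE` (field names and date format), the function names, and the margin value passed in are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the text layout assumed for `ipa cert-find` output.
SAMPLE = """\
  Subject: CN=ipa1.example.test,O=EXAMPLE.TEST
  Not After: Mon Mar 02 10:00:00 2020 UTC
  Serial number: 11
  Serial number (hex): 0xB
  Status: VALID

  Subject: CN=ipa2.example.test,O=EXAMPLE.TEST
  Not After: Tue Jun 01 10:00:00 2021 UTC
  Serial number: 12
  Status: VALID

  Subject: CN=old.example.test,O=EXAMPLE.TEST
  Not After: Sat Feb 01 10:00:00 2020 UTC
  Serial number: 9
  Status: REVOKED
"""
FIELD = re.compile(r"^\s*(Subject|Not After|Serial number|Status):\s*(.*)$")
STAMP = "%a %b %d %H:%M:%S %Y UTC"  # assumed date layout, as in SAMPLE

def parse_certs(text):
    """Return one dict per certificate entry; a repeated field starts a new entry."""
    certs, cur = [], {}
    for key, value in (m.groups() for m in map(FIELD.match, text.splitlines()) if m):
        if key in cur:
            certs.append(cur)
            cur = {}
        cur[key] = value.strip()
    return certs + ([cur] if cur else [])

def expiring(text, now, margin_days):
    """(serial, subject, days left) for VALID certs expiring within margin_days."""
    hits = []
    for c in parse_certs(text):
        # Entries not marked VALID (REVOKED in the sample) are skipped.
        if c.get("Status") == "VALID" and "Not After" in c:
            end = datetime.strptime(c["Not After"], STAMP).replace(tzinfo=timezone.utc)
            if end <= now + timedelta(days=margin_days):
                hits.append((c["Serial number"], c["Subject"], (end - now).days))
    return sorted(hits, key=lambda h: h[2])

def check(text, now, margin_days):
    """Nagios-style exit code: 0 OK, 1 WARNING (inside margin), 2 CRITICAL (expired)."""
    hits = expiring(text, now, margin_days)
    return (0 if not hits else 2 if hits[0][2] < 0 else 1), hits
```

Pass `check()` the captured output of `ipa cert-find` and the current UTC time; set `margin_days` below the point at which renewal should already have happened, so any hit means renewal did not complete.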
