Hello Again Alexander,

Do you know what permissions are needed to allow a particular user to be
used as the bind-dn for that script?

I tried using these two LDIFs but got a different result than if I used my
directory admin user (which I don't want to use in a Zabbix script for
obvious security reasons):

dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";;)

dn: cn="o=ipaca",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";;)


./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:

(above command gives incorrect output) =
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users                        OK
Stage Users                         OK
Preserved Users                     OK
User Groups         67      67      OK
Hosts                               OK
Host Groups                         OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           0       0       OK
Certificates        0       0       OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      ERROR   ERROR   FAIL
Anonymous BIND                      OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================

(correct output if directory admin is used) =
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users        192     192     OK
Stage Users         0       0       OK
Preserved Users     0       0       OK
User Groups         67      67      OK
Hosts               45      45      OK
Host Groups         2       2       OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           6       6       OK
Certificates        155     155     OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      NO      NO      OK
Anonymous BIND      YES     YES     OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================


Would you, or anyone else on the list, be able to tell me what permissions
I should be setting?  If I use my own account, I get the same result as the
directory admin.

Thanks again,

Anthony Clark



On Wed, Aug 16, 2017 at 10:39 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 16 Aug 2017, Anthony Clark via FreeIPA-users wrote:
>
>> Hello All,
>>
>> I was wondering if anyone has written a health check script for FreeIPA?
>>
>> How do you all check replication (and IPA server health)?
>>
> https://github.com/peterpakos/ipa_check_consistency/
>
>
> --
> / Alexander Bokovoy
>
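
Added example, not part of the original message and not code from ipa_check_consistency: a small Python helper that compares a report taken with a restricted bind DN against a reference report and lists the checks where the restricted account got no data, including rows where the STATE column still said OK. The names `parse_report`, `unreadable_checks` and `NO_DATA` are hypothetical, and the parser assumes the fixed-width layout shown in the output above.

```python
import re

# Constructed sample: rows copied from the two reports in the message above.
RESTRICTED = """\
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users                        OK
Ghost Replicas      ERROR   ERROR   FAIL
Anonymous BIND                      OK
Replication Status  ns02 0  ns01 0
"""
ADMIN = """\
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users        192     192     OK
Ghost Replicas      NO      NO      OK
Anonymous BIND      YES     YES     OK
Replication Status  ns02 0  ns01 0
"""
NO_DATA = ("", "ERROR")  # assumption: these cell values mean "nothing was readable"


def parse_report(text):
    """Return {check: (cells_per_server, state)} using the header's column offsets."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("=")]
    # Skip the two words of "FreeIPA servers:"; the rest are server names and STATE.
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])][2:]
    rows = {}
    for ln in lines[1:]:
        # Fixed-width slicing keeps blank cells aligned; split() would drop them.
        cells = [ln[a:b].strip() for a, b in zip(starts, starts[1:])]
        rows[ln[:starts[0]].strip()] = (cells, ln[starts[-1]:].strip())
    return rows


def unreadable_checks(restricted, reference):
    """Return {check: restricted STATE} where only the reference run has data."""
    low, ref = parse_report(restricted), parse_report(reference)
    flagged = {}
    for check, (cells, state) in low.items():
        ref_cells = ref.get(check, ([], ""))[0]
        if any(c in NO_DATA and r not in NO_DATA for c, r in zip(cells, ref_cells)):
            flagged[check] = state
    return flagged


if __name__ == "__main__":
    for check, state in unreadable_checks(RESTRICTED, ADMIN).items():
        print(f"{check}: no data for restricted bind (STATE column said {state})")
```

A monitoring wrapper built on this should alert on blank cells rather than on the STATE column alone, since the restricted run above reports OK for rows it could not count.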
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org