Hello Again Alexander,

Do you know what permissions are needed to allow a particular user to be used as the bind-dn for that script?

I tried using these two LDIFs but got a different result than if I used my directory admin user (which I don't want to use in a Zabbix script for obvious security reasons):

dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

dn: cn="o=ipaca",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:

(above command gives incorrect output) =

FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users                        OK
Stage Users                         OK
Preserved Users                     OK
User Groups         67      67      OK
Hosts                               OK
Host Groups                         OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           0       0       OK
Certificates        0       0       OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      ERROR   ERROR   FAIL
Anonymous BIND                      OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================

(correct output if directory admin is used) =

FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users        192     192     OK
Stage Users         0       0       OK
Preserved Users     0       0       OK
User Groups         67      67      OK
Hosts               45      45      OK
Host Groups         2       2       OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           6       6       OK
Certificates        155     155     OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      NO      NO      OK
Anonymous BIND      YES     YES     OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================

Would you, or anyone else in the list, be able to tell me what permissions I should be setting? If I use my own account, I get the same result as the directory admin.

Thanks again,
Anthony Clark

On Wed, Aug 16, 2017 at 10:39 AM, Alexander Bokovoy <[email protected]> wrote:

> On Wed, 16 Aug 2017, Anthony Clark via FreeIPA-users wrote:
>
>> Hello All,
>>
>> I was wondering if anyone has written a health check script for FreeIPA?
>>
>> How do you all check replication (and IPA server health)?
>>
> https://github.com/peterpakos/ipa_check_consistency/
>
>
> --
> / Alexander Bokovoy
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
