Thanks for all the suggestions guys.

I was already working on an ldapsearch, so in the end I've gone with:

/usr/bin/ldapsearch -h ipaserver.example.com -x -LLL -o nettimeout=2 -b
"fqdn=client.example.com,cn=computers,cn=accounts,dc=example,dc=com"
localityName

Reason being that we demand an object is pre-created in IdM/FreeIPA
before the install takes place.  We then use localityName to describe
roughly where in our maze of VLAN's the client actually sits.  I know I
could search for something more generic to provide a response, but it
seems to make sense to check that the data we expect for a client is
actually in LDAP already.

There's a list of 8 IPA servers to check, so the timeout ensures we
don't waste time waiting around for responses that just aren't going to
come.

Working well for now.

Cheers

Duncan

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: 27 October 2014 13:45
To: Innes, Duncan
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Test connectivity before joining domain

On Mon, 27 Oct 2014 12:13:46 -0000
"Innes, Duncan" <duncan.in...@virginmoney.com> wrote:

> Hi,
>  
> Have been using `ping` to test connectivity from our clients to the 
> various IPA servers around the WAN before running an ldapsearch to 
> pull some details about the client from the LDAP database.
>  
> Several new VLAN's have now come online that do not permit ping 
> traffic to be transmitted outside the VLAN, so clients on these LAN's 
> think they can't see any of my IPA servers and then fail the domain 
> join during the kickstart phase.
>  
> Wondering if there's a consensus on how to check connectivity to IPA 
> servers on the network?  Something that I can use during the kickstart

> post-install phase.
>  
> Current effort is:
>  
> wget --timeout=1 --tries=1 --no-check-certificate 
> https://ipaserver1.example.com
>  
> and then test $? for result.  But this only tests ports 80/443 - which

> authentication clients wont necessarily have access on.  Can I 
> reliably test the other FreeIPA ports?  389, 636, 88, 464?  These are 
> the ports that clients have to be allowed access to the IPA servers.

Duncan,
if you know python you can look into the ipa-replica-install tool, as it
does a full check of accessibility. You do not need all those tests (as
you do not need connection back from the server for example). But you
can take inspiration there to see how we test each service.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

This message has been checked for viruses and spam by the Virgin Money
email scanning system powered by Messagelabs.

This message has been checked for viruses and spam by the Virgin Money email 
scanning system powered by Messagelabs.

This e-mail is intended to be confidential to the recipient. If you receive a 
copy in error, please inform the sender and then delete this message.

Virgin Money plc - Registered in England and Wales (Company no. 6952311). 
Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. 
Virgin Money plc is authorised by the Prudential Regulation Authority and 
regulated by the Financial Conduct Authority and the Prudential Regulation 
Authority.

The following companies also trade as Virgin Money. They are both authorised 
and regulated by the Financial Conduct Authority, are registered in England and 
Wales and have their registered office at Jubilee House, Gosforth, Newcastle 
upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 
3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482).

For further details of Virgin Money group companies please visit our website at 
virginmoney.com

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to