[Freeipa-users] Re: Replication health check

2017-08-17 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 16 Aug 2017, Anthony Clark via FreeIPA-users wrote:

> Hello Again Alexander,
>
> Do you know what permissions are needed to allow a particular user to be
> used as the bind-dn for that script?

'cn=Directory Manager' is expected. I'm not an author, so you can open
issues on GitHub for the project itself.



> I tried using these two LDIFs but got a different result than if I used my
> directory admin user (which I don't want to use in a zabbix script for
> obvious security reasons):
>
> dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)
>
> dn: cn="o=ipaca",cn=mapping tree,cn=config
> changetype: modify
> add: aci
> aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)
>
> ./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
> uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:
>
> (above command gives incorrect output)
> =========================================
> FreeIPA servers:    ns01    ns02    STATE
> =========================================
> Active Users                        OK
> Stage Users                         OK
> Preserved Users                     OK
> User Groups         67      67      OK
> Hosts                               OK
> Host Groups                         OK
> HBAC Rules          16      16      OK
> SUDO Rules          11      11      OK
> DNS Zones           0       0       OK
> Certificates        0       0       OK
> LDAP Conflicts      NO      NO      OK
> Ghost Replicas      ERROR   ERROR   FAIL
> Anonymous BIND                      OK
> Microsoft ADTrust   YES     YES     OK
> Replication Status  ns02 0  ns01 0
> =========================================
>
> (correct output if directory admin is used)
> =========================================
> FreeIPA servers:    ns01    ns02    STATE
> =========================================
> Active Users        192     192     OK
> Stage Users         0       0       OK
> Preserved Users     0       0       OK
> User Groups         67      67      OK
> Hosts               45      45      OK
> Host Groups         2       2       OK
> HBAC Rules          16      16      OK
> SUDO Rules          11      11      OK
> DNS Zones           6       6       OK
> Certificates        155     155     OK
> LDAP Conflicts      NO      NO      OK
> Ghost Replicas      NO      NO      OK
> Anonymous BIND      YES     YES     OK
> Microsoft ADTrust   YES     YES     OK
> Replication Status  ns02 0  ns01 0
> =========================================
>
> Would you, or anyone else in the list, be able to tell me what permissions
> I should be setting?  If I use my own account, I get the same result as the
> directory admin.

Sadly, I don't know the exact permissions to be used. They need to be found
out experimentally. This is one of the reasons why this script is not a part
of FreeIPA itself -- we wanted to find out a concise set of required
permissions before including it. Unfortunately, in the couple of years that the
script has existed nobody took time to investigate what permissions were
really needed.

--
/ Alexander Bokovoy
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: Replication health check

2017-08-16 Thread Anthony Clark via FreeIPA-users
Hello Again Alexander,

Do you know what permissions are needed to allow a particular user to be
used as the bind-dn for that script?

I tried using these two LDIFs but got a different result than if I used my
directory admin user (which I don't want to use in a zabbix script for
obvious security reasons):

dn: cn="dc=dev,dc=healthmedia,dc=net",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

dn: cn="o=ipaca",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=serviceaccounts,cn=groups,cn=accounts,dc=dev,dc=example,dc=net";)

./ipa_check_consistency -H "ns01 ns02" -d dev.example.net -D uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net
uid=zabbixbind,cn=users,cn=accounts,dc=dev,dc=example,dc=net password:

(above command gives incorrect output)
=========================================
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users                        OK
Stage Users                         OK
Preserved Users                     OK
User Groups         67      67      OK
Hosts                               OK
Host Groups                         OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           0       0       OK
Certificates        0       0       OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      ERROR   ERROR   FAIL
Anonymous BIND                      OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================

(correct output if directory admin is used)
=========================================
FreeIPA servers:    ns01    ns02    STATE
=========================================
Active Users        192     192     OK
Stage Users         0       0       OK
Preserved Users     0       0       OK
User Groups         67      67      OK
Hosts               45      45      OK
Host Groups         2       2       OK
HBAC Rules          16      16      OK
SUDO Rules          11      11      OK
DNS Zones           6       6       OK
Certificates        155     155     OK
LDAP Conflicts      NO      NO      OK
Ghost Replicas      NO      NO      OK
Anonymous BIND      YES     YES     OK
Microsoft ADTrust   YES     YES     OK
Replication Status  ns02 0  ns01 0
=========================================


Would you, or anyone else in the list, be able to tell me what permissions
I should be setting?  If I use my own account, I get the same result as the
directory admin.

Thanks again,

Anthony Clark



On Wed, Aug 16, 2017 at 10:39 AM, Alexander Bokovoy wrote:

> On ke, 16 elo 2017, Anthony Clark via FreeIPA-users wrote:
>
>> Hello All,
>>
>> I was wondering if anyone has written a health check script for FreeIPA?
>>
>> How do you all check replication (and IPA server health)?
>>
> https://github.com/peterpakos/ipa_check_consistency/
>
>
> --
> / Alexander Bokovoy
>


[Freeipa-users] Re: Replication health check

2017-08-16 Thread Anthony Clark via FreeIPA-users
Thank you!

On Wed, Aug 16, 2017 at 10:30 AM, Ludwig Krispenz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

>
> On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:
>
>> Hello All,
>>
>> I was wondering if anyone has written a health check script for FreeIPA?
>
> don't think something IPA specific exists, but someone can correct me
>
>> How do you all check replication (and IPA server health)?
>
> There are two approaches:
> 1] check the individual agreements, especially the update status
> 2] check the RUV (replication update vector) as you did with your search
> below.
> Both approaches need to be handled with care because of the dynamics of
> replication.
>
> 1] you always only get the status of a single agreement, the update status
> can change and many "failure" states are transient. A documentation of the
> update states of an agreement can be found here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#replication_agreement_status
>
> 2] the RUV, as found by the search for
> "(&(objectclass=nstombstone)(nsUniqueId=---))" tracks the highest csn
> a server has seen for a specific replica id, the maxcsn which is the last
> csn in the output like:
> nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 529d0061 58deae9700050061
>
> If replication is in sync the RUVs on all servers will be identical, but
> in a highly active environment you will probably never be in this state,
> there will be changes on some servers not yet replicated to all others. But
> what you should see is that the maxcsns of each replicaid, if not equal,
> are changing and moving forward.
>
> There is also a script delivered with 389-ds to monitor replication, but I
> myself usually look at the raw ruvs. You can have a look at the script:
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#repl_monitor.pl_Monitor_replication_status
>
>> I did some digging and know that I can run this command to check
>> replication:
>>
>> ldapsearch -D "cn=directory manager" -W -b "o=ipaca"
>> "(&(objectclass=nstombstone)(nsUniqueId=---))"
>> nscpentrywsi
>>
>> But the output didn't show an error:
>>
>> ns01:
>>
>> nscpentrywsi: nsDS5ReplicaId: 96
>> nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711 528b0060 599444dd0060
>> nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711 529d0061 58deae9700050061
>>
>> ns02:
>>
>> nscpentrywsi: nsDS5ReplicaId: 97
>> nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711 529d0061 58deae9700050061
>> nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711 528b0060 595a8aff00010060
>>
>> But running this showed a difference:
>>
>> [root@ns02 ~]# ipa user-find example
>> ---
>> 0 users matched
>> ---
>>
>> Number of entries returned 0
>>
>>
>> [root@ns01 ~]# ipa user-find example
>> --
>> 1 user matched
>> --
>>   User login: example
>> ... extra lines removed ...
>>
>> Number of entries returned 1
>>
>>
>> (running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net"
>> and then "ipa-csreplica-manage -v re-initialize --from
>> ns01.dev.example.net" did fix the error, but I wasn't certain "why" it
>> worked)
>>
>> Which log files on my two hosts should I be looking at to find out if
>> there's an error in IPA?
>>
>> Normally I'd run a script and then, depending on the exit code, I'd use
>> "zabbix_sender" to push a status code to my monitoring system.  Does anyone
>> else do something like that?
>>
>> Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail account
>> and searched for a bunch of terms, but I could have missed something.
>>
>> Thanks for any help on this, I'm very puzzled both on the health
>> monitoring and the replication issue.
>>
>> -Anthony
>
> --
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

[Freeipa-users] Re: Replication health check

2017-08-16 Thread Alexander Bokovoy via FreeIPA-users

On Wed, 16 Aug 2017, Anthony Clark via FreeIPA-users wrote:

> Hello All,
>
> I was wondering if anyone has written a health check script for FreeIPA?
>
> How do you all check replication (and IPA server health)?

https://github.com/peterpakos/ipa_check_consistency/


--
/ Alexander Bokovoy


[Freeipa-users] Re: Replication health check

2017-08-16 Thread Ludwig Krispenz via FreeIPA-users


On 08/16/2017 03:46 PM, Anthony Clark via FreeIPA-users wrote:

> Hello All,
>
> I was wondering if anyone has written a health check script for FreeIPA?

don't think something IPA specific exists, but someone can correct me

> How do you all check replication (and IPA server health)?

There are two approaches:
1] check the individual agreements, especially the update status
2] check the RUV (replication update vector) as you did with your search
below.
Both approaches need to be handled with care because of the dynamics of
replication.

1] you always only get the status of a single agreement, the update
status can change and many "failure" states are transient. A
documentation of the update states of an agreement can be found here:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#replication_agreement_status

2] the RUV, as found by the search for
"(&(objectclass=nstombstone)(nsUniqueId=---))"
tracks the highest csn a server has seen for a specific replica id, the
maxcsn which is the last csn in the output like:
nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 529d0061 58deae9700050061

If replication is in sync the RUVs on all servers will be identical, but
in a highly active environment you will probably never be in this state,
there will be changes on some servers not yet replicated to all others.
But what you should see is that the maxcsns of each replicaid, if not
equal, are changing and moving forward.

There is also a script delivered with 389-ds to monitor replication, but
I myself usually look at the raw ruvs. You can have a look at the script:

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html-single/Configuration_Command_and_File_Reference/index.html#repl_monitor.pl_Monitor_replication_status

> I did some digging and know that I can run this command to check
> replication:
>
> ldapsearch -D "cn=directory manager" -W -b "o=ipaca"
> "(&(objectclass=nstombstone)(nsUniqueId=---))"
> nscpentrywsi
>
> But the output didn't show an error:
>
> ns01:
>
> nscpentrywsi: nsDS5ReplicaId: 96
> nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711 528b0060 599444dd0060
> nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711 529d0061 58deae9700050061
>
> ns02:
>
> nscpentrywsi: nsDS5ReplicaId: 97
> nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} 5711 529d0061 58deae9700050061
> nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} 5711 528b0060 595a8aff00010060
>
> But running this showed a difference:
>
> [root@ns02 ~]# ipa user-find example
> ---
> 0 users matched
> ---
>
> Number of entries returned 0
>
>
> [root@ns01 ~]# ipa user-find example
> --
> 1 user matched
> --
>   User login: example
> ... extra lines removed ...
>
> Number of entries returned 1
>
>
> (running "ipa-replica-manage -v re-initialize --from ns01.dev.example.net"
> and then "ipa-csreplica-manage -v re-initialize --from
> ns01.dev.example.net" did fix the error, but I wasn't certain "why" it
> worked)
>
> Which log files on my two hosts should I be looking at to find out if
> there's an error in IPA?
>
> Normally I'd run a script and then, depending on the exit code, I'd
> use "zabbix_sender" to push a status code to my monitoring system.
> Does anyone else do something like that?
>
> Sorry if this is a FAQ, I have a lot of freeipa-users in my gmail
> account and searched for a bunch of terms, but I could have missed
> something.
>
> Thanks for any help on this, I'm very puzzled both on the health
> monitoring and the replication issue.
>
> -Anthony




--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

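An added example of the RUV comparison Ludwig describes above; it is not code from this thread, from FreeIPA or from 389-ds. It parses the "nscpentrywsi: nsds50ruv:" lines that Anthony's ldapsearch returns, takes the maxcsn (the last CSN of each element) and compares two snapshots taken a few minutes apart, so a replica id whose maxcsn is behind but still advancing ("catching up") is told apart from one that is behind and unchanged ("stuck"), which is the condition Ludwig says to watch for instead of plain inequality. The exit code is one way to drive zabbix_sender the way Anthony describes. It assumes the element shape shown in the thread and the standard 20-hex-digit CSN layout (8 hex seconds since the epoch, 4 sequence, 4 replica id, 4 subsequence); the hostnames and every CSN value in the sample snapshots are constructed, not taken from the thread.

```python
"""Compare 389-ds replication update vectors (RUVs) across FreeIPA servers.

Added example, not code from the thread, FreeIPA or 389-ds. Parses the
'nscpentrywsi: nsds50ruv:' lines of the RUV tombstone search, takes the
maxcsn of each element and compares two snapshots so a replica id that is
behind and NOT moving forward is told apart from one merely catching up.
Server names and all CSN values below are constructed.
"""
import re
from collections import namedtuple

# One RUV element: {replica <rid> <ldap url>} [<mincsn>] [<maxcsn>]
# A CSN is 20 hex digits: 8 seconds since epoch, 4 sequence, 4 replica id,
# 4 subsequence. Fixed width means plain string comparison orders CSNs correctly.
RUV_ELEMENT = re.compile(
    r"nsds50ruv:\s*\{replica (?P<rid>\d+) (?P<url>\S+)\}"
    r"(?:\s+(?P<mincsn>[0-9a-f]{20}))?"
    r"(?:\s+(?P<maxcsn>[0-9a-f]{20}))?"
)

Finding = namedtuple("Finding", "rid server status lag_seconds")


def parse_ruv(ldapsearch_output):
    """Map replica id -> maxcsn (None if the element carries no CSN yet)."""
    ruv = {}
    for line in ldapsearch_output.splitlines():
        m = RUV_ELEMENT.search(line)
        if m:
            ruv[int(m["rid"])] = m["maxcsn"]
    return ruv


def csn_seconds(csn):
    """Leading 8 hex digits of a CSN: the originating server's clock, epoch seconds."""
    return int(csn[:8], 16)


def assess(before, after):
    """Compare two snapshots {server: ldapsearch output} taken a few minutes apart."""
    prev = {srv: parse_ruv(txt) for srv, txt in before.items()}
    cur = {srv: parse_ruv(txt) for srv, txt in after.items()}
    rids = sorted(set().union(*(r.keys() for r in cur.values())))
    findings = []
    for rid in rids:
        csns = [r[rid] for r in cur.values() if r.get(rid)]
        newest = max(csns) if csns else None  # highest maxcsn any server has seen
        for srv in sorted(cur):
            if rid not in cur[srv]:
                # RUVs differ in shape: this server has no element for the rid at all
                findings.append(Finding(rid, srv, "MISSING", None))
                continue
            csn = cur[srv][rid]
            if csn is None:
                findings.append(Finding(rid, srv, "NO_CSN", None))
            elif csn == newest:
                findings.append(Finding(rid, srv, "OK", 0))
            else:
                lag = csn_seconds(newest) - csn_seconds(csn)
                moved = prev.get(srv, {}).get(rid) != csn  # did maxcsn advance since 'before'?
                findings.append(Finding(rid, srv, "CATCHING_UP" if moved else "STUCK", lag))
    return findings


def exit_code(findings):
    """0: in sync or converging; 1: behind but moving; 2: stuck or inconsistent RUVs."""
    statuses = {f.status for f in findings}
    if statuses & {"STUCK", "MISSING", "NO_CSN"}:
        return 2
    return 1 if "CATCHING_UP" in statuses else 0


# Constructed snapshots in the shape of the thread's output (hostnames and CSNs made up).
SNAPSHOT_1 = {
    "ns01": (
        "nscpentrywsi: nsDS5ReplicaId: 96\n"
        "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} "
        "5711528b000000600000 599444dd000000600000\n"
        "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} "
        "5711529d000000610000 58deae97000500610000\n"
    ),
    "ns02": (
        "nscpentrywsi: nsDS5ReplicaId: 97\n"
        "nscpentrywsi: nsds50ruv: {replica 97 ldap://ns02.dev.example.net:389} "
        "5711529d000000610000 58deae97000500610000\n"
        "nscpentrywsi: nsds50ruv: {replica 96 ldap://ns01.dev.example.net:389} "
        "5711528b000000600000 595a8aff000100600000\n"
    ),
}
# A few minutes later ns01 has taken more writes (replica 96 advanced), while
# ns02 still reports the old maxcsn for replica 96: it is not moving forward.
SNAPSHOT_2 = {
    "ns01": SNAPSHOT_1["ns01"].replace("599444dd000000600000", "5994460d000300600000"),
    "ns02": SNAPSHOT_1["ns02"],
}

if __name__ == "__main__":
    import sys
    result = assess(SNAPSHOT_1, SNAPSHOT_2)
    for f in result:
        print(f"replica {f.rid} on {f.server}: {f.status} (lag {f.lag_seconds}s)")
    sys.exit(exit_code(result))  # feed this to zabbix_sender as in the thread
```

Feed it the output of the same RUV tombstone search run against every server, once per replicated suffix (o=ipaca and the domain suffix each carry their own RUV), captured twice a few minutes apart. A replica id reported STUCK on one server while OK on another is the pattern Anthony saw above: ns02 had not received ns01's changes, and the RUV alone looked unremarkable until the maxcsns were compared side by side over time.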