Re: [Freeipa-users] Test connectivity before joining domain

2014-10-27 Thread Rich Megginson

On 10/27/2014 06:13 AM, Innes, Duncan wrote:

> Hi,
> Have been using `ping` to test connectivity from our clients to the
> various IPA servers around the WAN before running an ldapsearch to
> pull some details about the client from the LDAP database.
> Several new VLANs have now come online that do not permit ping
> traffic to be transmitted outside the VLAN, so clients on these LANs
> think they can't see any of my IPA servers and then fail the domain
> join during the kickstart phase.
> Wondering if there's a consensus on how to check connectivity to IPA
> servers on the network?  Something that I can use during the kickstart
> post-install phase.
>
> Current effort is:
> wget --timeout=1 --tries=1 --no-check-certificate https://ipaserver1.example.com
> and then test $? for result.  But this only tests ports 80/443 - which
> authentication clients won't necessarily have access on.  Can I
> reliably test the other FreeIPA ports?  389, 636,

389: ldapsearch -xLLL -h ipaserver1.example.com -p 389 -s base -b ""

636: LDAPTLS_REQCERT=never ldapsearch -xLLL -H ldaps://ipaserver1.example.com -s base -b ""

> 88, 464?  These are the ports that clients have to be allowed access
> to the IPA servers.
>
> Cheers
> Duncan

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Test connectivity before joining domain

2014-10-27 Thread Simo Sorce
On Mon, 27 Oct 2014 12:13:46 -
Innes, Duncan duncan.in...@virginmoney.com wrote:

> Hi,
>
> Have been using `ping` to test connectivity from our clients to the
> various IPA servers around the WAN before running an ldapsearch to
> pull some details about the client from the LDAP database.
>
> Several new VLANs have now come online that do not permit ping
> traffic to be transmitted outside the VLAN, so clients on these LANs
> think they can't see any of my IPA servers and then fail the domain
> join during the kickstart phase.
>
> Wondering if there's a consensus on how to check connectivity to IPA
> servers on the network?  Something that I can use during the kickstart
> post-install phase.
>
> Current effort is:
>
> wget --timeout=1 --tries=1 --no-check-certificate https://ipaserver1.example.com
>
> and then test $? for result.  But this only tests ports 80/443 - which
> authentication clients won't necessarily have access on.  Can I
> reliably test the other FreeIPA ports?  389, 636, 88, 464?  These are
> the ports that clients have to be allowed access to the IPA servers.

Duncan,
if you know python you can look into the ipa-replica-install tool, as
it does a full check of accessibility. You do not need all those tests
(as you do not need connection back from the server for example). But
you can take inspiration there to see how we test each service.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
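
A TCP-level pre-check for the four ports named in this thread, written for a kickstart %post script. This is an added example, not code from the thread or from FreeIPA; the hostnames are placeholders and the function names and `PROBE` hook are hypothetical. It only confirms that a TCP connection opens: it does not exercise UDP on 88/464 and does not verify the server's identity.

```shell
#!/bin/bash
# Added example: TCP reachability pre-check for a kickstart %post script.
# Ports are the ones named in the thread; hostnames below are placeholders.
IPA_PORTS="389 636 88 464"
PROBE=${PROBE:-tcp_probe}          # hypothetical hook so the probe can be swapped
PROBE_TIMEOUT=${PROBE_TIMEOUT:-2}  # seconds per port

# Succeeds if a TCP connection to host:port completes within the timeout.
# Uses bash's /dev/tcp, so it needs neither ICMP nor extra packages.
tcp_probe() {
    timeout "$PROBE_TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Prints the ports on host $1 that could not be reached.
# Returns 0 only when every port in IPA_PORTS accepted a connection.
blocked_ports() {
    local host=$1 port blocked=""
    for port in $IPA_PORTS; do
        "$PROBE" "$host" "$port" || blocked="$blocked $port"
    done
    echo "${blocked# }"
    [ -z "$blocked" ]
}

# Prints the first server from the argument list with all ports reachable.
# Returns 1 if no server qualifies, so the caller can abort the join early.
first_reachable_server() {
    local host
    for host in "$@"; do
        if blocked_ports "$host" >/dev/null; then
            echo "$host"
            return 0
        fi
    done
    return 1
}

# Example use in %post (placeholder hostnames):
#   server=$(first_reachable_server ipaserver1.example.com ipaserver2.example.com) \
#       || { echo "no IPA server reachable on $IPA_PORTS" >&2; exit 1; }
```

When the check fails, logging the output of `blocked_ports` for each server shows which firewall rule is missing on the new VLAN.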
