Alex Corcoles via FreeIPA-users wrote: > On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein <joc...@jochen.org > <mailto:joc...@jochen.org>> wrote: > > I'm using https://github.com/peterpakos/checkipaconsistency > <https://github.com/peterpakos/checkipaconsistency> to monitor > my replicas. > > > Yeah, but I'm not exactly reassured by choosing on of the many plugins > out there- or running them all. It would be great to push for an > official check.
There are not that many plugins doing this that I know of. I'm pretty sure there is a nagios script that looks at the agreement in LDAP, or the output of ipa-replica-manage list -v `hostname` to look for replication issues. For a more full-blown view there is http://cnmonitor.sourceforge.net/ 389-ds instructions for this are at http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monitor-ldap-monitoring.html The team has talked about a monitoring script but for now Peter's script is filling the void. > > I'm might be willing to help, but I'd need documentation about what (and > how) to check, but that's basically 90% of the work. I would propose > assimilating the best-looking plugin out there and expanding it every > time sometime reports some broken thing that needs proactive fixing. > > Any way we can help this happen? > > Right now we had some problems with certificates not/halfway renewing, > so some tool to check LDAP against the different cert-stores might be > helpful. > > > $ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d") > > Actually changing "3 years" to something inferior to the margin FreeIPA > starts renewing certificates should warn you that something is amiss. Server certs in IPA are good for 2 years. We have in mind a tool to troubleshoot cert issues but haven't yet started work on it. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org