I know this is an old thread, but there are no changes to FreeIPA that
cnmonitor might conflict with are there?
On Thursday, February 1, 2018 1:34 PM, Rob Crittenden via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Alex Corcoles via FreeIPA-users wrote:
> On Thu, Feb 1, 2018 at 5:25 PM, Jochen Hein <joc...@jochen.org
> <mailto:joc...@jochen.org>> wrote:
>
> I'm using https://github.com/peterpakos/checkipaconsistency
> <https://github.com/peterpakos/checkipaconsistency> to monitor
> my replicas.
>
>
> Yeah, but I'm not exactly reassured by choosing on of the many plugins
> out there- or running them all. It would be great to push for an
> official check.
There are not that many plugins doing this that I know of.
I'm pretty sure there is a nagios script that looks at the agreement in
LDAP, or the output of ipa-replica-manage list -v `hostname` to look for
replication issues.
For a more full-blown view there is http://cnmonitor.sourceforge.net/
389-ds instructions for this are at
http://directory.fedoraproject.org/docs/389ds/howto/howto-cn-equals-monitor-ldap-monitoring.html
The team has talked about a monitoring script but for now Peter's script
is filling the void.
>
> I'm might be willing to help, but I'd need documentation about what (and
> how) to check, but that's basically 90% of the work. I would propose
> assimilating the best-looking plugin out there and expanding it every
> time sometime reports some broken thing that needs proactive fixing.
>
> Any way we can help this happen?
>
> Right now we had some problems with certificates not/halfway renewing,
> so some tool to check LDAP against the different cert-stores might be
> helpful.
>
>
> $ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")
>
> Actually changing "3 years" to something inferior to the margin FreeIPA
> starts renewing certificates should warn you that something is amiss.
Server certs in IPA are good for 2 years.
We have in mind a tool to troubleshoot cert issues but haven't yet
started work on it.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/UIEJ5BBTMILSUB67A6GJWD2HR5PRESLL/
