Hallo,

right now checkipaconsistency reports an error when not all IPA servers
have AD trust enabled.  My first two IPA servers running CentOS 7 do
have KRA enabled, but installing KRA on a new CentOS 8 replica failed.
Would it be useful to check that in checkipaconsistency?

If yes, here's my first shot at it.

diff --git a/checkipaconsistency/freeipaserver.py 
b/checkipaconsistency/freeipaserver.py
index bdefe70..a58419b 100644
--- a/checkipaconsistency/freeipaserver.py
+++ b/checkipaconsistency/freeipaserver.py
@@ -49,6 +49,7 @@ class FreeIPAServer(object):
         self.ghosts = None
         self.bind = None
         self.msdcs = None
+        self.kra = None
         self.replicas = None
         self.healthy_agreements = False
 
@@ -94,6 +95,7 @@ class FreeIPAServer(object):
         self.conflicts = self._count_ldap_conflicts()
         self.ghosts = self._ghost_replicas()
         self.bind = self._anon_bind()
+        self.kra = self._kra()
         self.msdcs = self._ms_adtrust()
         self.replicas, self.healthy_agreements = self._replication_agreements()
 
@@ -385,6 +387,25 @@ class FreeIPAServer(object):
         self._log.debug(r)
         return r
 
+    def _kra(self):
+        self._log.debug('Checking KRA...%s' % self._fqdn)
+       r = False
+        results = self._search(
+            'cn=KRA,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % ( self._fqdn , 
self._base_dn),
+            '(ipaConfigString=*)',
+            ['ipaConfigString']
+        )
+        self._log.debug(results)
+        if type(results) == list and len(results) > 0:
+            #dn, attrs = results[0]
+
+            #e = attrs['ipaConfigString'][1].decode('utf-8')
+            #r = e['enabledService'].decode('utf-8')
+            r = True
+        else:
+            r = False
+        return r
+
     def _ms_adtrust(self):
         self._log.debug('Checking for MS ADTrust DNS records...')
         record = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.%s' 
% self._domain
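Review bot: `_kra()` returns True for any entry under `cn=KRA,cn=<fqdn>,cn=masters,...` that carries some `ipaConfigString` value, so a replica whose KRA entry exists but is not enabled (for example one left behind by a failed install) would be reported the same as a working one; the commented-out lines suggest that inspecting the value was the intent. Narrowing the filter to `'(ipaConfigString=enabledService)'` would make the result reflect the enabled state, after which the dead comments and the redundant `else: r = False` branch can be dropped. The first `r = False` line, right after the debug call, is indented one column less than its neighbours as shown here, which would raise an IndentationError unless that is only mail-client damage. `isinstance(results, list)` is preferable to `type(results) == list`, and a one-line docstring such as `"""Return True if this master has an enabled KRA service entry."""` would document the boolean result.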
diff --git a/checkipaconsistency/main.py b/checkipaconsistency/main.py
index 858b89a..242418e 100755
--- a/checkipaconsistency/main.py
+++ b/checkipaconsistency/main.py
@@ -134,6 +134,7 @@ class Main(object):
             ('ghosts', 'Ghost Replicas'),
             ('bind', 'Anonymous BIND'),
             ('msdcs', 'Microsoft ADTrust'),
+            ('kra', 'KRA Status'),
             ('replicas', 'Replication Status')
         ])
 
@@ -156,7 +157,7 @@ class Main(object):
         parser.add_argument('-n', nargs='?', dest='nagios_check', help='Nagios 
plugin mode', default='not_set',
                             choices=['', 'all', 'users', 'susers', 'pusers', 
'hosts', 'services', 'ugroups', 'hgroups',
                                      'ngroups', 'hbac', 'sudo', 'zones', 
'certs', 'conflicts', 'ghosts', 'bind',
-                                     'msdcs', 'replicas'])
+                                     'msdcs', 'kra', 'replicas'])
         parser.add_argument('-w', '--warning', type=int, dest='warning',
                             default=1, help='number of failed checks before 
warning (default: %(default)s)')
         parser.add_argument('-c', '--critical', type=int, dest='critical',

Jochen

-- 
This space is intentionally left blank.