Hallo, right now checkipaconsistency reports an error when not all IPA servers have AD trust enabled. My first two IPA servers running CentOS 7 do have KRA enabled, but installing KRA on a new CentOS 8 replica failed. Would it be useful to also check KRA status in checkipaconsistency?
If yes, here's my first shot at it.
diff --git a/checkipaconsistency/freeipaserver.py b/checkipaconsistency/freeipaserver.py
index bdefe70..a58419b 100644
--- a/checkipaconsistency/freeipaserver.py
+++ b/checkipaconsistency/freeipaserver.py
@@ -49,6 +49,7 @@ class FreeIPAServer(object):
 self.ghosts = None
 self.bind = None
 self.msdcs = None
+ self.kra = None
 self.replicas = None
 self.healthy_agreements = False
@@ -94,6 +95,7 @@ class FreeIPAServer(object):
 self.conflicts = self._count_ldap_conflicts()
 self.ghosts = self._ghost_replicas()
 self.bind = self._anon_bind()
+ self.kra = self._kra()
 self.msdcs = self._ms_adtrust()
 self.replicas, self.healthy_agreements = self._replication_agreements()
@@ -385,6 +387,25 @@ class FreeIPAServer(object):
 self._log.debug(r)
 return r
+ def _kra(self):
+ self._log.debug('Checking KRA...%s' % self._fqdn)
+ r = False
+ results = self._search(
+ 'cn=KRA,cn=%s,cn=masters,cn=ipa,cn=etc,%s' % ( self._fqdn , self._base_dn),
+ '(ipaConfigString=*)',
+ ['ipaConfigString']
+ )
+ self._log.debug(results)
+ if type(results) == list and len(results) > 0:
+ #dn, attrs = results[0]
+
+ #e = attrs['ipaConfigString'][1].decode('utf-8')
+ #r = e['enabledService'].decode('utf-8')
+ r = True
+ else:
+ r = False
+ return r
+
 def _ms_adtrust(self):
 self._log.debug('Checking for MS ADTrust DNS records...')
 record = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.%s' % self._domain
diff --git a/checkipaconsistency/main.py b/checkipaconsistency/main.py
index 858b89a..242418e 100755
--- a/checkipaconsistency/main.py
+++ b/checkipaconsistency/main.py
@@ -134,6 +134,7 @@ class Main(object):
 ('ghosts', 'Ghost Replicas'),
 ('bind', 'Anonymous BIND'),
 ('msdcs', 'Microsoft ADTrust'),
+ ('kra', 'KRA Status'),
 ('replicas', 'Replication Status')
 ])
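Review bot: In the `_kra()` hunk of freeipaserver.py (`@@ -385,6 +387,25 @@`), the filter `(ipaConfigString=*)` makes the check return True whenever the `cn=KRA` entry under the server carries any ipaConfigString value, so it reports that the entry exists rather than that the service is enabled. The commented-out lines show `enabledService` was the value of interest; matching it in the filter, `'(ipaConfigString=enabledService)',`, would test that directly and let the dead comments be dropped. This matters for the case described in the mail: a KRA install that failed partway may have left an entry behind (not verifiable from the diff), and that replica would then be shown as having KRA. The tail of the method can then shrink to `return isinstance(results, list) and len(results) > 0`, which also replaces the `type(results) == list` comparison and the redundant `r = False` assignments; what `_search` returns on a missing entry is outside the hunk and should be confirmed.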
@@ -156,7 +157,7 @@ class Main(object): parser.add_argument('-n', nargs='?', dest='nagios_check', help='Nagios plugin mode', default='not_set', choices=['', 'all', 'users', 'susers', 'pusers', 'hosts', 'services', 'ugroups', 'hgroups', 'ngroups', 'hbac', 'sudo', 'zones', 'certs', 'conflicts', 'ghosts', 'bind', - 'msdcs', 'replicas']) + 'msdcs', 'kra', 'replicas']) parser.add_argument('-w', '--warning', type=int, dest='warning', default=1, help='number of failed checks before warning (default: %(default)s)') parser.add_argument('-c', '--critical', type=int, dest='critical', Jochen -- This space is intentionally left blank.