Hi List, I use ipa_check_consistency <https://github.com/peterpakos/checkipaconsistency/tree/v1.3.0> as one of my Nagios monitors. It runs every 5 minutes on each ipa server. For example:
[root@ipa0 ~]# /usr/local/sbin/ipa_check_consistency -d example.com -H ipa0 Directory Manager password: FreeIPA servers: ipa0 STATE ================================= Active Users 1422 OK Stage Users 0 OK Preserved Users 10 OK User Groups 75 OK Hosts 848 CRITICAL Host Groups 39 OK HBAC Rules 593 OK SUDO Rules 8 OK DNS Zones 16 OK Certificates 244 OK LDAP Conflicts NO OK Ghost Replicas NO OK Anonymous BIND YES OK Replication Status ipa2 0 OK ipa1 0 ipa3 0 ipa5 0 ================================= [root@ipa0 ~]# All ipa servers report OK for all components but there is one ipa server which alerts CRITICAL everyday multiple times. The inconsistency alers are in different components, for example, "Hosts", "Active Users", and so on, however, it never alerts for "Replication Status" and "LDAP Conflicts". This is also the only ipa server within the domain which I see "Timed out" like the following in its /var/log/dirsrv/slapd-EXAMPLE-COM/errors log: [14/Sep/2021:06:55:40.694662470 -0700] - ERR - slapd_poll - (429) - Timed out [14/Sep/2021:16:08:45.441598637 -0700] - ERR - slapd_poll - (1211) - Timed out [14/Sep/2021:16:08:55.452150573 -0700] - ERR - slapd_poll - (1211) - Timed out [14/Sep/2021:16:09:05.460069764 -0700] - ERR - slapd_poll - (1211) - Timed out However, the timestamps of the above may not match when ipa_check_consistency alerts. This ipa server's OS is Centos 7-8.2003.0 and IPA version is 4.6.8, API: 2.237. [root@ipa0 ~]# rpm -qa 389\* 389-ds-base-snmp-1.3.10.1-14.el7_8.x86_64 389-ds-base-libs-1.3.10.1-14.el7_8.x86_64 389-ds-base-1.3.10.1-14.el7_8.x86_64 [root@ipa0 ~]# rpm -qa slapi\* slapi-nis-0.56.0-13.el7.x86_64 [root@ipa0 ~]# This may not be the same issue or connected. However, I feel that something in its configuration is not correct with this ipa server but do not know what. Since I have other ipa servers which have the same OS, ipa version and so on but do not exhibit this behavior. Does anyone have any ideas for troubleshooting? Thanks! Kathy.
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure