Formerly known as ipa_check_consistency and check_ipa_consistency
The tool can be used as a standalone consistency checker as well as a
Nagios/Opsview plug-in (check Nagios section below <#nagios-plug-in-mode>__ for more info).
The script was originally written and then developed in BASH (until
version
v1.3.0 <https://github.com/peterpakos/checkipaconsistency/tree/v1.3.0>__)
and eventually ported to Python in v2.0.0.
It has been tested with multiple FreeIPA 4.2+ deployments across a range of operating systems.
Requirements:
requirements.txt <https://github.com/peterpakos/checkipaconsistency/blob/master/requirements.txt>__If you spot any problems or have any improvement ideas then feel free to open an issue and I will be glad to look into it for you.
A recommended way of installing the tool is pip install.
Once installed, a command line tool cipa should be available in your
system's PATH.
WARNING: Never attempt pip install as root!
**If you do, pip will install new dependencies globally and override
existing packages with potentially incompatible versions. This is
particularly important when installing ``cipa`` on a machine running
FreeIPA server.**
**You should either install the package as an unprivileged user with
``pip install --user`` or use a virtual environment.**
pip install
~~~~~~~~~~~
Please note, in RHEL/CentOS systems you may need to install the
following packages:
::
$ sudo yum install python-devel openldap-devel
The tool is available in PyPI and can be installed using pip:
::
$ pip install --user checkipaconsistency
$ cipa --help
Manual install
~~~~~~~~~~~~~~
Run the following command to install required Python modules:
::
$ git clone https://github.com/peterpakos/checkipaconsistency.git
$ cd checkipaconsistency
$ pip install --user -r requirements.txt
$ ./cipa --help
Configuration
-------------
By default, the tool reads its configuration from
``~/.config/checkipaconsistency`` file (the location can be overridden
by setting environment variable ``XDG_CONFIG_HOME``). If the config file
(or directory) does not exist then it will be automatically created and
populated with sample config upon the next run. Alternatively, you can
specify all required options directly from the command line.
Help
----
::
$ cipa --help
usage: cipa [-H [HOSTS [HOSTS ...]]] [-d [DOMAIN]] [-D [BINDDN]] [-W [BINDPW]]
[--help] [--version] [--debug] [--verbose] [--quiet]
[-l [LOG_FILE]] [--no-header] [--no-border]
[-n [{,all,users,susers,pusers,hosts,services,ugroups,hgroups,ngroups,hbac,sudo,zones,certs,conflicts,ghosts,bind,msdcs,replicas}]]
[-w WARNING] [-c CRITICAL]
Tool to check consistency across FreeIPA servers
optional arguments:
-H [HOSTS [HOSTS ...]], --hosts [HOSTS [HOSTS ...]]
list of IPA servers
-d [DOMAIN], --domain [DOMAIN]
IPA domain
-D [BINDDN], --binddn [BINDDN]
Bind DN (default: cn=Directory Manager)
-W [BINDPW], --bindpw [BINDPW]
Bind password
--help show this help message and exit
--version show program's version number and exit
--debug debugging mode
--verbose verbose mode
--quiet do not log to console
-l [LOG_FILE], --log-file [LOG_FILE]
log to file (./cipa.log by default)
--no-header disable table header
--no-border disable table border
-n [{,all,users,susers,pusers,hosts,services,ugroups,hgroups,ngroups,hbac,sudo,zones,certs,conflicts,ghosts,bind,msdcs,replicas}]
Nagios plugin mode
-w WARNING, --warning WARNING
number of failed checks before warning (default: 1)
-c CRITICAL, --critical CRITICAL
Example
-------
::
$ cipa -d ipa.example.com -W ********
+--------------------+----------+----------+----------+-----------+----------+----------+-------+
| FreeIPA servers: | ipa01 | ipa02 | ipa03 | ipa04 | ipa05 | ipa06 | STATE |
+--------------------+----------+----------+----------+-----------+----------+----------+-------+
| Active Users | 1199 | 1199 | 1199 | 1199 | 1199 | 1199 | OK |
| Stage Users | 0 | 0 | 0 | 0 | 0 | 0 | OK |
| Preserved Users | 0 | 0 | 0 | 0 | 0 | 0 | OK |
| Hosts | 357 | 357 | 357 | 357 | 357 | 357 | OK |
| Services | 49 | 49 | 49 | 49 | 49 | 49 | OK |
| User Groups | 55 | 55 | 55 | 55 | 55 | 55 | OK |
| Host Groups | 29 | 29 | 29 | 29 | 29 | 29 | OK |
| Netgroups | 11 | 11 | 11 | 11 | 11 | 11 | OK |
| HBAC Rules | 3 | 3 | 3 | 3 | 3 | 3 | OK |
| SUDO Rules | 2 | 2 | 2 | 2 | 2 | 2 | OK |
| DNS Zones | 114 | 114 | 114 | 114 | 114 | 114 | OK |
| Certificates | 0 | 0 | 0 | 0 | 0 | 0 | OK |
| LDAP Conflicts | 0 | 0 | 0 | 0 | 0 | 0 | OK |
| Ghost Replicas | 0 | 0 | 0 | 0 | 0 | 0 | OK |
| Anonymous BIND | ON | ON | ON | ON | ON | ON | OK |
| Microsoft ADTrust | False | False | False | False | False | False | OK |
| Replication Status | ipa03 0 | ipa03 0 | ipa04 0 | ipa03 0 | ipa03 0 | ipa04 0 | OK |
| | ipa04 0 | ipa04 0 | ipa05 0 | ipa01 0 | ipa01 0 | | |
| | ipa05 0 | ipa05 0 | ipa01 0 | ipa02 0 | ipa02 0 | | |
| | ipa02 0 | ipa01 0 | ipa02 0 | ipa06 0 | | | |
+--------------------+----------+----------+----------+-----------+----------+----------+-------+
Debug mode
----------
If you experience any problems with the tool, try running it in debug
mode:
::
$ cipa --debug
2017-12-22 20:05:04,494 [main] DEBUG Namespace(binddn=None, bindpw=None, critical=2, debug=True, disable_border=False, disable_header=False, domain=None, hosts=None, log_file=None, nagios_check=None, quiet=False, warning=1)
2017-12-22 20:05:04,494 [main] DEBUG Initialising...
2017-12-22 20:05:04,494 [main] DEBUG Config file not found at /Users/peter/.config/checkipaconsistency
2017-12-22 20:05:04,494 [main] INFO Initial config saved to /Users/peter/.config/checkipaconsistency - PLEASE EDIT IT!
2017-12-22 20:05:04,495 [main] CRITICAL IPA domain not set
For more verbosity use ``--debug --verbose`` arguments.
Nagios plug-in mode
-------------------
The tool can be easily transformed into a Nagios/Opsview check:
::
$ pip install checkipaconsistency
$ su - nagios
$ vim ~/.config/checkipaconsistency
$ ln -s `which cipa` /usr/local/nagios/libexec/check_ipa_consistency
Perform all checks using default warning/critical thresholds:
::
$ /usr/local/nagios/libexec/check_ipa_consistency -n all
OK - 15/15 checks passed
Perform specific check with custom alerting thresholds:
::
$ /usr/local/nagios/libexec/check_ipa_consistency -n users -w 2 -c3
OK - Active Users
LDAP Conflicts
~~~~~~~~~~~~~~
Normally conflicting changes between replicas are resolved automatically
(the most recent change takes precedence). However, there are cases
where manual intervention is required. If you see LDAP conflicts in the
output of this script, you need to find the conflicting entries and
decide which of them should be preserved/deleted.
More information on solving common replication conflicts can be found
`here <https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts>`__.
FAQs
Tool to check consistency across FreeIPA servers
We found that checkipaconsistency demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
npm now supports Trusted Publishing with OIDC, enabling secure package publishing directly from CI/CD workflows without relying on long-lived tokens.
Research
/Security News
A RubyGems malware campaign used 60 malicious packages posing as automation tools to steal credentials from social media and marketing tool users.
Security News
The CNA Scorecard ranks CVE issuers by data completeness, revealing major gaps in patch info and software identifiers across thousands of vulnerabilities.