
Nagios plugin to check (Free)IPA replication

In this use case there are 4 IPA servers, all masters, replicating among themselves: ldap01 replicates with ldap02 and ldap03; ldap02 replicates with ldap01; ldap03 replicates with ldap01 and ldap04; ldap04 replicates with ldap03.
These are some of the commands to review this (this is for domain level 0):
 

# ipa domainlevel-get
-----------------------
Current domain level: 0
-----------------------

To list all masters:
 

[root@ldap01 ~]# /sbin/ipa-replica-manage list
Directory Manager password: type-passwd
ldap02: master
ldap03: master
ldap04: master
ldap01: master

List a server's replication agreements (-v for verbose):
 

[root@ca-ldap01 ~]# /sbin/ipa-replica-manage -v list ldap01
ldap02: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-08-15 20:15:22+00:00
ldap03: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-08-15 20:15:22+00:00

List the replica IDs in use:
 

[root@ldap01 ~]# /sbin/ipa-replica-manage list-ruv
Replica Update Vectors:
    ldap01:389: 4
    ldap04:389: 16
    ldap03:389: 15
    ldap02:389: 18
Certificate Server Replica Update Vectors:
    ldap02:389: 56
    ldap03:389: 66
    ldap01:389: 96
    ldap04:389: 1195

For example, if replication from ldap01 to ldap03 is broken, you can SSH to ldap03 and manually force replication from ldap01 to ldap03.
 

[root@ldap03] ipa-replica-manage -v force-sync --from=ldap01

This is the Nagios plugin that reports whether replication has failed.
 

#!/bin/bash
# nagios plugin to check replica of IPA server
# Replica status numbers
# https://directory.fedoraproject.org/docs/389ds/FAQ/replication-update-status.html

# array example:
# arr=(Hello World)
# echo ${arr[0]}    # print first item (Hello)
# echo ${arr[*]}    # All of the items in the array (Hello World)
# echo ${!arr[*]}   # All of the indexes in the array (0 1)
# echo ${#arr[*]}   # Number of items in the array (2)
# echo ${#arr[0]}   # Length of item zero (5)
# ---------------------------------------------

# Nagios plugin return values
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# end script with output
endscript () {
    echo "${RESULT}"
    exit ${EXIT_STATUS}
}

# check if server is IPA
systemctl status -l ipa.service > /dev/null
exitstatus_systemctl=$?
ipactl status > /dev/null
exitstatus_ipactl=$?
if [ ${exitstatus_systemctl} -ne 0 -a ${exitstatus_ipactl} -ne 0 ]; then
#if [ $? -ne 0 ]; then
    RESULT="I am not IPA server" ; EXIT_STATUS=3
    endscript
fi

thisserver=`hostname`

# IPA Directory Manager's password is stored base64-encoded and decoded here
# ("qwerty" stands in for the real base64 string).
# base64 is an encoding, not encryption: anyone who can read this script can
# recover the password, so keep the file readable only by the user that runs
# the check. The -p option also puts the password on the command line, where
# it is visible in the process list while the command runs.
ipa_passwd=`echo "qwerty" | openssl enc -base64 -d`

# get servers that participate in replication
listservers=`/sbin/ipa-replica-manage -p "${ipa_passwd}" \
    list -v ${thisserver} | grep -E 'replica$' | awk -F: '{print $1}'` > /dev/null
replicastatus=`/sbin/ipa-replica-manage -p "${ipa_passwd}" \
    list -v ${thisserver} | grep "last update status" | awk -F\( '{print $2}' | awk -F\) '{print $1}'` > /dev/null

listserversarray=(${listservers})
server_index=${!listserversarray[*]}              #; echo ${server_index}
replicastatusarray=(${replicastatus})
replica_status_index=${!replicastatusarray[*]}    #; echo ${replica_status_index}
#
#echo Server are: ${listserversarray[*]}             # All of the items in the array
#echo Replica status are: ${replicastatusarray[*]}   # All of the items in the array

# initial replica status is okay
total_status=OKAY

# for each server, check its status, if some is not zero, then total is not okay
# https://directory.fedoraproject.org/docs/389ds/FAQ/replication-update-status.html#general-send_updates-result
# 16,17,18 are okay exit status
# Anchored alternation: the whole code must be 0, 16, 17 or 18.
# (A bracket expression like [0|16|17|18] is a character class and would
# match any code that merely contains one of those characters, e.g. 10 or -1.)
ok_error='^(0|16|17|18)$'
for i in ${server_index}
do
    # regex match against the whole status code
    if [[ ! ${replicastatusarray[${i}]} =~ ${ok_error} ]]; then
        total_status=NOT_OKAY
    fi
done
#
# now assign values to RESULT and EXIT_STATUS
if [ ${total_status} = OKAY ]; then
    RESULT=`echo -n "Replica status: "
        for i in ${server_index}
        do
            echo -n " ${listserversarray[${i}]} (${replicastatusarray[${i}]}) "
        done
    `
    EXIT_STATUS=${STATE_OK}
else
    RESULT=`echo -n "Replica status: "
        for i in ${server_index}
        do
            echo -n " ${listserversarray[${i}]} (${replicastatusarray[${i}]}) "
        done
    `
    EXIT_STATUS=${STATE_WARNING}
fi
endscript

If you run this manually, outside of Nagios, expect this result:
 

[root@ldap03 ~]# nagioscheck-ipa-replication.sh
ipa: INFO: The ipactl command was successful
Replica status: ldap01.domain.ca (0) ldap04.domain.ca (16)
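
The parsing step of the plugin, as an added example that is not part of the original script: host and status code are read in one pass so they cannot misalign, the code must equal 0, 16, 17 or 18 exactly, and the check goes beyond the original by returning UNKNOWN when an agreement has no parsable status. The function name check_replicas and the sample listing (including code 10 and its text) are constructed for illustration.

```bash
#!/bin/bash
# Added example (not the original plugin): classify the verbose listing of
# `ipa-replica-manage -v list <server>` read from stdin.
# Returns a Nagios state: 0 OK, 1 WARNING, 3 UNKNOWN.
check_replicas() {
    awk '
    # "<host>: replica" opens a new replication agreement
    NF == 2 && $2 == "replica" && $1 ~ /:$/ {
        host = substr($1, 1, length($1) - 1); hosts++; next
    }
    # take the numeric code from "last update status: Error (N) ..."
    /last update status:/ && match($0, /\(-?[0-9]+\)/) {
        code = substr($0, RSTART + 1, RLENGTH - 2)
        seen++
        summary = summary " " host "(" code ")"
        # The whole code must equal 0, 16, 17 or 18. An unanchored bracket
        # expression such as [0|16|17|18] is a character class and would
        # also accept codes like 10 or -1.
        if (code !~ /^(0|16|17|18)$/) bad++
    }
    END {
        # fail closed: no agreements, or an agreement without a status code
        if (seen == 0 || seen != hosts) {
            print "UNKNOWN: could not parse a status for every agreement"
            exit 3
        }
        if (bad > 0) { print "WARNING: replica status:" summary; exit 1 }
        print "OK: replica status:" summary
    }'
}

# Constructed sample listing, modelled on the verbose output shown earlier.
# Code 10 and its message text are made up for the failing case.
SAMPLE='ldap01.domain.ca: replica
  last init status: None
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-08-15 20:15:22+00:00
ldap04.domain.ca: replica
  last init status: None
  last update status: Error (10) constructed failure text
  last update ended: 2018-08-15 20:15:22+00:00'

printf '%s\n' "$SAMPLE" | check_replicas || echo "plugin exit status: $?"
```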
