To check the current domain level:

```
# ipa domainlevel-get
-----------------------
Current domain level: 0
-----------------------
```

To list all masters:

```
[root@ldap01 ~]# /sbin/ipa-replica-manage list
Directory Manager password: type-passwd

ldap02: master
ldap03: master
ldap04: master
ldap01: master
```

List a server's replication agreements (-v for verbose):

```
[root@ca-ldap01 ~]# /sbin/ipa-replica-manage -v list ldap01
ldap02: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-08-15 20:15:22+00:00
ldap03: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2018-08-15 20:15:22+00:00
```

List replication IDs in use:

```
[root@ldap01 ~]# /sbin/ipa-replica-manage list-ruv
Replica Update Vectors:
        ldap01:389: 4
        ldap04:389: 16
        ldap03:389: 15
        ldap02:389: 18
Certificate Server Replica Update Vectors:
        ldap02:389: 56
        ldap03:389: 66
        ldap01:389: 96
        ldap04:389: 1195
```

For example, if replication from ldap01 to ldap03 is broken, you can SSH to ldap03 and manually force replication from ldap01 to ldap03:

```
[root@ldap03] ipa-replica-manage -v force-sync --from=ldap01
```

This is a Nagios plugin that reports if replication fails:

```bash
#!/bin/bash
# Nagios plugin to check replication of an IPA server
# Replica status numbers:
# https://directory.fedoraproject.org/docs/389ds/FAQ/replication-update-status.html

# array example:
# arr=(Hello World)
# echo ${arr[0]}   # print first item (Hello)
# echo ${arr[*]}   # All of the items in the array (Hello World)
# echo ${!arr[*]}  # All of the indexes in the array (0 1)
# echo ${#arr[*]}  # Number of items in the array (2)
# echo ${#arr[0]}  # Length of item zero (5)
# ---------------------------------------------

# Nagios plugin return values
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3
STATE_DEPENDENT=4

# end script with output
endscript () {
    echo "${RESULT}"
    exit "${EXIT_STATUS}"
}

# check if server is IPA
systemctl status -l ipa.service > /dev/null
exitstatus_systemctl=$?
ipactl status > /dev/null
exitstatus_ipactl=$?
if [ "${exitstatus_systemctl}" -ne 0 ] && [ "${exitstatus_ipactl}" -ne 0 ]; then
    RESULT="I am not IPA server"
    EXIT_STATUS=${STATE_UNKNOWN}
    endscript
fi

thisserver=$(hostname)

# The IPA Directory Manager password is stored base64-encoded and decoded here.
# Base64 is an encoding, not encryption: anyone who can read this script can
# recover the password, and -p below exposes it in the process list while
# ipa-replica-manage runs. Restrict read access to this file accordingly.
ipa_passwd=$(echo "qwerty" | openssl enc -base64 -d)

# get servers that participate in replication
listservers=$(/sbin/ipa-replica-manage -p "${ipa_passwd}" \
    list -v "${thisserver}" | grep -E 'replica$' | awk -F: '{print $1}')
# get the numeric code from each "last update status: Error (N) ..." line
replicastatus=$(/sbin/ipa-replica-manage -p "${ipa_passwd}" \
    list -v "${thisserver}" | grep "last update status" | awk -F\( '{print $2}' | awk -F\) '{print $1}')

listserversarray=(${listservers})
server_index=${!listserversarray[*]}                #; echo ${server_index}
replicastatusarray=(${replicastatus})
replica_status_index=${!replicastatusarray[*]}      #; echo ${replica_status_index}
#
#echo Server are: ${listserversarray[*]}            # All of the items in the array
#echo Replica status are: ${replicastatusarray[*]}  # All of the items in the array

# initial replica status is okay
total_status=OKAY

# for each server, check its status, if some is not zero, then total is not okay
# https://directory.fedoraproject.org/docs/389ds/FAQ/replication-update-status.html#general-send_updates-result
# 16,17,18 are okay exit status
# anchored alternation, so only exactly 0, 16, 17 or 18 match
ok_error='^(0|16|17|18)$'
for i in ${server_index}
do
    if [[ ! ${replicastatusarray[${i}]} =~ ${ok_error} ]]; then
        total_status=NOT_OKAY
    fi
done

# now assign values to RESULT and EXIT_STATUS
RESULT=$(echo -n "Replica status: "
    for i in ${server_index}
    do
        echo -n " ${listserversarray[${i}]} (${replicastatusarray[${i}]}) "
    done)
if [ "${total_status}" = OKAY ]; then
    EXIT_STATUS=${STATE_OK}
else
    EXIT_STATUS=${STATE_WARNING}
fi
endscript
```

If you run this manually, outside of Nagios, expect this result:

```
[root@ldap03 ~]# nagioscheck-ipa-replication.sh
ipa: INFO: The ipactl command was successful
Replica status: ldap01.domain.ca (0) ldap04.domain.ca (16)
```
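The following is an added example, not the page's plugin: a parser for the `ipa-replica-manage -v list` output shown above that keeps each replica paired with its own status code, compares the accepted codes exactly, and returns UNKNOWN when nothing could be parsed (for instance after a failed bind) instead of reporting OK. The function name `check_replica_output` and the sample text are assumptions; the function reads the command output on stdin, so it runs without an IPA server.

```bash
#!/bin/bash
# Added example, not the page's plugin. Reads `ipa-replica-manage -v list <host>`
# output on stdin, prints one Nagios line, returns the Nagios state (0, 1 or 3).
check_replica_output() {
    awk '
        function record() {
            out = out " " host " (" code ")"
            n++
            # exact comparison: 0 is success, 16/17/18 are the codes the page accepts
            if (code != "0" && code != "16" && code != "17" && code != "18") bad++
        }
        /: replica$/ {                      # "ldap02: replica" opens a new block
            if (host != "") record()
            host = $0; sub(/: replica$/, "", host)
            code = "?"                      # stays "?" if no status line follows
        }
        /last update status:/ && host != "" {
            # number inside the first "(...)", e.g. "Error (0) Replica acquired ..."
            if (match($0, /\(-?[0-9]+\)/))
                code = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END {
            if (host != "") record()
            if (n == 0) {                   # empty or unparsable output: fail closed
                print "Replica status: UNKNOWN - no replication agreements parsed"
                exit 3
            }
            print "Replica status:" out
            exit (bad > 0 ? 1 : 0)          # WARNING on any bad code, as in the page plugin
        }'
}

# Constructed sample in the layout of the -v list output; code 1 is made up.
SAMPLE='ldap02: replica
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
ldap03: replica
  last update status: Error (1) constructed failure text'
printf '%s\n' "$SAMPLE" | check_replica_output || echo "Nagios state: $?"
```

In a real check the input would come from `/sbin/ipa-replica-manage -v list "$(hostname)"` piped into the function.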