peterpakos / checkipaconsistency

Tool to check consistency across FreeIPA servers
https://pypi.python.org/pypi/checkipaconsistency
GNU General Public License v3.0

hidden replica not reported as ghost #79

Open grantjanssen opened 1 year ago

grantjanssen commented 1 year ago

Expected behaviour

ipa_check_consistency shows the radius01 hidden replica in Replication Status, but nowhere else (it does not appear as a Ghost Replica). A hidden replica by its nature does not have an SRV record. I went ahead and added SRV LDAP records; then it was listed as a server, but Ghost Replica still comes up empty.

Actual behaviour

grant@radius01:~[20221118-7:11][#110]$ ipa_check_consistency -version 
ipa_check_consistency version 17.2.21a
grant@radius01:~[20221118-7:12][#111]$ ipa_check_consistency -d PRODUCTION.EFILM.COM -W ************
FreeIPA servers:    ef-idm01    ef-idm02    ef-idm03    ef-idm04    radius01    STATE
=====================================================================================
Active Users        349         349         349         349         349         OK   
Stage Users         7           7           7           7           7           OK   
Preserved Users     5           5           5           5           5           OK   
User Groups         42          42          42          42          42          OK   
Hosts               423         423         423         423         423         OK   
Host Groups         23          23          23          23          23          OK   
HBAC Rules          9           9           9           9           9           OK   
SUDO Rules          35          35          35          35          35          OK   
DNS Zones           ERROR       ERROR       ERROR       ERROR       ERROR       OK   
LDAP Conflicts      NO          NO          NO          NO          NO          OK   
Ghost Replicas      NO          NO          NO          NO          NO          OK   
Anonymous BIND      YES         YES         YES         YES         YES         OK   
Replication Status  ef-idm02 0  ef-idm03 0  ef-idm02 0  ef-idm01 0  ef-idm01 0       
                    ef-idm03 0  ef-idm01 0  ef-idm01 0                               
                    ef-idm04 0                                                       
                    radius01 0                                                       
=====================================================================================
grant@radius01:~[20221118-7:14][#112]$

Version of the project

17.2.21a

Version of the FreeIPA

ipa-server-4.9.10-6.module_el8

Version of the Operating System

AlmaLinux release 8.7

grantjanssen commented 1 year ago

I went ahead and fetched the new Python implementation, but it still does not show any Ghost Replicas.

grant@radius01:~/checkipaconsistency[20221118-9:50][#131]$ more checkipaconsistency/__version__.py 
__version__ = "2.7.11"
grant@radius01:~/checkipaconsistency[20221118-9:50][#132]$ ./cipa
+--------------------+------------+------------+------------+------------+------------+-------+
| FreeIPA servers:   | ef-idm01   | ef-idm02   | ef-idm03   | ef-idm04   | radius01   | STATE |
+--------------------+------------+------------+------------+------------+------------+-------+
| Active Users       | 349        | 349        | 349        | 349        | 349        | OK    |
| Stage Users        | 7          | 7          | 7          | 7          | 7          | OK    |
| Preserved Users    | 5          | 5          | 5          | 5          | 5          | OK    |
| Hosts              | 420        | 420        | 420        | 420        | 420        | OK    |
| Services           | 17         | 17         | 17         | 17         | 17         | OK    |
| User Groups        | 42         | 42         | 42         | 42         | 42         | OK    |
| Host Groups        | 23         | 23         | 23         | 23         | 23         | OK    |
| Netgroups          | 24         | 24         | 24         | 24         | 24         | OK    |
| HBAC Rules         | 9          | 9          | 9          | 9          | 9          | OK    |
| SUDO Rules         | 35         | 35         | 35         | 35         | 35         | OK    |
| DNS Zones          | 0          | 0          | 0          | 0          | 0          | OK    |
| Certificates       | 287        | 287        | 287        | 287        | 287        | OK    |
| LDAP Conflicts     | 0          | 0          | 2          | 0          | 0          | FAIL  |
| Ghost Replicas     | 0          | 0          | 0          | 0          | 0          | OK    |
| Anonymous BIND     | ON         | ON         | ON         | ON         | ON         | OK    |
| Microsoft ADTrust  | False      | False      | False      | False      | False      | OK    |
| Replication Status | ef-idm02 0 | ef-idm03 0 | ef-idm02 0 | ef-idm01 0 | ef-idm01 0 | OK    |
|                    | ef-idm03 0 | ef-idm01 0 | ef-idm01 0 |            |            |       |
|                    | ef-idm04 0 |            |            |            |            |       |
|                    | radius01 0 |            |            |            |            |       |
+--------------------+------------+------------+------------+------------+------------+-------+
grant@radius01:~/checkipaconsistency[20221118-9:51][#133]$

But I now see "LDAP Conflicts" that are not shown in the v17.2.21a ipa_check_consistency execution.