Bug 1012410
Summary: | Collect output of `ipa-replica-manage` in ipa module | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Petr Spacek <pspacek> |
Component: | sos | Assignee: | Bryn M. Reeves <bmr> |
Status: | CLOSED ERRATA | QA Contact: | David Kutálek <dkutalek> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.5 | CC: | agk, bmr, chorn, gavin, jbrassow, mkosek, pspacek, rmainz, sos-team |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | sos-2.2-56.el6 | Doc Type: | Bug Fix |
Doc Text: |
No documentation needed.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2014-10-14 07:22:19 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Petr Spacek
2013-09-26 12:25:26 UTC
Thanks for the report. The utility of this information is clear. Is there anything in the tool output that we would want to remove? I.e. secrets or tokens that are not of diagnostic value but that could be considered private information? Would it be possible to paste/attach some sample output to the bug? AFAIK there is nothing 'secret', just host names. Examples: $ ipa-replica-manage -v list vm-192.idm.lab.eng.brq.redhat.com: master vm-127.idm.lab.eng.brq.redhat.com: master $ ipa-replica-manage -v list $(hostname) vm-192.idm.lab.eng.brq.redhat.com: replica last init status: 0 Total update succeeded last init ended: 2013-09-26 11:19:06+00:00 last update status: 0 Replica acquired successfully: Incremental update succeeded last update ended: 2013-09-26 12:50:29+00:00 That's true. I am just thinking that ipa-replica-manage command won't run without Kerberos credentials. So if user does not run "kinit someuser" and enters password, ipa-replica-manage will fail to bind to LDAP server and will not collect the information. Sosreport runs under root, right? Can we hack it to use SLAPI for Bind? Unfortunately not. You can only specify bind DN and password. You would need to prepare ldapsearches doing LDAPI autobind. To search for replication agreements in given replica. Aren't ldapsearches like this one in sos report already? I am not sure now if we added them or not. > Aren't ldapsearches like this one in sos report already? I am not sure now if
> we added them or not.
No.
Happy to make changes to capture this information but we'll need to have something that will "just work" for most configurations (or that can take a simple command line parameter that we can document).
The Debian porters added some ldapsearch stuff upstream to their ldap plug-in but this does not address replication afaik:
ldap_search = "ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// "
self.add_cmd_output("ldapsearch -x -b '' -s base 'objectclass=*'")
self.add_cmd_output(ldap_search + "-b cn=config '(!(objectClass=olcSchemaConfig))'",
suggest_filename="configuration_minus_schemas")
self.add_cmd_output(ldap_search + "-b cn=schema,cn=config dn",
suggest_filename="loaded_schemas")
self.add_cmd_output(ldap_search + "-b cn=config '(olcAccess=*)' olcAccess olcSuffix",
suggest_filename="access_control_lists")
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. commit 27a05970f747a36a5d8564301240de3c7897b86b Author: Bryn M. Reeves <bmr> Date: Sat Jun 21 15:12:52 2014 +0100 [ipa] add ipa-replica-manage output Signed-off-by: Bryn M. Reeves <bmr> Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1528.html |