#3631 [RFE] Create a way to report freeipa-client health
Closed: Duplicate. Opened 10 years ago by dpal.

The RFE is based on the thread: https://www.redhat.com/archives/freeipa-users/2013-May/msg00131.html

It seems that maybe it should be a sort of dry run/validation mode for ipa-client-install.

For example:

ipa-client-install --health
Detecting...
DNS OK
SSSD OK
Kerberos OK
Certmonger OK

Summary:
SSSD is configured to:
[put info here]
Certmonger is tracking:
[put info here]
Auto FS integration is: On
SSH integration is: Off
[etc.]
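
A minimal read-only version of the report sketched above, as an added example that is not part of the ticket and not FreeIPA code. It assumes the client settings live in /etc/ipa/default.conf and the host keytab in /etc/krb5.keytab; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example: read-only FreeIPA client health report (not FreeIPA code).
# Assumptions: client settings in /etc/ipa/default.conf, host keytab in
# /etc/krb5.keytab; the function names and the --run switch are hypothetical.
IPA_CONF="${IPA_CONF:-/etc/ipa/default.conf}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
# Checks to run; a distro-specific plugin would define more check_<name>
# functions and append their names here.
HEALTH_CHECKS="${HEALTH_CHECKS:-dns sssd kerberos certmonger}"

# Print the value of "key = value" from the IPA client configuration.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$IPA_CONF" 2>/dev/null | head -n 1
}

need() { command -v "$1" >/dev/null 2>&1; }

# Each check returns 0 = OK, 1 = FAIL, 2 = SKIP (tool not installed).
check_dns() {
    need dig || return 2
    domain=$(conf_get domain)
    [ -n "$domain" ] || return 1
    # A real SRV answer starts with the numeric priority; dig error text does not.
    dig +short -t SRV "_kerberos._udp.$domain" 2>/dev/null | grep -q '^[0-9]'
}
check_sssd()       { need systemctl || return 2; systemctl is-active --quiet sssd; }
# Only verifies that the host keytab exists and can be read and parsed.
check_kerberos()   { need klist || return 2; klist -k "$KEYTAB" >/dev/null 2>&1; }
check_certmonger() { need ipa-getcert || return 2; ipa-getcert list >/dev/null 2>&1; }

# Run every check, print one line per check, return the number of failures.
health_report() {
    failed=0
    for c in $HEALTH_CHECKS; do
        rc=0
        "check_$c" || rc=$?
        case $rc in
            0) status=OK ;;
            2) status=SKIP ;;
            *) status=FAIL; failed=$((failed + 1)) ;;
        esac
        printf '%-12s %s\n' "$c" "$status"
    done
    return "$failed"
}

case "${1:-}" in
    --run) health_report ;;
esac
```

Every check only reads local state or sends a DNS query, so the report needs no test account and changes nothing on the server; reading the keytab and querying certmonger normally require root.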

May I suggest that you include in this script a few things. Not only debug logins, but also add checks for the other things that I see wrong. If you go through your mailing lists you will find a very large number of support requests on the subjects of ability to change passwords, sudo configuration, and roaming home folder maintenance.

And I would suggest that you not only check config files, but actually try the events. You can create a health check user in IPA that is normally disabled. To run the health check, the user is enabled and the script actually tries to log in as that user, see if it can change the password for that user, see if it can sudo as that user, etc. Then when the health check is done, that user is disabled again. A lot of logistics to work out I realize, but I believe it will be time well spent in making a product that is currently a pain to use outside of Red Hat's world much easier on the people tasked with making it work.

I realize these things can vary a bit from one flavor of nix to another, but I believe if you write the script in a way that allows plugins with clear documentation you will find many developers willing to fill in the blank spaces. You could do it so someone can take your interface and implement a health check plugin for Ubuntu 13.04, Ubuntu 12.10, Debian whatever. These different flavors could all be plugins to the script, allowing the system to do the health check for that specific version of nix, as the configs can vary slightly from distribution to distribution. That allows you to put the burden of maintaining the differences on the various flavors to the community, not your team.

Messing with the accounts immediately starts to add a significant amount of complexity. To enable an account, the executor of the tests needs to have a privilege to do so. OK, we can ask you to run the test as an admin, but it is unclear what HBAC and SUDO rules this health user should be associated with. This is just a beginning. Very quickly it would turn into a test suite that one needs to install, so someone would need to port it to all the platforms you worry about.
We can start small though, patches are welcome.

Moving open tickets to next month bucket.

FreeIPA 3.3 deadline is in one week, there was no development for this feature. Moving back to NEEDS_TRIAGE to reconsider if this should be moved to other release.

Closing as duplicate of #4008 which is currently triaged for FreeIPA 3.5.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago
