[Freeipa-users] Test connectivity before joining domain

Simo Sorce simo at redhat.com
Mon Oct 27 13:45:11 UTC 2014


On Mon, 27 Oct 2014 12:13:46 -0000
"Innes, Duncan" <Duncan.Innes at virginmoney.com> wrote:

> Hi,
>  
> Have been using `ping` to test connectivity from our clients to the
> various IPA servers around the WAN before running an ldapsearch to
> pull some details about the client from the LDAP database.
>  
> Several new VLANs have now come online that do not permit ping
> traffic to be transmitted outside the VLAN, so clients on these LANs
> think they can't see any of my IPA servers and then fail the domain
> join during the kickstart phase.
>  
> Wondering if there's a consensus on how to check connectivity to IPA
> servers on the network?  Something that I can use during the kickstart
> post-install phase.
>  
> Current effort is:
>  
> wget --timeout=1 --tries=1 --no-check-certificate
> https://ipaserver1.example.com
>  
> and then test $? for result.  But this only tests ports 80/443 - which
> authentication clients won't necessarily have access on.  Can I
> reliably test the other FreeIPA ports?  389, 636, 88, 464?  These are
> the ports that clients have to be allowed access to the IPA servers.

Duncan,
if you know python you can look into the ipa-replica-install tool, as
it does a full check of accessibility. You do not need all those tests
(as you do not need connection back from the server for example). But
you can take inspiration there to see how we test each service.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
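
An added example, not part of the original messages and not code from ipa-replica-install: a kickstart %post style check that replaces ping with a TCP connect to each of the ports listed in the question (389, 636, 88, 464). The function names and the second host name in the usage comment are hypothetical, and the sketch assumes bash and coreutils `timeout` are present in the install environment.

```shell
#!/bin/sh
# Added example: TCP reachability checks for the IPA ports named in the thread.
# Function names are hypothetical; nothing here is FreeIPA's own code.

IPA_TCP_PORTS="389 636 88 464"   # ports listed in the original question

# tcp_open HOST PORT [TIMEOUT_SECONDS]
# Succeeds only if a TCP connection completes within the timeout.
# Uses bash's /dev/tcp pseudo-device, so no extra packages are needed in %post.
tcp_open() {
    timeout "${3:-2}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# blocked_ports HOST PORT...
# Prints the space-separated ports that could not be reached (empty if all open).
# Always returns 0 so it is safe under "set -e".
blocked_ports() {
    host=$1; shift
    blocked=""
    for port in "$@"; do
        tcp_open "$host" "$port" || blocked="${blocked:+$blocked }$port"
    done
    printf '%s\n' "$blocked"
}

# first_reachable_server HOST...
# Prints the first server with every port in IPA_TCP_PORTS open; returns 1 if none.
first_reachable_server() {
    for server in "$@"; do
        # IPA_TCP_PORTS is left unquoted on purpose so it splits into one arg per port.
        if [ -z "$(blocked_ports "$server" $IPA_TCP_PORTS)" ]; then
            printf '%s\n' "$server"
            return 0
        fi
    done
    return 1
}

# Usage in kickstart %post (ipaserver2 is a constructed host name):
#   server=$(first_reachable_server ipaserver1.example.com ipaserver2.example.com) \
#       || { echo "no IPA server reachable on $IPA_TCP_PORTS" >&2; exit 1; }
```

A successful connect only shows that the firewall path and a listener exist on that TCP port; it does not prove the LDAP or Kerberos service behind it is healthy. Kerberos (88, 464) is also commonly carried over UDP, which this TCP probe does not exercise.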



