[Freeipa-users] Advice sought on monitoring freeipa status

Roderick Johnstone rmj at ast.cam.ac.uk
Wed May 18 10:08:49 UTC 2016


Hi

I'm trying to set up some monitoring of our freeipa installation. To
start with, I'd like to know, e.g.:

1) If replication stopped

2) Whether the ldap databases on replicas are inconsistent with each other.

We have RHEL7 freeipa servers and RHEL6 and RHEL7 clients, all with 
latest distribution packages.

I see a number of pages at www.ipa.org about monitoring freeipa in 
various ways, but I'm not sure any were actually implemented yet.

Then I found this: https://github.com/peterpakos/ipa_check_consistency
which looks useful but seems to require a plain text password for a 
privileged ldap account to be embedded in a file, which is less than ideal.

So, I was wondering, as a stopgap, whether it's possible to control the
server that the ipa commands talk to at the command line?

One could then run a cron job to iterate through the servers and compare 
various outputs from ipa commands. However, the ipa man page suggests 
the ipa command will go for either the server explicitly set in 
/etc/ipa/default.conf or if unavailable use those set in the DNS _SRV_ 
records.

Maybe there is a better way to do this that I missed altogether?

Roderick Johnstone
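
The two checks asked about above (stopped replication, replicas disagreeing), as an added example that is not part of the original post or of any FreeIPA tool. It assumes LDIF has already been collected from each server in turn (for instance with ldapsearch pointed at one host at a time) and that replication agreement entries carry the 389 Directory Server attribute nsds5replicaLastUpdateStatus; all hostnames, DNs and status text in the sample are constructed.

```python
import re
# Constructed sample LDIF per server; hostnames, DNs and the -1 status text are made up.
SAMPLE = {
    "ipa1.example.test": """\
dn: cn=meToipa2.example.test,cn=replica,cn=example,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental
  update succeeded

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
""",
    "ipa2.example.test": """\
dn: cn=meToipa1.example.test,cn=replica,cn=example,cn=mapping tree,cn=config
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
""",
}

def parse_ldif(text):
    """Unfold continuation lines, return [{attr: [values]}]; base64 (attr::) lines are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#") and not attr.endswith(":"):
                entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def failed_agreements(entries):
    """(dn, status) for agreements whose last update status code is not 0."""
    code = re.compile(r"(?:Error \()?(-?\d+)")  # accepts "0 ..." and "Error (0) ..."
    return [(e["dn"][0], s) for e in entries
            for s in e.get("nsds5replicalastupdatestatus", [])
            if not (m := code.match(s)) or int(m.group(1)) != 0]

def missing_users(per_server):
    """Map each server to user DNs that exist on another server but not on it."""
    dns = {srv: {e["dn"][0].lower() for e in parse_ldif(ldif) if "uid" in e}
           for srv, ldif in per_server.items()}
    union = set().union(*dns.values())
    return {srv: sorted(union - have) for srv, have in dns.items() if union - have}
```

A cron job could alert whenever either function returns a non-empty result; a user created moments before collection can show up as a transient difference, so alert only when it persists across runs.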



