This document is being used to layout the “healthcheck” subcommand of dsctl. Herein lies the requirements coming from downstream (RHEL) in a larger effort to provide a consistent and complete “healthcheck tool report” across all of the IDM products (FreeIPA, DS, and CS).
Gather and analyze a server for potential issues, and describe how to resolve them. There will be a human-readable report, and a JSON report available. Since health checking requires looking at things outside of the server itself, like TLS certificates and system files, the data must be gathered by running dsctl on the same system.
Here is a list of checks the tool does:
Here is an example running the the output you might see
dsctl [--json] INSTANCE_NAME healthcheck
# dsctl slapd-localhost healthcheck
Beginning lint report, this could take a while ...
Checking Backends ...
Checking Config ...
Checking Encryption ...
Checking FSChecks ...
Checking ReferentialIntegrityPlugin ...
Checking MonitorDiskSpace ...
Checking Replica ...
Checking Changelog5 ...
Checking NssSsl ...
Healthcheck complete.
1 Issue found! Generating report ...
[1] DS Lint Error: DSELE0001
--------------------------------------------------------------------------------
Severity: MEDIUM
Affects:
-- cn=encryption,cn=config
Details:
-----------
This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to
have a number of issues with the protocol. Please see:
https://tools.ietf.org/html/rfc7457
It is advised you set this value to the maximum possible.
Resolution:
-----------
There are two options for setting the TLS minimum version allowed. You,
can set "sslVersionMin" in "cn=encryption,cn=config" to a version greater than "TLS1.0"
You can also use 'dsconf' to set this value. Here is an example:
# dsconf slapd-localhost security set --tls-protocol-min=TLS1.2
You must restart the Directory Server for this change to take effect.
Or, you can set the system wide crypto policy to FUTURE which will use a higher TLS
minimum version, but doing this affects the entire system:
# update-crypto-policies --set FUTURE
===== End Of Report (1 Issue found) =====
This is the JSON output format
[
{
"dsle": "RESULT CODE",
"severity": "HIGH/MEDIUM/LOW",
"items": [
ITEM,
ITEM,
],
"detail": "PROBLEM DESCRIPTION",
"fix": "RESOLUTION"
}
]
From the example above it would look like this:
# dsctl --json slapd-localhost healthcheck
[{"dsle": "DSELE0001", "severity": "MEDIUM", "items": ["cn=encryption,cn=config"], "detail": "This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to\nhave a number of issues with the protocol. Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\nIt is advised you set this value to the maximum possible.", "fix": "There are two options for setting the TLS minimum version allowed. You,\ncan set \"sslVersionMin\" in \"cn=encryption,cn=config\" to a version greater than \"TLS1.0\"\nYou can also use 'dsconf' to set this value. Here is an example:\n\n # dsconf slapd-localhost security set --tls-protocol-min=TLS1.2\n\nYou must restart the Directory Server for this change to take effect.\n\nOr, you can set the system wide crypto policy to FUTURE which will use a higher TLS\nminimum version, but doing this affects the entire system:\n\n # update-crypto-policies --set FUTURE"}]
Here is a table of the types of things the tool checks. These list will probably expand in future releases of the server.
Result Code | Component | Severity | Description |
---|---|---|---|
DSBLE0001 | Backend | Medium | Backend missing mapping tree entry. This happens when a step is missed when manually creating a new backend |
DSBLE0002 | Server | High | Unable to query the backend |
DSBLE0003 | Backend | Low | Database not initialized. A backend was created, but the database is completely empty |
DSVIRTLE0001 | Config | High | Virtual attribute is incorrectly indexed. Attributes used by roles or COS should not be indexed and it can corrupt search results |
DSCLE0001 | Config | Low | Logging format should be revised. High resolution timestamps are disabled |
DSCLE0002 | Security | High | Insecure password hash configured. A weak password storage scheme is being used |
DSELE0001 | Security | Medium | Minimum allowed TLS version too low. The min TLS version is set below 1.2 |
DSRILE0001 | Plugins | Low | RI plugin is misconfigured. The update delay is set, and this can cause issues with replication |
DSRILE0002 | Plugins | High | RI plugin missing indexes. There are attributes the RI plugin will query for every delete operation that are not indexed. This will cause hard-to-detect unindexed searches and high CPU |
DSREPLLE0001 | Replication | High | Out of synchronization - replication is broken |
DSREPLLE0002 | Replication | Low | Presence of conflict entries |
DSREPLLE0003 | Replication | Medium | Out of synchronization, but replication is not broken |
DSREPLLE0004 | Replication | Medium | Failed to get status - state unknown |
DSREPLLE0005 | Replication | Medium | Remote replica is not reachable |
DSCLLE0001 | Replication | Medium | Changelog trimming is not configured and this can cause the change log to grow without any limits |
DSSKEWLE0001 | Replication | Low | The replication time skew is over 6 hours, and should continue to be monitored |
DSSKEWLE0002 | Replication | Medium | The replication time skew is over 12 hours, and all the replicas should have their system times checked for accuracy |
DSSKEWLE0003 | Replication | High | The replication time skew is over 24 hours, and all the replicas should have their system times checked for accuracy, but replication sessions will start breaking. |
DSCERTLE0001 | TLS Certificates | Medium | Certificate expiring within 30 days |
DSCERTLE0002 | TLS Certificates | High | Certificate expired |
DSDSLE0001 | OS | High | Low disk space |
DSPERMLE0001 | OS | Medium | Bad file permissions on /etc/resolv.conf |
DSPERMLE0002 | OS/Security | High | Bad file permissions on security db password/pin files. The permissions are too open. |