51 'dn|d=s' => undef, |
51 'dn|d=s' => undef, |
52 'binddn|D=s' => undef, |
52 'binddn|D=s' => undef, |
53 'password=s' => undef, |
53 'password=s' => undef, |
54 'config=s' => '/etc/nagios-plugins/config/ldap_repl.cfg', |
54 'config=s' => '/etc/nagios-plugins/config/ldap_repl.cfg', |
55 'provider|p=s' => 'ldapi:///', |
55 'provider|p=s' => 'ldapi:///', |
56 'consumer|c=s@' => 'ldap://consumer:389', |
56 'consumer|c=s@' => undef, |
57 'wait|w=i' => 1, |
57 'wait|w=i' => 1, |
58 'help|h!' => sub { pod2usage(-verbose => 1, -exitval => $ERRORS{OK}) }, |
58 'help|h!' => sub { pod2usage(-verbose => 1, -exitval => $ERRORS{OK}) }, |
59 'man|m!' => sub { pod2usage(-verbose => 2, -exitval => $ERRORS{OK}) }, |
59 'man|m!' => sub { pod2usage(-verbose => 2, -exitval => $ERRORS{OK}) }, |
60 'version|V!' => sub { version($ME, $VERSION); exit $ERRORS{OK}; } |
60 'version|V!' => sub { version($ME, $VERSION); exit $ERRORS{OK}; } |
61 }; |
61 }; |
113 |
113 |
114 # make sure that command line options override any config file options |
114 # make sure that command line options override any config file options |
115 $c->getopt; |
115 $c->getopt; |
116 |
116 |
117 my %o = $c->varlist('.'); |
117 my %o = $c->varlist('.'); |
|
118 $o{binddn} //= $o{dn}; |
118 my $t = time(); |
119 my $t = time(); |
119 |
120 |
120 my $p = Net::LDAP->new($o{provider}, onerror => 'die') or die $@; |
121 my $p = Net::LDAP->new($o{provider}, onerror => 'die') or die $@; |
121 $p->bind($o{binddn}, password => $o{password}); |
122 $p->bind($o{binddn}, password => $o{password}); |
122 $p->modify($o{dn}, replace => { $o{attribute} => $t }); |
123 $p->modify($o{dn}, replace => { $o{attribute} => $t }); |
169 |
170 |
170 DN of the entry whose attribute will be updated and checked for replication. |
171 DN of the entry whose attribute will be updated and checked for replication. |
171 |
172 |
172 =item B<-b>|B<--binddn> I<string> |
173 =item B<-b>|B<--binddn> I<string> |
173 |
174 |
174 DN to use when binding to provider for update. |
175 DN to use when binding to provider for update. (default: same as dn) |
175 |
176 |
176 =item B<--password> I<string> |
177 =item B<--password> I<string> |
177 |
178 |
178 Password to use when binding to provider for update. B<PASSWORD IS SHOWN IN PROCESSES, USE CONFIG FILE!> |
179 Password to use when binding to provider for update. B<PASSWORD IS SHOWN IN PROCESSES, USE CONFIG FILE!> |
179 |
180 |
181 |
182 |
182 provider uri (default: ldapi:///) |
183 provider uri (default: ldapi:///) |
183 |
184 |
184 =item B<-S>|B<--consumer> I<string> |
185 =item B<-S>|B<--consumer> I<string> |
185 |
186 |
186 consumer uri. Multiple consumers can be specified as a comma separated list (see below). (default: ldap://ldap-consumer:389/) |
187 consumer uri. Multiple consumers can be specified as a comma separated list (see below). |
187 |
188 |
188 =item B<--config> I<string> |
189 =item B<--config> I<string> |
189 |
190 |
190 Path to configuration file. Use this to store the binddn and its password. |
191 Path to configuration file. Use this to store the binddn and its password. |
191 Verify the ownership and B<permissions>, B<(0400)> is a good choice! (default: |
192 Verify the ownership and B<permissions>, B<(0400)> is a good choice! (default: |
192 /etc/nagios-plugins/config/ldap_repl.cfg) |
193 /etc/nagios-plugins/config/ldap_repl.cfg) |
193 |
194 |
194 |
195 |
195 |
|
196 Example: |
196 Example: |
197 |
197 |
198 binddn = cn=admin,dc=local,dc=site |
198 # attribute = description |
|
199 dn = cn=replcheck,dc=local,dc=site |
|
200 # binddn = # same as dn per default |
199 password = secret |
201 password = secret |
200 provider = ldap://provider:389/ |
202 #provider = ldapi:/// |
201 consumer = ldap://consumer-01:389/,ldap://consumer-02:389/,... |
203 consumer = ldap://consumer-01:389/,ldap://consumer-02:389/,... |
202 dn = cn=replcheck |
204 #wait = 1 |
203 wait = 2 |
|
204 |
205 |
205 =item B<-w>|B<--wait> I<integer> |
206 =item B<-w>|B<--wait> I<integer> |
206 |
207 |
207 Wait I<n> seconds before checking the consumer servers. (default: 1) |
208 Wait I<n> seconds before checking the consumer servers. (default: 1) |
208 |
209 |
220 |
221 |
221 =back |
222 =back |
222 |
223 |
223 =head1 DESCRIPTION |
224 =head1 DESCRIPTION |
224 |
225 |
225 This plugin checks if the ldap replication works correctly. |
226 This plugin checks if the ldap replication works correctly by updating an |
|
227 attribute of an entry on the provider and checking whether the update has been |
|
228 replicated to one or more consumers after some configurable time. It is |
|
229 recommended to run it on the provider because the directory needs to be updated |
|
230 there. The object classes for dn and binddn don't matter much, but they should |
|
231 support authentication and the chosen attribute for updates. The attribute |
|
232 should support numeric integer values (it will be updated with the current |
|
233 unix epoch). Example: |
|
234 |
|
235 430 cn=replcheck,ou=Users,dc=wiegandslide,dc=de |
|
236 objectClass: simpleSecurityObject |
|
237 objectClass: applicationProcess |
|
238 cn: replcheck |
|
239 userPassword: {SSHA}Twb/q2n4G6+PmSUfZaK09smj751ts9Rz |
|
240 |
|
241 The attribute does not neccessarily need to exist initially. It should be |
|
242 created upon first update. You may also need to update your acl. |
226 |
243 |
227 =head1 VERSION |
244 =head1 VERSION |
228 |
245 |
229 This man page is current for version 0.4 of B<check_ldap_repl>. |
246 This man page is current for version 0.4 of B<check_ldap_repl>. |
230 |
247 |
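Review bot: The example entry added to the DESCRIPTION section (new lines 235–239) prints a complete `userPassword: {SSHA}…` value beside what looks like a real deployment DN. If it was copied from a live directory, that salted SHA-1 hash is open to offline guessing, so the password should be rotated. The example should carry a placeholder instead, e.g. `userPassword: {SSHA}<output of slappasswd>`. Since `binddn` now defaults to `dn`, the closing sentence about ACLs could also state what is actually needed: the check entry only requires write access to the one chosen attribute on itself, nothing broader.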