2021-03-23 17:47:10 +01:00
|
|
|
#!/usr/bin/env python3
|
2012-12-14 00:18:07 +01:00
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Script to check LDAP syncrepl replication state between two servers.
|
|
|
|
|
# One server is consider as provider and the other as consumer.
|
|
|
|
|
#
|
|
|
|
|
# This script can check replication state with two method :
|
|
|
|
|
# - by the fisrt, entryCSN of all entries of LDAP directory will be
|
|
|
|
|
# compare between two servers
|
|
|
|
|
# - by the second, all values of all atributes of all entries will
|
|
|
|
|
# be compare between two servers.
|
2013-12-18 18:54:51 +01:00
|
|
|
#
|
2012-12-14 00:18:07 +01:00
|
|
|
# In all case, contextCSN of servers will be compare and entries not
|
2013-12-18 18:54:51 +01:00
|
|
|
# present in consumer or in provider will be notice. You can decide to
|
|
|
|
|
# disable contextCSN verification by using argument --no-check-contextCSN.
|
|
|
|
|
#
|
|
|
|
|
# This script is also able to "touch" LDAP object on provider to force
|
|
|
|
|
# synchronisation of this object. This mechanism consist to add '%%TOUCH%%'
|
|
|
|
|
# value to an attribute of this object and remove it just after. The
|
|
|
|
|
# touched attribute is specify by parameter --touch. Of course, couple of
|
|
|
|
|
# DN and password provided, must have write right on this attribute.
|
2012-12-14 00:18:07 +01:00
|
|
|
#
|
2013-12-19 18:42:57 +01:00
|
|
|
# If your prefer, you can use --replace-touch parameter to replace value
|
|
|
|
|
# of touched attribute instead of adding the touched value. Use-ful in
|
|
|
|
|
# case of single-value attribute.
|
|
|
|
|
#
|
2012-12-14 00:18:07 +01:00
|
|
|
# This script could be use as Nagios plugin (-n argument)
|
|
|
|
|
#
|
2020-12-18 11:24:09 +01:00
|
|
|
# Requirement:
|
|
|
|
|
# A single couple of DN and password able to connect to both server
|
2012-12-14 00:18:07 +01:00
|
|
|
# and without restriction to retrieve objects from servers.
|
2013-05-15 17:30:15 +02:00
|
|
|
#
|
2020-12-18 11:24:09 +01:00
|
|
|
# Author: Benjamin Renard <brenard@easter-eggs.com>
|
2022-09-26 11:25:07 +02:00
|
|
|
# Source: https://gitea.zionetrix.net/bn8/check_syncrepl_extended
|
2012-12-14 00:18:07 +01:00
|
|
|
#
|
|
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
import argparse
|
2012-12-14 00:18:07 +01:00
|
|
|
import logging
|
|
|
|
|
import sys
|
2020-12-18 11:24:09 +01:00
|
|
|
|
2016-06-28 23:54:44 +02:00
|
|
|
import getpass
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
import ldap
|
|
|
|
|
from ldap import LDAPError # pylint: disable=no-name-in-module
|
|
|
|
|
from ldap.controls import SimplePagedResultsControl
|
2022-05-01 02:39:51 +02:00
|
|
|
from ldap import modlist
|
2020-12-18 11:24:09 +01:00
|
|
|
|
2022-05-01 03:11:54 +02:00
|
|
|
VERSION = '0.0'
|
2022-08-29 09:44:36 +02:00
|
|
|
TOUCH_VALUE = b'%%TOUCH%%'
|
2020-12-18 11:24:09 +01:00
|
|
|
|
|
|
|
|
parser = argparse.ArgumentParser(
|
2022-05-01 02:39:51 +02:00
|
|
|
description=(
|
|
|
|
|
"Script to check LDAP syncrepl replication state between "
|
|
|
|
|
"two servers."),
|
|
|
|
|
epilog=(
|
2022-05-01 03:11:54 +02:00
|
|
|
'Author: Benjamin Renard <brenard@easter-eggs.com>, '
|
|
|
|
|
f'Version: {VERSION}, '
|
2022-09-26 11:25:07 +02:00
|
|
|
'Source: https://gitea.zionetrix.net/bn8/check_syncrepl_extended')
|
2020-12-18 11:24:09 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-p", "--provider",
|
|
|
|
|
dest="provider",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="LDAP provider URI (example: ldaps://ldapmaster.foo:636)"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-c", "--consumer",
|
|
|
|
|
dest="consumer",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="LDAP consumer URI (example: ldaps://ldapslave.foo:636)"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-i", "--serverID",
|
|
|
|
|
dest="serverid",
|
|
|
|
|
action="store",
|
|
|
|
|
type=int,
|
2022-05-01 02:39:51 +02:00
|
|
|
help=(
|
|
|
|
|
"Compare contextCSN of a specific master. Useful in MultiMaster "
|
|
|
|
|
"setups where each master has a unique ID and a contextCSN for "
|
|
|
|
|
"each replicated master exists. A valid serverID is a integer "
|
|
|
|
|
"value from 0 to 4095 (limited to 3 hex digits, example: '12' "
|
|
|
|
|
"compares the contextCSN matching '#00C#')"),
|
2020-12-18 11:24:09 +01:00
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-T", "--starttls",
|
|
|
|
|
dest="starttls",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Start TLS on LDAP provider/consumers connections",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-D", "--dn",
|
|
|
|
|
dest="dn",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="LDAP bind DN (example: uid=nagios,ou=sysaccounts,o=example"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-P", "--pwd",
|
|
|
|
|
dest="pwd",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="LDAP bind password",
|
|
|
|
|
default=None
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-b", "--basedn",
|
|
|
|
|
dest="basedn",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="LDAP base DN (example: o=example)"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-f", "--filter",
|
|
|
|
|
dest="filterstr",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="LDAP filter (default: (objectClass=*))",
|
|
|
|
|
default='(objectClass=*)'
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-d", "--debug",
|
|
|
|
|
dest="debug",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Debug mode",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-n", "--nagios",
|
|
|
|
|
dest="nagios",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Nagios check plugin mode",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"-q", "--quiet",
|
|
|
|
|
dest="quiet",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Quiet mode",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--no-check-certificate",
|
|
|
|
|
dest="nocheckcert",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Don't check the server certificate (Default: False)",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--no-check-contextCSN",
|
|
|
|
|
dest="nocheckcontextcsn",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Don't check servers contextCSN (Default: False)",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
parser.add_argument(
|
|
|
|
|
"--only-check-contextCSN",
|
|
|
|
|
dest="onlycheckcontextcsn",
|
|
|
|
|
action="store_true",
|
2022-05-01 02:39:51 +02:00
|
|
|
help=(
|
|
|
|
|
"Only check servers root contextCSN (objects check disabled, "
|
|
|
|
|
"default : False)"),
|
2021-02-02 14:11:58 +01:00
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
parser.add_argument(
|
|
|
|
|
"-a", "--attributes",
|
|
|
|
|
dest="attrs",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="Check attributes values (Default: check only entryCSN)",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--exclude-attributes",
|
|
|
|
|
dest="excl_attrs",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
help="Don't check this attribut (only in attribute check mode)",
|
|
|
|
|
default=None
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--touch",
|
|
|
|
|
dest="touch",
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
2022-05-01 02:39:51 +02:00
|
|
|
help=(
|
|
|
|
|
'Touch attribute giving in parameter to force resync a this LDAP '
|
2022-08-29 09:44:36 +02:00
|
|
|
f'object from provider. A value "{TOUCH_VALUE.decode()}" will be '
|
|
|
|
|
'add to this attribute and remove after. The user use to connect '
|
|
|
|
|
'to the LDAP directory must have write permission on this '
|
|
|
|
|
'attribute on each object.'
|
2022-05-01 02:39:51 +02:00
|
|
|
),
|
2020-12-18 11:24:09 +01:00
|
|
|
default=None
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--replace-touch",
|
|
|
|
|
dest="replacetouch",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="In touch mode, replace value instead of adding.",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--remove-touch-value",
|
|
|
|
|
dest="removetouchvalue",
|
|
|
|
|
action="store_true",
|
|
|
|
|
help="In touch mode, remove touch value if present.",
|
|
|
|
|
default=False
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
"--page-size",
|
|
|
|
|
dest="page_size",
|
|
|
|
|
action="store",
|
|
|
|
|
type=int,
|
2022-05-01 02:39:51 +02:00
|
|
|
help=(
|
|
|
|
|
"Page size: if defined, paging control using LDAP v3 extended "
|
|
|
|
|
"control will be enabled."),
|
2020-12-18 11:24:09 +01:00
|
|
|
default=None
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
options = parser.parse_args()
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if options.nocheckcontextcsn and options.onlycheckcontextcsn:
|
2022-05-01 02:39:51 +02:00
|
|
|
parser.error(
|
|
|
|
|
"You can't use both --no-check-contextCSN and "
|
|
|
|
|
"--only-check-contextCSN parameters and the same time")
|
2021-02-02 14:11:58 +01:00
|
|
|
if options.nagios:
|
|
|
|
|
sys.exit(3)
|
|
|
|
|
sys.exit(1)
|
|
|
|
|
|
2012-12-14 00:18:07 +01:00
|
|
|
if not options.provider or not options.consumer:
|
2021-02-02 11:38:29 +01:00
|
|
|
parser.error("You must provide provider and customer URI")
|
2020-12-18 11:24:09 +01:00
|
|
|
if options.nagios:
|
|
|
|
|
sys.exit(3)
|
|
|
|
|
sys.exit(1)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
|
|
|
|
if not options.basedn:
|
2021-02-02 11:38:29 +01:00
|
|
|
parser.error("You must provide base DN of connection to LDAP servers")
|
2020-12-18 11:24:09 +01:00
|
|
|
if options.nagios:
|
|
|
|
|
sys.exit(3)
|
|
|
|
|
sys.exit(1)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2022-05-01 02:39:51 +02:00
|
|
|
|
2017-09-12 13:01:52 +02:00
|
|
|
if not 0 <= options.serverid <= 4095:
|
2022-05-01 02:39:51 +02:00
|
|
|
parser.error(
|
|
|
|
|
"ServerID should be a integer value from 0 to 4095 "
|
|
|
|
|
"(limited to 3 hexadecimal digits).")
|
2020-12-18 11:24:09 +01:00
|
|
|
if options.nagios:
|
|
|
|
|
sys.exit(3)
|
|
|
|
|
sys.exit(1)
|
2017-09-12 13:01:52 +02:00
|
|
|
|
2013-05-15 17:32:27 +02:00
|
|
|
if options.touch and not options.attrs:
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.info('Force option attrs on touch mode')
|
|
|
|
|
options.attrs = True
|
2013-05-15 17:32:27 +02:00
|
|
|
|
2018-12-06 18:39:18 +01:00
|
|
|
if options.dn and options.pwd is None:
|
2020-12-18 11:24:09 +01:00
|
|
|
options.pwd = getpass.getpass()
|
2016-06-28 23:54:44 +02:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
excl_attrs = []
|
2013-05-15 17:31:41 +02:00
|
|
|
if options.excl_attrs:
|
2020-12-18 11:24:09 +01:00
|
|
|
for ex in options.excl_attrs.split(','):
|
|
|
|
|
excl_attrs.append(ex.strip())
|
2013-05-15 17:31:41 +02:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
FORMAT = "%(asctime)s - %(levelname)s: %(message)s"
|
2012-12-14 00:18:07 +01:00
|
|
|
|
|
|
|
|
if options.debug:
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.basicConfig(level=logging.DEBUG, format=FORMAT)
|
|
|
|
|
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 0) # pylint: disable=no-member
|
2012-12-14 00:18:07 +01:00
|
|
|
elif options.nagios:
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.basicConfig(level=logging.ERROR, format=FORMAT)
|
2012-12-14 00:18:07 +01:00
|
|
|
elif options.quiet:
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.basicConfig(level=logging.WARNING, format=FORMAT)
|
2012-12-14 00:18:07 +01:00
|
|
|
else:
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.basicConfig(level=logging.INFO, format=FORMAT)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2022-05-01 02:39:51 +02:00
|
|
|
|
|
|
|
|
class LdapServer:
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
uri = ""
|
|
|
|
|
dn = ""
|
|
|
|
|
pwd = ""
|
|
|
|
|
start_tls = False
|
|
|
|
|
|
|
|
|
|
con = 0
|
|
|
|
|
|
|
|
|
|
def __init__(self, uri, dn, pwd, start_tls=False, page_size=None):
|
|
|
|
|
self.uri = uri
|
|
|
|
|
self.dn = dn
|
|
|
|
|
self.pwd = pwd
|
|
|
|
|
self.start_tls = start_tls
|
|
|
|
|
self.page_size = page_size
|
|
|
|
|
|
|
|
|
|
def connect(self):
|
|
|
|
|
if self.con == 0:
|
|
|
|
|
try:
|
|
|
|
|
con = ldap.initialize(self.uri)
|
2022-05-01 02:39:51 +02:00
|
|
|
# pylint: disable=no-member
|
|
|
|
|
con.protocol_version = ldap.VERSION3
|
2020-12-18 11:24:09 +01:00
|
|
|
if self.start_tls:
|
|
|
|
|
con.start_tls_s()
|
|
|
|
|
if self.dn:
|
|
|
|
|
con.simple_bind_s(self.dn, self.pwd)
|
|
|
|
|
self.con = con
|
|
|
|
|
except LDAPError:
|
|
|
|
|
logging.error("LDAP Error", exc_info=True)
|
|
|
|
|
return False
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
def getContextCSN(self, basedn=False, serverid=False):
|
|
|
|
|
if not basedn:
|
|
|
|
|
basedn = self.dn
|
2022-05-01 02:39:51 +02:00
|
|
|
data = self.search(
|
|
|
|
|
basedn, '(objectclass=*)', attrs=['contextCSN'], scope='base')
|
2020-12-18 11:24:09 +01:00
|
|
|
if data:
|
|
|
|
|
contextCSNs = data[0][0][1]['contextCSN']
|
|
|
|
|
logging.debug('Found contextCSNs %s', contextCSNs)
|
|
|
|
|
if serverid is False:
|
|
|
|
|
return contextCSNs[0]
|
|
|
|
|
csnid = str(format(serverid, 'X')).zfill(3)
|
2022-05-01 02:39:51 +02:00
|
|
|
sub = str.encode(f'#{csnid}#', encoding="ascii", errors="replace")
|
2020-12-18 11:24:09 +01:00
|
|
|
CSN = [s for s in contextCSNs if sub in s]
|
|
|
|
|
if not CSN:
|
|
|
|
|
logging.error(
|
2022-05-01 02:39:51 +02:00
|
|
|
"No contextCSN matching with ServerID %s (=%s) could be "
|
|
|
|
|
"found.",
|
2020-12-18 11:24:09 +01:00
|
|
|
serverid, sub
|
|
|
|
|
)
|
|
|
|
|
return False
|
|
|
|
|
return CSN[0]
|
|
|
|
|
return False
|
|
|
|
|
|
2021-02-02 11:16:51 +01:00
|
|
|
@staticmethod
|
|
|
|
|
def get_scope(scope):
|
|
|
|
|
if scope == 'base':
|
|
|
|
|
return ldap.SCOPE_BASE # pylint: disable=no-member
|
2021-03-23 17:40:04 +01:00
|
|
|
if scope == 'one':
|
2021-02-02 11:16:51 +01:00
|
|
|
return ldap.SCOPE_ONELEVEL # pylint: disable=no-member
|
2021-03-23 17:40:04 +01:00
|
|
|
if scope == 'sub':
|
2021-02-02 11:16:51 +01:00
|
|
|
return ldap.SCOPE_SUBTREE # pylint: disable=no-member
|
2022-05-01 02:39:51 +02:00
|
|
|
raise Exception(f'Unknown LDAP scope "{scope}"')
|
2021-02-02 11:16:51 +01:00
|
|
|
|
|
|
|
|
def search(self, basedn, filterstr, attrs=None, scope=None):
|
2020-12-18 11:24:09 +01:00
|
|
|
if self.page_size:
|
2022-05-01 02:39:51 +02:00
|
|
|
return self.paged_search(
|
|
|
|
|
basedn, filterstr, attrs=attrs, scope=scope)
|
2021-02-02 11:16:51 +01:00
|
|
|
res_id = self.con.search(
|
|
|
|
|
basedn, self.get_scope(scope if scope else 'sub'),
|
|
|
|
|
filterstr, attrs if attrs else []
|
|
|
|
|
)
|
2020-12-18 11:24:09 +01:00
|
|
|
ret = []
|
|
|
|
|
while 1:
|
|
|
|
|
res_type, res_data = self.con.result(res_id, 0)
|
|
|
|
|
if res_data == []:
|
|
|
|
|
break
|
2021-03-23 17:40:04 +01:00
|
|
|
if res_type == ldap.RES_SEARCH_ENTRY: # pylint: disable=no-member
|
|
|
|
|
ret.append(res_data)
|
2020-12-18 11:24:09 +01:00
|
|
|
return ret
|
|
|
|
|
|
2021-02-02 11:16:51 +01:00
|
|
|
def paged_search(self, basedn, filterstr, attrs=None, scope=None):
|
2020-12-18 11:24:09 +01:00
|
|
|
ret = []
|
|
|
|
|
page = 0
|
|
|
|
|
pg_ctrl = SimplePagedResultsControl(True, self.page_size, '')
|
|
|
|
|
while page == 0 or pg_ctrl.cookie:
|
|
|
|
|
page += 1
|
|
|
|
|
logging.debug('Page search: loading page %d', page)
|
|
|
|
|
res_id = self.con.search_ext(
|
2021-02-02 11:16:51 +01:00
|
|
|
basedn, self.get_scope(scope if scope else 'sub'),
|
|
|
|
|
filterstr, attrs if attrs else [], serverctrls=[pg_ctrl]
|
2020-12-18 11:24:09 +01:00
|
|
|
)
|
2022-05-01 02:39:51 +02:00
|
|
|
# pylint: disable=unused-variable
|
|
|
|
|
res_type, res_data, res_id, serverctrls = self.con.result3(res_id)
|
2020-12-18 11:24:09 +01:00
|
|
|
for serverctrl in serverctrls:
|
|
|
|
|
if serverctrl.controlType == SimplePagedResultsControl.controlType:
|
|
|
|
|
pg_ctrl.cookie = serverctrl.cookie
|
|
|
|
|
break
|
|
|
|
|
for item in res_data:
|
|
|
|
|
ret.append([item])
|
|
|
|
|
return ret
|
|
|
|
|
|
|
|
|
|
def update_object(self, dn, old, new):
|
|
|
|
|
ldif = modlist.modifyModlist(old, new)
|
2022-05-01 02:39:51 +02:00
|
|
|
if not ldif:
|
2020-12-18 11:24:09 +01:00
|
|
|
return True
|
|
|
|
|
try:
|
|
|
|
|
logging.debug('Update object %s: %s', dn, ldif)
|
|
|
|
|
self.con.modify_s(dn, ldif)
|
|
|
|
|
return True
|
|
|
|
|
except LDAPError:
|
|
|
|
|
logging.error('Error updating object %s', dn, exc_info=True)
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
|
def get_attr(obj, attr):
|
|
|
|
|
if attr in obj[0][1]:
|
|
|
|
|
return obj[0][1][attr]
|
|
|
|
|
return []
|
|
|
|
|
|
|
|
|
|
def touch_object(self, dn, attr, orig_value):
|
|
|
|
|
old = {}
|
|
|
|
|
if orig_value:
|
|
|
|
|
old[attr] = orig_value
|
|
|
|
|
new = {}
|
|
|
|
|
|
|
|
|
|
if options.replacetouch:
|
|
|
|
|
if not orig_value or TOUCH_VALUE not in orig_value:
|
|
|
|
|
new[attr] = [TOUCH_VALUE]
|
|
|
|
|
else:
|
|
|
|
|
new[attr] = list(orig_value)
|
|
|
|
|
if orig_value or TOUCH_VALUE in orig_value:
|
|
|
|
|
new[attr].remove(TOUCH_VALUE)
|
|
|
|
|
else:
|
|
|
|
|
new[attr].append(TOUCH_VALUE)
|
|
|
|
|
try:
|
|
|
|
|
logging.info(
|
|
|
|
|
'Touch object "%s" on attribute "%s": %s => %s',
|
|
|
|
|
dn, attr, old, new
|
|
|
|
|
)
|
|
|
|
|
if self.update_object(dn, old, new):
|
2022-05-01 02:39:51 +02:00
|
|
|
logging.info(
|
|
|
|
|
'Restore original value of attribute "%s" of object "%s"',
|
|
|
|
|
attr, dn)
|
2020-12-18 11:24:09 +01:00
|
|
|
if options.removetouchvalue and TOUCH_VALUE in old[attr]:
|
|
|
|
|
old[attr].remove(TOUCH_VALUE)
|
2021-03-23 17:40:04 +01:00
|
|
|
self.update_object(dn=dn, old=new, new=old)
|
2020-12-18 11:24:09 +01:00
|
|
|
return True
|
|
|
|
|
except LDAPError:
|
|
|
|
|
logging.error('Error touching object "%s"', dn, exc_info=True)
|
|
|
|
|
return False
|
2013-05-15 17:32:27 +02:00
|
|
|
|
2022-05-01 02:39:51 +02:00
|
|
|
|
2012-12-14 00:18:07 +01:00
|
|
|
if options.nocheckcert:
|
2022-05-01 02:39:51 +02:00
|
|
|
# pylint: disable=no-member
|
|
|
|
|
ldap.set_option(
|
|
|
|
|
ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
servers = [options.provider, options.consumer]
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
LdapServers = {}
|
|
|
|
|
LdapObjects = {}
|
|
|
|
|
LdapServersCSN = {}
|
2012-12-14 00:18:07 +01:00
|
|
|
|
|
|
|
|
for srv in servers:
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.info('Connect to %s', srv)
|
2021-03-19 22:03:33 +01:00
|
|
|
LdapServers[srv] = LdapServer(srv, options.dn, options.pwd,
|
|
|
|
|
options.starttls,
|
|
|
|
|
page_size=options.page_size)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
if not LdapServers[srv].connect():
|
|
|
|
|
if options.nagios:
|
2022-05-01 02:39:51 +02:00
|
|
|
print(f'UNKWNON - Failed to connect to {srv}')
|
2020-12-18 11:24:09 +01:00
|
|
|
sys.exit(3)
|
|
|
|
|
else:
|
|
|
|
|
sys.exit(1)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2020-12-18 11:24:09 +01:00
|
|
|
if not options.nocheckcontextcsn:
|
2022-05-01 02:39:51 +02:00
|
|
|
LdapServersCSN[srv] = LdapServers[srv].getContextCSN(
|
|
|
|
|
options.basedn, options.serverid)
|
2020-12-18 11:24:09 +01:00
|
|
|
logging.info('ContextCSN of %s: %s', srv, LdapServersCSN[srv])
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if not options.onlycheckcontextcsn:
|
|
|
|
|
logging.info('List objects from %s', srv)
|
|
|
|
|
LdapObjects[srv] = {}
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if options.attrs:
|
2022-05-01 02:39:51 +02:00
|
|
|
for obj in LdapServers[srv].search(
|
|
|
|
|
options.basedn, options.filterstr, []
|
|
|
|
|
):
|
2021-02-02 14:11:58 +01:00
|
|
|
logging.debug('Found on %s: %s', srv, obj[0][0])
|
|
|
|
|
LdapObjects[srv][obj[0][0]] = obj[0][1]
|
|
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
for obj in LdapServers[srv].search(
|
|
|
|
|
options.basedn, options.filterstr, ['entryCSN']
|
|
|
|
|
):
|
2021-02-02 14:11:58 +01:00
|
|
|
logging.debug(
|
|
|
|
|
'Found on %s: %s / %s',
|
|
|
|
|
srv, obj[0][0], obj[0][1]['entryCSN'][0]
|
|
|
|
|
)
|
|
|
|
|
LdapObjects[srv][obj[0][0]] = obj[0][1]['entryCSN'][0]
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
logging.info('%s objects founds', len(LdapObjects[srv]))
|
2012-12-14 00:18:07 +01:00
|
|
|
|
|
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if not options.onlycheckcontextcsn:
|
|
|
|
|
not_found = {}
|
|
|
|
|
not_sync = {}
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
for srv in servers:
|
|
|
|
|
not_found[srv] = []
|
|
|
|
|
not_sync[srv] = []
|
2012-12-14 00:18:07 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if options.attrs:
|
2022-05-01 02:39:51 +02:00
|
|
|
logging.info(
|
|
|
|
|
"Check if objects a are synchronized (by comparing attributes's "
|
|
|
|
|
"values)")
|
2021-02-02 14:11:58 +01:00
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
logging.info(
|
|
|
|
|
'Check if objets are synchronized (by comparing entryCSN)')
|
2021-02-02 14:11:58 +01:00
|
|
|
for obj in LdapObjects[options.provider]:
|
|
|
|
|
logging.debug('Check obj %s', obj)
|
2022-05-01 02:39:51 +02:00
|
|
|
for srv_name, srv in LdapObjects.items():
|
|
|
|
|
if srv_name == options.provider:
|
2021-02-02 14:11:58 +01:00
|
|
|
continue
|
2022-05-01 02:39:51 +02:00
|
|
|
if obj in srv:
|
2021-02-02 14:11:58 +01:00
|
|
|
touch = False
|
2022-05-01 02:39:51 +02:00
|
|
|
if LdapObjects[options.provider][obj] != srv[obj]:
|
2021-02-02 14:11:58 +01:00
|
|
|
if options.attrs:
|
|
|
|
|
attrs_list = []
|
|
|
|
|
for attr in LdapObjects[options.provider][obj]:
|
|
|
|
|
if attr in excl_attrs:
|
|
|
|
|
continue
|
2022-05-01 02:39:51 +02:00
|
|
|
if attr not in srv[obj]:
|
2020-12-18 11:24:09 +01:00
|
|
|
attrs_list.append(attr)
|
|
|
|
|
logging.debug(
|
2021-02-02 14:11:58 +01:00
|
|
|
"Obj %s not synchronized: %s not present on %s",
|
2022-05-01 02:39:51 +02:00
|
|
|
obj, ','.join(attrs_list), srv_name
|
2020-12-18 11:24:09 +01:00
|
|
|
)
|
|
|
|
|
touch = True
|
2021-02-02 14:11:58 +01:00
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
srv[obj][attr].sort()
|
2021-02-02 14:11:58 +01:00
|
|
|
LdapObjects[options.provider][obj][attr].sort()
|
2022-05-01 02:39:51 +02:00
|
|
|
if srv[obj][attr] != LdapObjects[options.provider][obj][attr]:
|
2021-02-02 14:11:58 +01:00
|
|
|
attrs_list.append(attr)
|
|
|
|
|
logging.debug(
|
|
|
|
|
"Obj %s not synchronized: %s not same value(s)",
|
|
|
|
|
obj, ','.join(attrs_list)
|
|
|
|
|
)
|
|
|
|
|
touch = True
|
|
|
|
|
if attrs_list:
|
2022-05-01 02:39:51 +02:00
|
|
|
not_sync[srv_name].append(f'{obj} ({",".join(attrs_list)})')
|
2021-02-02 14:11:58 +01:00
|
|
|
else:
|
|
|
|
|
logging.debug(
|
|
|
|
|
"Obj %s not synchronized: %s <-> %s",
|
2022-05-01 02:39:51 +02:00
|
|
|
obj, LdapObjects[options.provider][obj], srv[obj]
|
2021-02-02 14:11:58 +01:00
|
|
|
)
|
2022-05-01 02:39:51 +02:00
|
|
|
not_sync[srv_name].append(obj)
|
2021-02-02 14:11:58 +01:00
|
|
|
if touch and options.touch:
|
|
|
|
|
orig_value = []
|
|
|
|
|
if options.touch in LdapObjects[options.provider][obj]:
|
|
|
|
|
orig_value = LdapObjects[options.provider][obj][options.touch]
|
2022-05-01 02:39:51 +02:00
|
|
|
LdapServers[options.provider].touch_object(
|
|
|
|
|
obj, options.touch, orig_value)
|
2021-02-02 14:11:58 +01:00
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
logging.debug('Obj %s: not found on %s', obj, srv_name)
|
|
|
|
|
not_found[srv_name].append(obj)
|
2021-02-02 14:11:58 +01:00
|
|
|
if options.touch:
|
|
|
|
|
orig_value = []
|
|
|
|
|
if options.touch in LdapObjects[options.provider][obj]:
|
|
|
|
|
orig_value = LdapObjects[options.provider][obj][options.touch]
|
2022-05-01 02:39:51 +02:00
|
|
|
LdapServers[options.provider].touch_object(
|
|
|
|
|
obj, options.touch, orig_value)
|
2021-02-02 14:11:58 +01:00
|
|
|
|
|
|
|
|
for obj in LdapObjects[options.consumer]:
|
|
|
|
|
logging.debug('Check obj %s of consumer', obj)
|
|
|
|
|
if obj not in LdapObjects[options.provider]:
|
|
|
|
|
logging.debug('Obj %s: not found on provider', obj)
|
|
|
|
|
not_found[options.provider].append(obj)
|
2012-12-14 00:18:07 +01:00
|
|
|
|
|
|
|
|
if options.nagios:
|
2020-12-18 11:24:09 +01:00
|
|
|
errors = []
|
|
|
|
|
long_output = []
|
|
|
|
|
|
|
|
|
|
if not options.nocheckcontextcsn:
|
|
|
|
|
if not LdapServersCSN[options.provider]:
|
|
|
|
|
errors.append('ContextCSN of LDAP server provider could not be found')
|
|
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
long_output.append(
|
|
|
|
|
f'ContextCSN on LDAP server provider = {LdapServersCSN[options.provider]}')
|
|
|
|
|
for srv_name, srv_csn in LdapServersCSN.items():
|
|
|
|
|
if srv_name == options.provider:
|
2020-12-18 11:24:09 +01:00
|
|
|
continue
|
2022-05-01 02:39:51 +02:00
|
|
|
if not srv_csn:
|
|
|
|
|
errors.append(f'ContextCSN of {srv_name} not found')
|
|
|
|
|
elif srv_csn != LdapServersCSN[options.provider]:
|
|
|
|
|
errors.append(
|
|
|
|
|
f'ContextCSN of {srv_name} not the same of provider')
|
|
|
|
|
long_output.append(
|
|
|
|
|
f'ContextCSN on LDAP server {srv_name} = {srv_csn}')
|
2020-12-18 11:24:09 +01:00
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if not options.onlycheckcontextcsn:
|
|
|
|
|
if not_found[options.consumer]:
|
2022-05-01 02:39:51 +02:00
|
|
|
errors.append(
|
|
|
|
|
f'{len(not_found[options.consumer])} not found object(s) on '
|
|
|
|
|
'consumer')
|
|
|
|
|
long_output.append(
|
|
|
|
|
f'Object(s) not found on server {options.consumer} '
|
|
|
|
|
'(consumer):')
|
2021-02-02 14:11:58 +01:00
|
|
|
for obj in not_found[options.consumer]:
|
2022-05-01 02:39:51 +02:00
|
|
|
long_output.append(f' - {obj}')
|
2021-02-02 14:11:58 +01:00
|
|
|
if not_found[options.provider]:
|
2022-05-01 02:39:51 +02:00
|
|
|
errors.append(
|
|
|
|
|
f'{len(not_found[options.provider])} not found object(s) on '
|
|
|
|
|
'provider')
|
|
|
|
|
long_output.append(
|
|
|
|
|
f'Object(s) not found on server {options.provider} '
|
|
|
|
|
'(provider):')
|
2021-02-02 14:11:58 +01:00
|
|
|
for obj in not_found[options.provider]:
|
2022-05-01 02:39:51 +02:00
|
|
|
long_output.append(f' - {obj}')
|
2021-02-02 14:11:58 +01:00
|
|
|
if not_sync[options.consumer]:
|
2022-05-01 02:39:51 +02:00
|
|
|
errors.append(
|
|
|
|
|
f'{len(not_sync[options.consumer])} not synchronized object(s) '
|
|
|
|
|
'on consumer')
|
|
|
|
|
long_output.append(
|
|
|
|
|
f'Object(s) not synchronized on server {options.consumer} '
|
|
|
|
|
'(consumer):')
|
2021-02-02 14:11:58 +01:00
|
|
|
for obj in not_sync[options.consumer]:
|
2022-05-01 02:39:51 +02:00
|
|
|
long_output.append(f' - {obj}')
|
2020-12-18 11:24:09 +01:00
|
|
|
if errors:
|
2022-05-01 02:39:51 +02:00
|
|
|
print(f'CRITICAL: {", ".join(errors)}')
|
|
|
|
|
print('\n\n')
|
|
|
|
|
print("\n".join(long_output))
|
2020-12-18 11:24:09 +01:00
|
|
|
sys.exit(2)
|
|
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
print('OK: consumer and provider are synchronized')
|
2020-12-18 11:24:09 +01:00
|
|
|
sys.exit(0)
|
2012-12-14 00:18:07 +01:00
|
|
|
else:
|
2020-12-18 11:24:09 +01:00
|
|
|
noerror = True
|
|
|
|
|
for srv in servers:
|
|
|
|
|
if not options.nocheckcontextcsn:
|
|
|
|
|
if not LdapServersCSN[options.provider]:
|
2022-05-01 02:39:51 +02:00
|
|
|
logging.warning(
|
|
|
|
|
'ContextCSN of LDAP server provider could not be found')
|
2020-12-18 11:24:09 +01:00
|
|
|
noerror = False
|
|
|
|
|
else:
|
2022-05-01 02:39:51 +02:00
|
|
|
for srv_name, srv_csn in LdapServersCSN.items():
|
|
|
|
|
if srv_name == options.provider:
|
2020-12-18 11:24:09 +01:00
|
|
|
continue
|
2022-05-01 02:39:51 +02:00
|
|
|
if not srv_csn:
|
|
|
|
|
logging.warning('ContextCSN of %s not found', srv_name)
|
2020-12-18 11:24:09 +01:00
|
|
|
noerror = False
|
2022-05-01 02:39:51 +02:00
|
|
|
elif srv_csn != LdapServersCSN[options.provider]:
|
|
|
|
|
logging.warning(
|
|
|
|
|
'ContextCSN of %s not the same of provider',
|
|
|
|
|
srv_name)
|
2020-12-18 11:24:09 +01:00
|
|
|
noerror = False
|
|
|
|
|
|
2021-02-02 14:11:58 +01:00
|
|
|
if not options.onlycheckcontextcsn:
|
|
|
|
|
if not_found[srv]:
|
|
|
|
|
logging.warning(
|
|
|
|
|
'Not found objects on %s :\n - %s',
|
|
|
|
|
srv, '\n - '.join(not_found[srv])
|
|
|
|
|
)
|
|
|
|
|
noerror = False
|
|
|
|
|
if not_sync[srv]:
|
|
|
|
|
logging.warning(
|
|
|
|
|
'Not sync objects on %s: %s',
|
|
|
|
|
srv, '\n - '.join(not_sync[srv])
|
|
|
|
|
)
|
|
|
|
|
noerror = False
|
2020-12-18 11:24:09 +01:00
|
|
|
|
|
|
|
|
if noerror:
|
|
|
|
|
logging.info('No sync problem detected')
|
