Chapter 19. Using the Health Check Feature to Identify Problems
The dsctl healthcheck command analyzes a Directory Server instance for potential issues and recommends solutions for them.
The following table displays the checks the health check feature performs:
Component | Severity | Result Code | Description |
---|---|---|---|
Backend | Low | DSBLE0003 | The database was not initialized: a database was created, but it is empty. |
Backend | Medium | DSBLE0001 | The mapping tree entry for a back end is missing from the configuration. |
Config | Low | DSCLE0001 | High-resolution time stamps are disabled. |
Config | High | DSVIRTLE0001 | A virtual attribute is incorrectly indexed. Indexing attributes that are used by roles or Class of Service (CoS) definitions can corrupt search results. |
Operating System | Medium | DSPERMLE0001 | The permissions on the /etc/resolv.conf file are not 0644. |
Operating System | High | DSDSLE0001 | Low disk space. |
Operating System | High | DSPERMLE0002 | The permissions on the /etc/dirsrv/slapd-instance_name/pin.txt and /etc/dirsrv/slapd-instance_name/pwdfile.txt files are not 0400. These files hold the PIN for the NSS certificate database, so looser permissions expose the server's private key material to other local users. |
Plug-ins | Low | DSRILE0001 | An update delay is set for the Referential Integrity plug-in. This can cause replication issues. |
Plug-ins | High | DSRILE0002 | The Referential Integrity plug-in is missing indexes. The plug-in searches certain attributes for every delete operation; if they are not indexed, this causes hard-to-detect unindexed searches and high CPU usage. |
Replication | Low | DSREPLLE0002 | Conflict entries exist in the database. |
Replication | Low | DSSKEWLE0001 | The replication time skew is between 6 and 12 hours. |
Replication | Medium | DSCLLE0001 | Changelog trimming is disabled, so the changelog grows without limit. |
Replication | Medium | DSREPLLE0003 | The topology is not in sync, but replication is working. |
Replication | Medium | DSREPLLE0004 | The health check failed to retrieve the replication status. |
Replication | Medium | DSREPLLE0005 | A remote replica is not reachable. |
Replication | Medium | DSSKEWLE0002 | The replication time skew is between 12 and 24 hours. |
Replication | High | DSREPLLE0001 | The topology is not in sync, and replication is not working. |
Replication | High | DSSKEWLE0003 | The replication time skew is larger than 24 hours. Replication sessions could break. |
Security | Medium | DSELE0001 | The minimum TLS version is set to a value lower than TLS 1.2. |
Security | High | DSCLE0002 | A weak password storage scheme is configured. |
Server | High | DSBLE0002 | The health check failed to query the back end. |
TLS certificates | Medium | DSCERTLE0001 | The server certificate expires within the next 30 days. |
TLS certificates | High | DSCERTLE0002 | The server certificate has expired. |
19.1. Running the Directory Server Health Check
To run the health check, enter as the root user on the host that runs the instance:

```
# dsctl instance_name healthcheck
Beginning lint report, this could take a while ...
Checking Backends ...
Checking Config ...
Checking Encryption ...
Checking FSChecks ...
Checking ReferentialIntegrityPlugin ...
Checking MonitorDiskSpace ...
Checking Replica ...
Checking Changelog5 ...
Checking NssSsl ...
Healthcheck complete.
1 Issue found! Generating report ...
```
Example 19.1. Possible Report of the Health Check
The following shows an example health check report:
```
[1] DS Lint Error: DSELE0001
--------------------------------------------------------------------------------
Severity: MEDIUM
Affects:
 -- cn=encryption,cn=config
Details:
-----------
This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to
have a number of issues with the protocol. Please see:

https://tools.ietf.org/html/rfc7457

It is advised you set this value to the maximum possible.
Resolution:
-----------
There are two options for setting the TLS minimum version allowed. You,
can set "sslVersionMin" in "cn=encryption,cn=config" to a version greater than "TLS1.0"
You can also use 'dsconf' to set this value. Here is an example:

    # dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2

You must restart the Directory Server for this change to take effect.

Or, you can set the system wide crypto policy to FUTURE which will use a higher TLS
minimum version, but doing this affects the entire system:

    # update-crypto-policies --set FUTURE
===== End Of Report (1 Issue found) =====
```
To display the output in JSON format, pass the --json parameter to the command:

```
# dsctl --json instance_name healthcheck
```
Example 19.2. Possible Report of the Health Check in JSON Format
The following shows an example health check report in JSON format:
```json
[
    {
        "dsle": "DSELE0001",
        "severity": "MEDIUM",
        "items": [
            "cn=encryption,cn=config"
        ],
        "detail": "This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to\nhave a number of issues with the protocol. Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\nIt is advised you set this value to the maximum possible.",
        "fix": "There are two options for setting the TLS minimum version allowed. You,\ncan set \"sslVersionMin\" in \"cn=encryption,cn=config\" to a version greater than \"TLS1.0\"\nYou can also use 'dsconf' to set this value. Here is an example:\n\n    # dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2\n\nYou must restart the Directory Server for this change to take effect.\n\nOr, you can set the system wide crypto policy to FUTURE which will use a higher TLS\nminimum version, but doing this affects the entire system:\n\n    # update-crypto-policies --set FUTURE"
    }
]
```
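The JSON report is what makes the health check usable from cron or a monitoring agent rather than by eye. The following script is an added example written for this chapter; it is not part of Directory Server, lib389 or the Red Hat documentation. It assumes only the report shape shown above (a JSON array of objects with "dsle", "severity", "items", "detail" and "fix" keys) and that, with --json, dsctl writes nothing but that array to standard output. The severity ranking, the ALWAYS_ESCALATE set of TLS- and credential-related result codes, and the SAMPLE_REPORT it falls back to when no instance name is given are the script's own constructed policy and test data, not output captured from a real server.

```python
"""Triage a `dsctl --json instance_name healthcheck` report.

Maps the report to an exit code a scheduler can act on and prints a
one-line-per-finding summary suitable for a ticket or a log line.
Added example; not part of 389-ds / lib389 / the RHDS documentation.
"""
import json
import subprocess
import sys

# Exit code per worst severity: 0 clean, 1 LOW, 2 MEDIUM, 3 HIGH.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Result codes from the table above that concern the TLS / credential
# surface; this script's own policy treats them as HIGH regardless of the
# severity the health check assigns (assumption, not a lib389 setting).
ALWAYS_ESCALATE = {"DSELE0001", "DSCLE0002", "DSPERMLE0002",
                   "DSCERTLE0001", "DSCERTLE0002"}

# Constructed sample in the page's JSON format (detail/fix text shortened;
# the second finding is invented for illustration).
SAMPLE_REPORT = json.dumps([
    {
        "dsle": "DSELE0001",
        "severity": "MEDIUM",
        "items": ["cn=encryption,cn=config"],
        "detail": "This Directory Server may not be using strong TLS protocol versions.",
        "fix": "# dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2",
    },
    {
        "dsle": "DSCLLE0001",
        "severity": "MEDIUM",
        "items": ["cn=changelog5,cn=config"],
        "detail": "Changelog trimming is disabled.",
        "fix": "Enable changelog trimming.",
    },
])


def parse_report(text):
    """Parse the JSON report into a list of findings; [] means clean."""
    data = json.loads(text) if text.strip() else []
    if not isinstance(data, list):
        raise ValueError("healthcheck report must be a JSON array")
    findings = []
    for entry in data:
        sev = str(entry.get("severity", "LOW")).upper()
        if sev not in SEVERITY_RANK:
            raise ValueError("unknown severity %r in %s" % (sev, entry.get("dsle")))
        findings.append({
            "code": entry.get("dsle", "UNKNOWN"),
            "severity": sev,
            "items": list(entry.get("items", [])),
            "fix": entry.get("fix", ""),
        })
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the report is clean."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


def exit_code(findings):
    """0 when clean; otherwise the rank of the worst finding, forced to 3
    when any escalated result code is present."""
    if not findings:
        return 0
    if any(f["code"] in ALWAYS_ESCALATE for f in findings):
        return 3
    return SEVERITY_RANK[worst_severity(findings)]


def summarize(findings):
    """One line per finding, worst first: severity, code, affected entries."""
    ordered = sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])
    return ["%-6s %-13s %s" % (f["severity"], f["code"], ", ".join(f["items"]))
            for f in ordered]


def run_healthcheck(instance):
    """Run dsctl for a real instance (root on the DS host); assumes the
    JSON array is the only thing written to stdout."""
    proc = subprocess.run(["dsctl", "--json", instance, "healthcheck"],
                          capture_output=True, text=True, check=False)
    return parse_report(proc.stdout)


if __name__ == "__main__":
    found = (run_healthcheck(sys.argv[1]) if len(sys.argv) > 1
             else parse_report(SAMPLE_REPORT))
    print("\n".join(summarize(found)) or "no issues found")
    sys.exit(exit_code(found))
```

Run it as `python3 triage.py instance_name` from a scheduled job and alert on a non-zero exit; with no argument it evaluates the constructed sample, which exits 3 because DSELE0001 is on the escalation list even though the health check itself rates it MEDIUM.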