Chapter 8. Verifying your IdM and AD trust configuration using IdM Healthcheck
Learn how to identify issues with an Identity Management (IdM) and Active Directory (AD) trust by using the Healthcheck tool.
Prerequisites
- The Healthcheck tool is only available on RHEL 8.1 or newer
8.1. IdM and AD trust Healthcheck tests
The Healthcheck tool includes several tests for testing the status of your Identity Management (IdM) and Active Directory (AD) trust.
To see all trust tests, run ipa-healthcheck with the --list-sources option:
# ipa-healthcheck --list-sources
You can find all tests under the ipahealthcheck.ipa.trust source:
- IPATrustAgentCheck
  This test checks the SSSD configuration when the machine is configured as a trust agent. For each domain in /etc/sssd/sssd.conf where id_provider=ipa, ensure that ipa_server_mode is True.
- IPATrustDomainsCheck
  This test checks if the trust domains match the SSSD domains by comparing the list of domains in sssctl domain-list with the list of domains from ipa trust-find, excluding the IPA domain.
- IPATrustCatalogCheck
  This test resolves an AD user, Administrator@REALM. This populates the AD Global Catalog and AD Domain Controller values in sssctl domain-status output. For each trust domain, look up the user with the id of the SID + 500 (the administrator) and then check the output of sssctl domain-status <domain> --active-server to ensure that the domain is active.
- IPAsidgenpluginCheck
  This test verifies that the sidgen plugin is enabled in the IPA 389-ds instance. The test also verifies that the IPA SIDGEN and ipa-sidgen-task plugins in cn=plugins,cn=config include the nsslapd-pluginEnabled option.
- IPATrustAgentMemberCheck
  This test verifies that the current host is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX.
- IPATrustControllerPrincipalCheck
  This test verifies that the current host is a member of cn=adtrust agents,cn=sysaccounts,cn=etc,SUFFIX.
- IPATrustControllerServiceCheck
  This test verifies that the current host starts the ADTRUST service in ipactl.
- IPATrustControllerConfCheck
  This test verifies that ldapi is enabled for the passdb backend in the output of net conf list.
- IPATrustControllerGroupSIDCheck
  This test verifies that the admins group's SID ends with 512 (the Domain Admins RID).
- IPATrustPackageCheck
  This test verifies that the trust-ad package is installed if the trust controller and AD trust are not enabled.
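To make the first two rules concrete, the following added example (not code from ipa-healthcheck itself) re-implements the IPATrustAgentCheck and IPATrustDomainsCheck logic described above over constructed input: a sample sssd.conf in which one IPA-provider domain lacks ipa_server_mode, and hand-written stand-ins for the domain lists that sssctl domain-list and ipa trust-find would return. Domain names and file contents are assumptions for illustration only.

```python
import configparser
from typing import List, Set

# Constructed sample standing in for /etc/sssd/sssd.conf on a trust agent.
# The second IPA-provider domain deliberately omits ipa_server_mode.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.test, other.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_server_mode = True

[domain/other.test]
id_provider = ipa

[domain/legacy.test]
id_provider = ldap
"""


def trust_agent_findings(sssd_conf_text: str) -> List[str]:
    """IPATrustAgentCheck rule: every [domain/*] section with id_provider=ipa
    must also set ipa_server_mode=True. Returns the names of domains that
    violate the rule; an empty list means the check passes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    failing = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        if cfg.get(section, "id_provider", fallback="").lower() != "ipa":
            continue  # only IPA-provider domains are subject to the rule
        if cfg.get(section, "ipa_server_mode", fallback="").lower() != "true":
            failing.append(section[len("domain/"):])
    return failing


def trust_domain_mismatch(sssctl_domains: Set[str], ipa_trust_domains: Set[str],
                          ipa_domain: str) -> Set[str]:
    """IPATrustDomainsCheck rule: the domains SSSD knows (sssctl domain-list)
    minus the IPA domain itself must equal the trusted domains reported by
    ipa trust-find. Returns the symmetric difference; empty means it passes."""
    sssd_trusted = {d.lower() for d in sssctl_domains if d.lower() != ipa_domain.lower()}
    return sssd_trusted ^ {d.lower() for d in ipa_trust_domains}


if __name__ == "__main__":
    print("agent check failures:", trust_agent_findings(SAMPLE_SSSD_CONF))
    # Constructed outputs: SSSD lists two AD domains, ipa trust-find only one.
    print("domain mismatch:", trust_domain_mismatch(
        {"example.test", "ad.test", "child.ad.test"}, {"ad.test"}, "example.test"))
```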
Run these tests on all IdM servers when trying to find an issue.
8.2. Screening the trust with the Healthcheck tool
Follow this procedure to run a standalone manual test of an Identity Management (IdM) and Active Directory (AD) trust health check using the Healthcheck tool.
The Healthcheck tool includes many tests; therefore, you can shorten the results by:
- Excluding all successful tests: --failures-only
- Including only trust tests: --source=ipahealthcheck.ipa.trust
Procedure
To run Healthcheck with warnings, errors and critical issues in the trust, enter:
# ipa-healthcheck --source=ipahealthcheck.ipa.trust --failures-only
A successful test displays empty brackets:
# ipa-healthcheck --source=ipahealthcheck.ipa.trust --failures-only
[]
Additional resources
- See man ipa-healthcheck.