Script to check LDAP syncrepl replication state between two servers
This script checks the LDAP syncrepl replication state between two servers. One server is considered the provider and the other the consumer.
This script can check the replication state with two methods:
- with the first, the entryCSN of every entry in the LDAP directory is compared between the two servers
- with the second, all values of all attributes of all entries are compared between the two servers.
In both cases, the contextCSN of the servers is compared, and entries missing from the consumer or from the provider are reported. You can disable the contextCSN check with the --no-check-contextCSN argument.
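The two comparison methods above, plus the contextCSN and sync-delay logic, as an added example that is not the project's own code: it works on constructed in-memory snapshots ({dn: {attribute: [values]}} and contextCSN lists) instead of live LDAP connections, and the function names parse_csn, check_context_csn and check_entries are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# CSN format used by OpenLDAP syncrepl: YYYYmmddHHMMSS.ffffffZ#count#sid#mod
# (sid is the 3-hex-digit serverID, so serverID 12 appears as "#00c#").
CSN_RE = re.compile(r"^(\d{14}\.\d{6})Z#[0-9a-fA-F]{6}#([0-9a-fA-F]{3})#[0-9a-fA-F]{6}$")


def parse_csn(csn):
    """Return (UTC timestamp, serverID) of a CSN string; ValueError if malformed."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError("malformed CSN: %r" % csn)
    ts = datetime.strptime(m.group(1), "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)
    return ts, int(m.group(2), 16)


def check_context_csn(provider_csns, consumer_csns, server_id=None):
    """Compare the servers' contextCSN values, one per master (serverID).
    With server_id set, only that master's contextCSN is compared (the -i option)."""
    want = {parse_csn(c)[1]: c for c in provider_csns}
    have = {parse_csn(c)[1]: c for c in consumer_csns}
    sids = [server_id] if server_id is not None else sorted(want)
    return [f"contextCSN mismatch for serverID {sid}: {want.get(sid)} != {have.get(sid)}"
            for sid in sids if want.get(sid) != have.get(sid)]


def check_entries(provider, consumer, now, sync_delay_ms=0, attributes=False,
                  exclude=("contextCSN", "auditContext")):
    """provider/consumer: {dn: {attr: [values]}} snapshots. Returns problem strings.
    attributes=False compares entryCSN only (the default mode); attributes=True
    compares every attribute except those in exclude (the -a / -x options)."""
    problems = []
    problems += [f"{dn}: missing on consumer" for dn in sorted(set(provider) - set(consumer))]
    problems += [f"{dn}: missing on provider" for dn in sorted(set(consumer) - set(provider))]
    for dn in sorted(set(provider) & set(consumer)):
        p, c = provider[dn], consumer[dn]
        keys = (set(p) | set(c)) - set(exclude) if attributes else {"entryCSN"}
        diff = sorted(k for k in keys if sorted(p.get(k, [])) != sorted(c.get(k, [])))
        if not diff:
            continue
        # -X: an entry modified on the provider less than sync_delay_ms ago may simply
        # not have replicated yet, so it is ignored rather than reported.
        age_ms = (now - parse_csn(p["entryCSN"][0])[0]).total_seconds() * 1000
        if age_ms < sync_delay_ms:
            continue
        problems.append(f"{dn}: differs on {', '.join(diff)}")
    return problems
```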
This script is also able to "touch" an LDAP object on the provider to force synchronisation of that object. This mechanism consists of adding the value '%%TOUCH%%' to an attribute of the object and removing it just afterwards. The touched attribute is specified by the --touch parameter. Of course, the DN and password provided must have write access to this attribute.
If you prefer, you can use the --replace-touch parameter to replace the value of the touched attribute instead of adding the touch value. Useful in the case of a single-valued attribute.
To use this script as an Icinga (or Nagios) plugin, use the -n argument.
Requirement
A single DN and password pair that can connect to both servers and retrieve objects from them without restriction.
Dependencies
- python 3 (for python 2.7 compatibility, see the python2.7 branch)
- python-ldap
Installation
If you plan to use it with NRPE
apt install -y python3-ldap git
git clone https://gitea.zionetrix.net/bn8/check_syncrepl_extended.git /usr/local/src/check_syncrepl_extended
mkdir -p /usr/local/lib/nagios/plugins
ln -s /usr/local/src/check_syncrepl_extended/check_syncrepl_extended /usr/local/lib/nagios/plugins/
cat << EOF > /etc/nagios/nrpe.d/ldap-syncrepl.cfg
command[check_syncrepl_extended]=/usr/local/lib/nagios/plugins/check_syncrepl_extended --nagios --attributes --provider ldaps://ldapmaster.foo --consumer ldaps://ldapslave.foo --basedn o=example -D uid=nagios,ou=sysaccounts,o=example -P secret
EOF
service nagios-nrpe-server reload
Otherwise
apt install python3-ldap git
git clone https://gitea.zionetrix.net/bn8/check_syncrepl_extended.git /usr/local/src/check_syncrepl_extended
ln -s /usr/local/src/check_syncrepl_extended/check_syncrepl_extended /usr/local/bin/
Usage
usage: check_syncrepl_extended [-h] [-p PROVIDER] [-c CONSUMER] [-T]
[--no-check-certificate] [-D DN] [-P PWD]
[-b BASEDN] [-f FILTERSTR] [--page-size PAGE_SIZE]
[--encoding ENCODING] [-n] [-d] [-v] [-l LOG_FILE]
[--progress] [--no-check-contextCSN]
[--only-check-contextCSN] [-i SERVERID]
[-X SYNC_DELAY] [-a] [-x EXCLUDE_ATTRIBUTES] [-L]
[--touch TOUCH] [--replace-touch]
[--remove-touch-value]
Script to check LDAP syncrepl replication state between two servers.
options:
-h, --help show this help message and exit
LDAP connection:
-p PROVIDER, --provider PROVIDER
LDAP provider URI (example: 'ldaps://ldapmaster.foo:636')
-c CONSUMER, --consumer CONSUMER
LDAP consumer URI (example: 'ldaps://ldapslave.foo:636')
-T, --starttls Start TLS on LDAP provider/consumers connections
--no-check-certificate
Don't check the LDAP servers certificate
-D DN, --dn DN LDAP bind DN (optional, example:
'uid=mon,ou=sysaccounts,o=example')
-P PWD, --pwd PWD LDAP bind password
-b BASEDN, --basedn BASEDN
LDAP base DN (required, example: 'o=example')
-f FILTERSTR, --filter FILTERSTR
LDAP filter (default: '(objectclass=*)')
--page-size PAGE_SIZE
Page size: if defined, use paged search (using paging
control using LDAP v3 extended control, optional, default:
do not use paged search).
--encoding ENCODING Encoding charset of LDAP data (default: utf8)
Output:
-n, --nagios Nagios/Icinga check plugin mode
-d, --debug Debug mode
-v, --verbose Verbose mode
-l LOG_FILE, --log-file LOG_FILE
Log file path
--progress Show progress bar
Check control:
--no-check-contextCSN
Don't check servers contextCSN
--only-check-contextCSN
Only check servers root contextCSN (objects check disabled)
-i SERVERID, --serverID SERVERID
Compare contextCSN of a specific master. Useful in
MultiMaster setups where each master has a unique ID and a
contextCSN for each replicated master exists. A valid
serverID is a integer value from 0 to 4095 (limited to 3
hex digits, example: '12' compares the contextCSN matching
'#00C#')
-X SYNC_DELAY, --sync-delay SYNC_DELAY
Synchronization delay: all non-synchronized objects modify
since less of the specified time (in ms) will be ignored
(default: 0). Note: this delay is potentially increased
based on time passed to load objects on LDAP servers.
-a, --attributes Check attributes values (Default: only check entryCSN)
-x EXCLUDE_ATTRIBUTES, --exclude-attributes EXCLUDE_ATTRIBUTES
Exclude some attributes (only in attribute check mode,
default: contextCSN & auditContext)
-L, --low-mem In check attribute mode, reduce memory usage by loading
object one by one
"Touch" attribute feature:
--touch TOUCH Touch attribute given as a parameter to force a resync of
this LDAP object from the provider. The value "%TOUCH%"
will be added to this attribute and then removed afterward.
Important: The user connecting to the LDAP directory must
have write permissions on this attribute for each object.
--replace-touch Replace the value of the touched attribute instead of
adding the touched value (useful for single-value
attributes).
--remove-touch-value Remove the touch value if it is already present in the
touched attribute (and do not restore it).
Author: Benjamin Renard, Version: 2025.11.2, Source:
https://gitea.zionetrix.net/bn8/check_syncrepl_extended
Copyright
Copyright (c) 2017 Benjamin Renard
License
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.