Replication monitoring on FreeIPA is not trivial in the current default configuration. A user querying the replication status must be authenticated which requires user credential caching - a bad idea from a security standpoint. This article describes how to change the permissions on the LDAP directory in FreeIPA so that an anonymous user can check the replication status. It also provides a Nagios monitoring script.

LDAP permissions (acis) can be added using an ldapmodify command. The aci required for FreeIPA monitoring is:

dn: cn="dc=example,dc=com",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version
3.0; aci "permission:Read Replication Agreements"; allow (read,
search, compare) groupdn = "ldap:///anyone";)

Add the above code to a file named grant_anonymous_replication_view.ldif and modify the LDAP directory using:

ldapmodify -x -D "cn=directory manager" -W -f grant_anonymous_replication_view.ldif -h freeipa_server.example.com

You should now be able to query the replication status of the server using an anonymous bind e.g.

ldapsearch -x -h freeipa_server.example.com -b cn=config '(objectclass=nsds5replicationagreement)'

Perform the ldapmodify on each FreeIPA replica, and also on the PKI LDAP directories using:

dn: cn="o=ipaca",cn=mapping tree,cn=config
changetype: modify
add: aci
aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0; aci "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///anyone";)

Which can be added using the option '-p7389' to the ldapmodify command.