第2章 ヘルスチェックを使用した問題の特定

ヘルスチェックを実行して、潜在的な問題がないか Directory Server インスタンスを分析し、推奨されるソリューションを取得します。

2.1. Directory Server ヘルスチェックの実行

dsctl healthcheck コマンドを使用してヘルスチェックを実行します。

手順

  • ヘルスチェックを実行するには、以下を入力します。

    # dsctl instance_name healthcheck
    Beginning lint report, this could take a while ...
    Checking Backends ...
    Checking Config ...
    Checking Encryption ...
    Checking FSChecks ...
    Checking ReferentialIntegrityPlugin ...
    Checking MonitorDiskSpace ...
    Checking Replica ...
    Checking Changelog5 ...
    Checking NssSsl ...
    Healthcheck complete.
    1 Issue found!  Generating report ...

    JSON 形式で出力を表示するには、--json パラメーターをコマンドに渡します。

    # dsctl --json instance_name healthcheck

    例2.1 ヘルスチェックの予想されるレポート

    [1] DS Lint Error: DSELE0001
    --------------------------------------------------------------------------------
    Severity: MEDIUM
    Affects:
     -- cn=encryption,cn=config
    
    Details:
    -----------
    This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to
    have a number of issues with the protocol. Please see:
    
    https://tools.ietf.org/html/rfc7457
    
    It is advised you set this value to the maximum possible.
    
    Resolution:
    -----------
    There are two options for setting the TLS minimum version allowed.  You,
    can set "sslVersionMin" in "cn=encryption,cn=config" to a version greater than "TLS1.0"
    You can also use 'dsconf' to set this value.  Here is an example:
    
        # dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2
    
    You must restart the Directory Server for this change to take effect.
    
    Or, you can set the system wide crypto policy to FUTURE which will use a higher TLS
    minimum version, but doing this affects the entire system:
    
        # update-crypto-policies --set FUTURE
    
    
    ===== End Of Report (1 Issue found) =====

    例2.2 JSON 形式のヘルスチェックの可能なレポート

    [
        {
            "dsle": "DSELE0001",
            "severity": "MEDIUM",
            "items": [
                "cn=encryption,cn=config"
            ],
            "detail": "This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to\nhave a number of issues with the protocol. Please see:\n\nhttps://tools.ietf.org/html/rfc7457\n\nIt is advised you set this value to the maximum possible.",
            "fix": "There are two options for setting the TLS minimum version allowed.  You,\ncan set \"sslVersionMin\" in \"cn=encryption,cn=config\" to a version greater than \"TLS1.0\"\nYou can also use 'dsconf' to set this value.  Here is an example:\n\n    # dsconf slapd-instance_name security set --tls-protocol-min=TLS1.2\n\nYou must restart the Directory Server for this change to take effect.\n\nOr, you can set the system wide crypto policy to FUTURE which will use a higher TLS\nminimum version, but doing this affects the entire system:\n\n    # update-crypto-policies --set FUTURE"
        }
    ]