Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
72
docs/doctor/articles/integration/ldap-connectivity.md
Normal file
@@ -0,0 +1,72 @@
---
checkId: check.integration.ldap
plugin: stellaops.doctor.integration
severity: warn
tags: [connectivity, ldap, directory, auth]
---
# LDAP/AD Connectivity

## What It Checks
Reads the LDAP host from `Ldap:Host`, `ActiveDirectory:Host`, or `Authority:Ldap:Host` and the port from the corresponding `:Port` key (defaulting to 389, or 636 when `UseSsl` is true). Opens a raw TCP connection to the host and port with a 5-second timeout. The check **passes** if the TCP connection succeeds, **fails** on timeout, socket error, or connection refusal.

## Why It Matters
LDAP or Active Directory integration is used for user authentication, group synchronization, and role mapping. If the LDAP server is unreachable, users cannot log in via directory credentials, group-based access policies cannot be evaluated, and new user provisioning stops. This directly impacts operator access to the control plane.

## Common Causes
- LDAP/AD server is not running or is being restarted
- Firewall blocking LDAP port (389) or LDAPS port (636)
- DNS resolution failure for the LDAP hostname
- Network unreachable between Stella Ops and the directory server
- Incorrect host or port in configuration

## How to Fix

### Docker Compose
```bash
# Check LDAP configuration
grep 'LDAP__\|ACTIVEDIRECTORY__' .env

# Test TCP connectivity from the gateway container
docker compose exec gateway bash -c "echo > /dev/tcp/ldap.example.com/389 && echo OK || echo FAIL"

# Update LDAP host/port
echo 'Ldap__Host=ldap.example.com' >> .env
echo 'Ldap__Port=636' >> .env
echo 'Ldap__UseSsl=true' >> .env
docker compose restart gateway
```

### Bare Metal / systemd
```bash
# Verify configuration
cat /etc/stellaops/appsettings.Production.json | jq '.Ldap'

# Test connectivity
telnet ldap.example.com 389
# or
nslookup ldap.example.com

# Update configuration
sudo nano /etc/stellaops/appsettings.Production.json
sudo systemctl restart stellaops-platform
```

### Kubernetes / Helm
```yaml
# values.yaml
ldap:
  host: ldap.example.com
  port: 636
  useSsl: true
```
```bash
helm upgrade stellaops ./chart -f values.yaml
```

## Verification
```
stella doctor run --check check.integration.ldap
```

## Related Checks
- `check.integration.oidc` -- OIDC provider connectivity (alternative auth mechanism)
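Review bot: the Docker Compose block is internally inconsistent: `grep 'LDAP__\|ACTIVEDIRECTORY__' .env` only matches upper-case keys, while the same block then appends `Ldap__Host`, `Ldap__Port` and `Ldap__UseSsl`, so the "Check LDAP configuration" step will never show the values the "Update LDAP host/port" step writes. Use a case-insensitive match (`grep -i 'ldap__\|activedirectory__' .env`) or spell the keys the same way in both places. Also, since "What It Checks" describes a plain TCP connect with a 5-second timeout, the article should state explicitly that a pass does not prove a TLS handshake on 636 or an LDAP bind succeeded; with the fix steering operators to `UseSsl=true` on port 636, an expired or untrusted certificate and bad bind credentials will still report as passing, and that gap belongs under "Common Causes" or "Verification". Minor: `telnet ldap.example.com 389` does not return on success and is often absent on server images; `timeout 5 bash -c 'echo > /dev/tcp/ldap.example.com/389'` mirrors what the check itself does and what the Docker section already uses.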