Blame SOURCES/0011-Issue-50746-Add-option-to-healthcheck-to-list-all-th.patch

a26cad
From 21ed5224d63e3118a39ddd5ea438367532541a8f Mon Sep 17 00:00:00 2001
a26cad
From: Matus Honek <mhonek@redhat.com>
a26cad
Date: Mon, 2 Dec 2019 14:53:31 +0100
a26cad
Subject: [PATCH 11/12] Issue 50746 - Add option to healthcheck to list all the
a26cad
 lint reports
a26cad
a26cad
Bug Description:
a26cad
Healthcheck lacks a way to find out what checks are available.
a26cad
a26cad
Fix Description:
a26cad
Add dsctl healthcheck options to list available checks, known error
a26cad
codes, and ability to run cehcks selectively. The checks are rather
a26cad
hierarchically structured and in some cases matchable by patterns (by
a26cad
use of asterisk).
a26cad
a26cad
Fixes https://pagure.io/389-ds-base/issue/50746
a26cad
a26cad
Author: Matus Honek <mhonek@redhat.com>
a26cad
a26cad
Review by: Mark, William, Simon (thanks for the patience!)
a26cad
a26cad
(cherry picked from commit 4a55322c7bdb0b9ff57428ad0dc2e4d943572a69)
a26cad
---
a26cad
 src/lib389/cli/dsctl                          |   1 +
a26cad
 src/lib389/lib389/_mapped_object.py           |  34 +---
a26cad
 src/lib389/lib389/_mapped_object_lint.py      | 157 ++++++++++++++++++
a26cad
 src/lib389/lib389/backend.py                  |  13 +-
a26cad
 src/lib389/lib389/cli_ctl/health.py           | 116 +++++++++----
a26cad
 src/lib389/lib389/config.py                   |  13 +-
a26cad
 src/lib389/lib389/dseldif.py                  |  29 +---
a26cad
 src/lib389/lib389/encrypted_attributes.py     |   1 -
a26cad
 src/lib389/lib389/index.py                    |   3 -
a26cad
 src/lib389/lib389/lint.py                     | 125 ++++++++------
a26cad
 src/lib389/lib389/monitor.py                  |   5 +-
a26cad
 src/lib389/lib389/nss_ssl.py                  |  23 ++-
a26cad
 src/lib389/lib389/plugins.py                  |   5 +-
a26cad
 src/lib389/lib389/replica.py                  |  10 +-
a26cad
 .../lib389/tests/mapped_object_lint_test.py   |  78 +++++++++
a26cad
 15 files changed, 448 insertions(+), 165 deletions(-)
a26cad
 create mode 100644 src/lib389/lib389/_mapped_object_lint.py
a26cad
 create mode 100644 src/lib389/lib389/tests/mapped_object_lint_test.py
a26cad
a26cad
diff --git a/src/lib389/cli/dsctl b/src/lib389/cli/dsctl
a26cad
index fd9bd87c1..9deda7039 100755
a26cad
--- a/src/lib389/cli/dsctl
a26cad
+++ b/src/lib389/cli/dsctl
a26cad
@@ -64,6 +64,7 @@ cli_dbgen.create_parser(subparsers)
a26cad
 
a26cad
 argcomplete.autocomplete(parser)
a26cad
 
a26cad
+
a26cad
 # handle a control-c gracefully
a26cad
 def signal_handler(signal, frame):
a26cad
     print('\n\nExiting...')
a26cad
diff --git a/src/lib389/lib389/_mapped_object.py b/src/lib389/lib389/_mapped_object.py
a26cad
index ce0ebfeb8..c60837601 100644
a26cad
--- a/src/lib389/lib389/_mapped_object.py
a26cad
+++ b/src/lib389/lib389/_mapped_object.py
a26cad
@@ -15,6 +15,7 @@ import json
a26cad
 from functools import partial
a26cad
 from lib389._entry import Entry
a26cad
 from lib389._constants import DIRSRV_STATE_ONLINE
a26cad
+from lib389._mapped_object_lint import DSLint, DSLints
a26cad
 from lib389.utils import (
a26cad
         ensure_bytes, ensure_str, ensure_int, ensure_list_bytes, ensure_list_str,
a26cad
         ensure_list_int, display_log_value, display_log_data
a26cad
@@ -82,7 +83,7 @@ class DSLogging(object):
a26cad
             self._log.setLevel(logging.INFO)
a26cad
 
a26cad
 
a26cad
-class DSLdapObject(DSLogging):
a26cad
+class DSLdapObject(DSLogging, DSLint):
a26cad
     """A single instance of DSLdapObjects
a26cad
 
a26cad
     :param instance: An instance
a26cad
@@ -107,7 +108,6 @@ class DSLdapObject(DSLogging):
a26cad
         self._must_attributes = None
a26cad
         # attributes, we don't want to compare
a26cad
         self._compare_exclude = ['entryid', 'modifytimestamp', 'nsuniqueid']
a26cad
-        self._lint_functions = None
a26cad
         self._server_controls = None
a26cad
         self._client_controls = None
a26cad
         self._object_filter = '(objectClass=*)'
a26cad
@@ -985,38 +985,10 @@ class DSLdapObject(DSLogging):
a26cad
         """
a26cad
         return self._create(rdn, properties, basedn, ensure=True)
a26cad
 
a26cad
-    def lint(self):
a26cad
-        """Override this to create a linter for a type. This means that we can detect
a26cad
-        and report common administrative errors in the server from our cli and
a26cad
-        rest tools.
a26cad
-
a26cad
-        The structure of a result is::
a26cad
-
a26cad
-          {
a26cad
-            dsle: '<identifier>'. dsle == ds lint error. Will be a code unique to
a26cad
-                                this module for the error, IE DSBLE0001.
a26cad
-            severity: '[HIGH:MEDIUM:LOW]'. severity of the error.
a26cad
-            items: '(dn,dn,dn)'. List of affected DNs or names.
a26cad
-            detail: 'msg ...'. An explination of the error.
a26cad
-            fix: 'msg ...'. Steps to resolve the error.
a26cad
-          }
a26cad
-
a26cad
-        :returns: An array of these dicts, on None if there are no errors.
a26cad
-        """
a26cad
-
a26cad
-        if not self._lint_functions:
a26cad
-            return None
a26cad
-        results = []
a26cad
-        for fn in self._lint_functions:
a26cad
-            for result in fn():
a26cad
-                if result is not None:
a26cad
-                    results.append(result)
a26cad
-        return results
a26cad
-
a26cad
 
a26cad
 # A challenge of this, is how do we manage indexes? They have two naming attributes....
a26cad
 
a26cad
-class DSLdapObjects(DSLogging):
a26cad
+class DSLdapObjects(DSLogging, DSLints):
a26cad
     """The object represents the next idea: "Everything is an instance of something
a26cad
     that exists in this way", i.e. we unite LDAP entries by some
a26cad
     set of parameters with the object.
a26cad
diff --git a/src/lib389/lib389/_mapped_object_lint.py b/src/lib389/lib389/_mapped_object_lint.py
a26cad
new file mode 100644
a26cad
index 000000000..2d03de98f
a26cad
--- /dev/null
a26cad
+++ b/src/lib389/lib389/_mapped_object_lint.py
a26cad
@@ -0,0 +1,157 @@
a26cad
+from abc import ABC, abstractmethod
a26cad
+from functools import partial
a26cad
+from inspect import signature
a26cad
+from typing import (
a26cad
+    Callable,
a26cad
+    List,
a26cad
+    Optional,
a26cad
+    Tuple,
a26cad
+    Union,
a26cad
+    Type,
a26cad
+    Generator,
a26cad
+    Any
a26cad
+)
a26cad
+
a26cad
+
a26cad
+DSLintSpec = Tuple[str, Callable]
a26cad
+DSLintParsedSpec = Tuple[Optional[str], Optional[str]]
a26cad
+DSLintClassSpec = Generator[DSLintSpec, None, None]
a26cad
+DSLintMethodSpec = Union[str, None, Type[List]]
a26cad
+DSLintResults = Generator[Any, None, None]
a26cad
+
a26cad
+
a26cad
+class DSLint():
a26cad
+    """In a super-class, create a method with name beginning with `_lint_`
a26cad
+    which would yield results (as described below). Such a method will
a26cad
+    then be available to the `lint()` method of the class.
a26cad
+
a26cad
+    `lint_list`: takes a spec and yields available lints, recursively
a26cad
+    `lint`:      takes a spac and runs lints according to it, yielding results if any
a26cad
+
a26cad
+    `spec`: is a colon-separated string, with prefix matching a method name and suffix
a26cad
+            being passed down to the method.
a26cad
+
a26cad
+    A class inheriting from hereby class shall implement a method named `lint_uid()` which
a26cad
+    returns a pretty name of the object. This is to be used by a higher level code.
a26cad
+
a26cad
+    Each lint method has to have a name prefix with _lint_. It may accept an optional
a26cad
+    parameter `spec` in which case:
a26cad
+    - it has to accept typing.List class as a parameter, in which case it shall yield
a26cad
+      all possible lint specs for that method
a26cad
+    - it receives the suffix provided to the `spec` of hereby `lint` method (as mentioned above)
a26cad
+
a26cad
+    This means that we can detect and report common administrative errors
a26cad
+    in the server from our cli and rest tools.
a26cad
+
a26cad
+    The structure of a result shall be:
a26cad
+
a26cad
+        {
a26cad
+        dsle: '<identifier>'. dsle == ds lint error. Will be a code unique to
a26cad
+                            this module for the error, IE DSBLE0001.
a26cad
+        severity: '[HIGH:MEDIUM:LOW]'. severity of the error.
a26cad
+        items: '(dn,dn,dn)'. List of affected DNs or names.
a26cad
+        detail: 'msg ...'. An explination of the error.
a26cad
+        fix: 'msg ...'. Steps to resolve the error.
a26cad
+        }
a26cad
+    """
a26cad
+
a26cad
+    @classmethod
a26cad
+    def _dslint_fname(cls, method: Callable) -> Optional[str]:
a26cad
+        """Return a pretty name for a method."""
a26cad
+        if callable(method) and method.__name__.startswith('_lint_'):
a26cad
+            return method.__name__[len('_lint_'):]
a26cad
+        else:
a26cad
+            return None
a26cad
+
a26cad
+    @staticmethod
a26cad
+    def _dslint_parse_spec(spec: Optional[str]) -> DSLintParsedSpec:
a26cad
+        """Split `spec` to prefix and suffix."""
a26cad
+        wanted, *rest = spec.split(':', 1) if spec else (None, None)
a26cad
+        return (wanted if wanted not in [None, '*'] else None,
a26cad
+                rest[0] if rest else None)
a26cad
+
a26cad
+    @classmethod
a26cad
+    def _dslint_make_spec(cls, method: Callable, spec: Optional[str] = None) -> str:
a26cad
+        """Build a new spec from prefix (`method` name) and suffix (`spec`)."""
a26cad
+        fname = cls._dslint_fname(method)
a26cad
+        return f'{fname}:{spec}' if spec else fname
a26cad
+
a26cad
+    def lint_list(self, spec: Optional[str] = None) -> DSLintClassSpec:
a26cad
+        """Yield specs the object provides.
a26cad
+
a26cad
+        This yields from each lint method yielding all specs it can provide.
a26cad
+        """
a26cad
+
a26cad
+        assert hasattr(self, 'lint_uid')
a26cad
+
a26cad
+        # Find _lint_ methods
a26cad
+        # NOTE: There is a caveat: don't you dare try to getattr on a @property, or
a26cad
+        #       you get it executed. That's why the following line's complexity.
a26cad
+        fs = [getattr(self, f) for f in dir(self)
a26cad
+              if f.startswith('_lint_') and self._dslint_fname(getattr(self, f))]
a26cad
+
a26cad
+        # Filter acording to the `spec`
a26cad
+        wanted, rest = self._dslint_parse_spec(spec)
a26cad
+        if wanted:
a26cad
+            try:
a26cad
+                fs = [next(filter(lambda f: self._dslint_fname(f) == wanted, fs))]
a26cad
+            except StopIteration:
a26cad
+                raise ValueError('there is no such lint function')
a26cad
+
a26cad
+        # Yield known specs
a26cad
+        for f in fs:
a26cad
+            fspec_t = signature(f).parameters.get('spec', None)
a26cad
+            if fspec_t:
a26cad
+                assert fspec_t.annotation == DSLintMethodSpec
a26cad
+                for fspec in [rest] if rest else f(spec=List):
a26cad
+                    yield self._dslint_make_spec(f, fspec), partial(f, spec=fspec)
a26cad
+            else:
a26cad
+                yield self._dslint_make_spec(f, rest), f
a26cad
+
a26cad
+    def lint(self, spec: DSLintMethodSpec = None) -> DSLintResults:
a26cad
+        """Lint the object according to the `spec`."""
a26cad
+
a26cad
+        if spec == List:
a26cad
+            yield from self.lint_list()
a26cad
+        else:
a26cad
+            for fn, f in self.lint_list(spec):
a26cad
+                yield from f()
a26cad
+
a26cad
+
a26cad
+class DSLints():
a26cad
+    """This is a meta class to provide lint functionality to classes that provide
a26cad
+    method `list` which returns list of objects that inherit from DSLint.
a26cad
+
a26cad
+    Calling `lint` or `lint_list` method yields from respective object's methods.
a26cad
+
a26cad
+    The `spec` is a colon-separated string. Its prefix matches the respective object's
a26cad
+    `lint_uid` (or all when asterisk); the suffix is passed down to the respective
a26cad
+    object's method.
a26cad
+    """
a26cad
+
a26cad
+    def lint_list(self, spec: Optional[str] = None) -> DSLintClassSpec:
a26cad
+        """Yield specs the objects returned by `list` method provide."""
a26cad
+
a26cad
+        assert hasattr(self, 'list')
a26cad
+
a26cad
+        # Filter acording to the `spec`
a26cad
+        wanted, rest_spec = DSLint._dslint_parse_spec(spec)
a26cad
+        if wanted in [None, '*']:
a26cad
+            clss = self.list()
a26cad
+        else:
a26cad
+            clss = (cls for cls in self.list() if cls.lint_uid() == wanted)
a26cad
+
a26cad
+        # Yield known specs
a26cad
+        for cls in clss:
a26cad
+            for fn, f in cls.lint_list(spec=rest_spec):
a26cad
+                yield (f'{cls.lint_uid()}:{fn}',
a26cad
+                       partial(f, rest_spec) if rest_spec else f)
a26cad
+
a26cad
+    def lint(self, spec: DSLintMethodSpec = None) -> DSLintResults:
a26cad
+        """Lint the objects returned by `list` method according to the `spec`."""
a26cad
+
a26cad
+        if spec == List:
a26cad
+            yield from self.lint_list()
a26cad
+        else:
a26cad
+            for obj in self.list():
a26cad
+                yield from obj.lint()
a26cad
diff --git a/src/lib389/lib389/backend.py b/src/lib389/lib389/backend.py
a26cad
index 4f752f414..8863ad1a8 100644
a26cad
--- a/src/lib389/lib389/backend.py
a26cad
+++ b/src/lib389/lib389/backend.py
a26cad
@@ -393,6 +393,10 @@ class BackendLegacy(object):
a26cad
         replace = [(ldap.MOD_REPLACE, 'nsslapd-require-index', 'on')]
a26cad
         self.modify_s(dn, replace)
a26cad
 
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'backends'
a26cad
+
a26cad
 
a26cad
 class Backend(DSLdapObject):
a26cad
     """Backend DSLdapObject with:
a26cad
@@ -413,10 +417,12 @@ class Backend(DSLdapObject):
a26cad
         self._must_attributes = ['nsslapd-suffix', 'cn']
a26cad
         self._create_objectclasses = ['top', 'extensibleObject', BACKEND_OBJECTCLASS_VALUE]
a26cad
         self._protected = False
a26cad
-        self._lint_functions = [self._lint_mappingtree, self._lint_search, self._lint_virt_attrs]
a26cad
         # Check if a mapping tree for this suffix exists.
a26cad
         self._mts = MappingTrees(self._instance)
a26cad
 
a26cad
+    def lint_uid(self):
a26cad
+        return self.get_attr_val_utf8_l('cn').lower()
a26cad
+
a26cad
     def _lint_virt_attrs(self):
a26cad
         """Check if any virtual attribute are incorrectly indexed"""
a26cad
         indexes = self.get_indexes()
a26cad
@@ -497,7 +503,6 @@ class Backend(DSLdapObject):
a26cad
             result = DSBLE0001
a26cad
             result['items'] = [bename, ]
a26cad
             yield result
a26cad
-        return None
a26cad
 
a26cad
     def create_sample_entries(self, version):
a26cad
         """Creates sample entries under nsslapd-suffix value
a26cad
@@ -848,6 +853,10 @@ class Backends(DSLdapObjects):
a26cad
         self._childobject = Backend
a26cad
         self._basedn = DN_LDBM
a26cad
 
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'backends'
a26cad
+
a26cad
     def import_ldif(self, be_name, ldifs, chunk_size=None, encrypted=False, gen_uniq_id=None, only_core=False,
a26cad
                     include_suffixes=None, exclude_suffixes=None):
a26cad
         """Do an import of the suffix"""
a26cad
diff --git a/src/lib389/lib389/cli_ctl/health.py b/src/lib389/lib389/cli_ctl/health.py
a26cad
index 3d15ad85e..6333a753a 100644
a26cad
--- a/src/lib389/lib389/cli_ctl/health.py
a26cad
+++ b/src/lib389/lib389/cli_ctl/health.py
a26cad
@@ -7,6 +7,9 @@
a26cad
 # --- END COPYRIGHT BLOCK ---
a26cad
 
a26cad
 import json
a26cad
+import re
a26cad
+from lib389._mapped_object import DSLdapObjects
a26cad
+from lib389._mapped_object_lint import DSLint
a26cad
 from lib389.cli_base import connect_instance, disconnect_instance
a26cad
 from lib389.cli_base.dsrc import dsrc_to_ldap, dsrc_arg_concat
a26cad
 from lib389.backend import Backends
a26cad
@@ -15,17 +18,17 @@ from lib389.monitor import MonitorDiskSpace
a26cad
 from lib389.replica import Replica, Changelog5
a26cad
 from lib389.nss_ssl import NssSsl
a26cad
 from lib389.dseldif import FSChecks, DSEldif
a26cad
+from lib389 import lint
a26cad
 from lib389 import plugins
a26cad
 from lib389._constants import DSRC_HOME
a26cad
+from functools import partial
a26cad
+from typing import Iterable
a26cad
 
a26cad
-# These get all instances, then check them all.
a26cad
-CHECK_MANY_OBJECTS = [
a26cad
-    Backends,
a26cad
-]
a26cad
 
a26cad
 # These get single instances and check them.
a26cad
 CHECK_OBJECTS = [
a26cad
     Config,
a26cad
+    Backends,
a26cad
     Encryption,
a26cad
     FSChecks,
a26cad
     plugins.ReferentialIntegrityPlugin,
a26cad
@@ -52,44 +55,51 @@ def _format_check_output(log, result, idx):
a26cad
     log.info(result['fix'])
a26cad
 
a26cad
 
a26cad
-def health_check_run(inst, log, args):
a26cad
-    """Connect to the local server using LDAPI, and perform various health checks
a26cad
-    """
a26cad
+def _list_targets(inst):
a26cad
+    for c in CHECK_OBJECTS:
a26cad
+        o = c(inst)
a26cad
+        yield o.lint_uid(), o
a26cad
+
a26cad
+
a26cad
+def _list_errors(log):
a26cad
+    for r in map(partial(getattr, lint),
a26cad
+                 filter(partial(re.match, r'^DS'),
a26cad
+                        dir(lint))):
a26cad
+        log.info(f"{r['dsle']} :: {r['description']}")
a26cad
 
a26cad
-    # update the args for connect_instance()
a26cad
-    args.basedn = None
a26cad
-    args.binddn = None
a26cad
-    args.bindpw = None
a26cad
-    args.starttls = None
a26cad
-    args.pwdfile = None
a26cad
-    args.prompt = False
a26cad
-    dsrc_inst = dsrc_to_ldap(DSRC_HOME, args.instance, log.getChild('dsrc'))
a26cad
-    dsrc_inst = dsrc_arg_concat(args, dsrc_inst)
a26cad
-    try:
a26cad
-        inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose, args=args)
a26cad
-    except Exception as e:
a26cad
-        raise ValueError('Failed to connect to Directory Server instance: ' + str(e))
a26cad
 
a26cad
+def _list_checks(inst, specs: Iterable[str]):
a26cad
+    o_uids = dict(_list_targets(inst))
a26cad
+    for s in specs:
a26cad
+        wanted, rest = DSLint._dslint_parse_spec(s)
a26cad
+        if wanted == '*':
a26cad
+            raise ValueError('Unexpected spec selector asterisk')
a26cad
+
a26cad
+        if wanted in o_uids:
a26cad
+            for l in o_uids[wanted].lint_list(rest):
a26cad
+                yield o_uids[wanted], l
a26cad
+        else:
a26cad
+            raise ValueError('No such object specifier')
a26cad
+
a26cad
+
a26cad
+def _print_checks(inst, specs: Iterable[str]) -> None:
a26cad
+    for o, s in _list_checks(inst, specs):
a26cad
+        print(f'{o.lint_uid()}:{s[0]}')
a26cad
+
a26cad
+
a26cad
+def _run(inst, log, args, checks):
a26cad
     if not args.json:
a26cad
         log.info("Beginning lint report, this could take a while ...")
a26cad
+
a26cad
     report = []
a26cad
-    for lo in CHECK_MANY_OBJECTS:
a26cad
+    for o, s in checks:
a26cad
         if not args.json:
a26cad
-            log.info("Checking %s ..." % lo.__name__)
a26cad
-        lo_inst = lo(inst)
a26cad
-        for clo in lo_inst.list():
a26cad
-            result = clo.lint()
a26cad
-            if result is not None:
a26cad
-                report += result
a26cad
-    for lo in CHECK_OBJECTS:
a26cad
-        if not args.json:
a26cad
-            log.info("Checking %s ..." % lo.__name__)
a26cad
-        lo_inst = lo(inst)
a26cad
-        result = lo_inst.lint()
a26cad
-        if result is not None:
a26cad
-            report += result
a26cad
+            log.info(f"Checking {o.lint_uid()}:{s[0]} ...")
a26cad
+        report += o.lint(s[0]) or []
a26cad
+
a26cad
     if not args.json:
a26cad
         log.info("Healthcheck complete.")
a26cad
+
a26cad
     count = len(report)
a26cad
     if count == 0:
a26cad
         if not args.json:
a26cad
@@ -110,6 +120,37 @@ def health_check_run(inst, log, args):
a26cad
         else:
a26cad
             log.info(json.dumps(report, indent=4))
a26cad
 
a26cad
+
a26cad
+def health_check_run(inst, log, args):
a26cad
+    """Connect to the local server using LDAPI, and perform various health checks
a26cad
+    """
a26cad
+
a26cad
+    if args.list_errors:
a26cad
+        _list_errors(log)
a26cad
+        return
a26cad
+
a26cad
+    # update the args for connect_instance()
a26cad
+    args.basedn = None
a26cad
+    args.binddn = None
a26cad
+    args.bindpw = None
a26cad
+    args.starttls = None
a26cad
+    args.pwdfile = None
a26cad
+    args.prompt = False
a26cad
+    dsrc_inst = dsrc_to_ldap(DSRC_HOME, args.instance, log.getChild('dsrc'))
a26cad
+    dsrc_inst = dsrc_arg_concat(args, dsrc_inst)
a26cad
+    try:
a26cad
+        inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose, args=args)
a26cad
+    except Exception as e:
a26cad
+        raise ValueError('Failed to connect to Directory Server instance: ' + str(e))
a26cad
+
a26cad
+    checks = args.check or dict(_list_targets(inst)).keys()
a26cad
+
a26cad
+    if args.list_checks or args.dry_run:
a26cad
+        _print_checks(inst, checks)
a26cad
+        return
a26cad
+
a26cad
+    _run(inst, log, args, _list_checks(inst, checks))
a26cad
+
a26cad
     disconnect_instance(inst)
a26cad
 
a26cad
 
a26cad
@@ -120,4 +161,9 @@ def create_parser(subparsers):
a26cad
         "remote Directory Server as this tool needs access to local resources, "
a26cad
         "otherwise the report may be inaccurate.")
a26cad
     run_healthcheck_parser.set_defaults(func=health_check_run)
a26cad
-
a26cad
+    run_healthcheck_parser.add_argument('--list-checks', action='store_true', help='List of known checks')
a26cad
+    run_healthcheck_parser.add_argument('--list-errors', action='store_true', help='List of known error codes')
a26cad
+    run_healthcheck_parser.add_argument('--dry-run', action='store_true', help='Do not execute the actual check, only list what would be done')
a26cad
+    run_healthcheck_parser.add_argument('--check', nargs='+', default=None,
a26cad
+                                        help='Areas to check. These can be obtained by --list-checks. Every element on the left of the colon (:)'
a26cad
+                                             ' may be replaced by an asterisk if multiple options on the right are available.')
a26cad
diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
a26cad
index a29d0244c..aa4c92beb 100644
a26cad
--- a/src/lib389/lib389/config.py
a26cad
+++ b/src/lib389/lib389/config.py
a26cad
@@ -54,7 +54,6 @@ class Config(DSLdapObject):
a26cad
         ]
a26cad
         self._compare_exclude  = self._compare_exclude + config_compare_exclude
a26cad
         self._rdn_attribute = 'cn'
a26cad
-        self._lint_functions = [self._lint_hr_timestamp, self._lint_passwordscheme]
a26cad
 
a26cad
     @property
a26cad
     def dn(self):
a26cad
@@ -197,6 +196,10 @@ class Config(DSLdapObject):
a26cad
         fields = 'nsslapd-security nsslapd-ssl-check-hostname'.split()
a26cad
         return self._instance.getEntry(DN_CONFIG, attrlist=fields)
a26cad
 
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'config'
a26cad
+
a26cad
     def _lint_hr_timestamp(self):
a26cad
         hr_timestamp = self.get_attr_val('nsslapd-logging-hr-timestamps-enabled')
a26cad
         if ensure_bytes('on') != hr_timestamp:
a26cad
@@ -242,20 +245,22 @@ class Encryption(DSLdapObject):
a26cad
         self._rdn_attribute = 'cn'
a26cad
         self._must_attributes = ['cn']
a26cad
         self._protected = True
a26cad
-        self._lint_functions = [self._lint_check_tls_version]
a26cad
 
a26cad
     def create(self, rdn=None, properties={'cn': 'encryption', 'nsSSLClientAuth': 'allowed'}):
a26cad
         if rdn is not None:
a26cad
             self._log.debug("dn on cn=encryption is not None. This is a mistake.")
a26cad
         super(Encryption, self).create(properties=properties)
a26cad
 
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'encryption'
a26cad
+
a26cad
     def _lint_check_tls_version(self):
a26cad
         tls_min = self.get_attr_val('sslVersionMin')
a26cad
         if tls_min is not None and tls_min < ensure_bytes('TLS1.1'):
a26cad
             report = copy.deepcopy(DSELE0001)
a26cad
             report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
a26cad
             yield report
a26cad
-        yield None
a26cad
 
a26cad
     @property
a26cad
     def ciphers(self):
a26cad
@@ -487,7 +492,6 @@ class LDBMConfig(DSLdapObject):
a26cad
         self._dn = DN_CONFIG_LDBM
a26cad
         # config_compare_exclude = []
a26cad
         self._rdn_attribute = 'cn'
a26cad
-        self._lint_functions = []
a26cad
         self._protected = True
a26cad
 
a26cad
 
a26cad
@@ -506,5 +510,4 @@ class BDB_LDBMConfig(DSLdapObject):
a26cad
         self._dn = DN_CONFIG_LDBM_BDB
a26cad
         self._config_compare_exclude = []
a26cad
         self._rdn_attribute = 'cn'
a26cad
-        self._lint_functions = []
a26cad
         self._protected = True
a26cad
diff --git a/src/lib389/lib389/dseldif.py b/src/lib389/lib389/dseldif.py
a26cad
index 5378e6ee9..96c9af9d1 100644
a26cad
--- a/src/lib389/lib389/dseldif.py
a26cad
+++ b/src/lib389/lib389/dseldif.py
a26cad
@@ -16,6 +16,7 @@ from datetime import timedelta
a26cad
 from stat import ST_MODE
a26cad
 # from lib389.utils import print_nice_time
a26cad
 from lib389.paths import Paths
a26cad
+from lib389._mapped_object_lint import DSLint
a26cad
 from lib389.lint import (
a26cad
     DSPERMLE0001,
a26cad
     DSPERMLE0002,
a26cad
@@ -25,7 +26,7 @@ from lib389.lint import (
a26cad
 )
a26cad
 
a26cad
 
a26cad
-class DSEldif(object):
a26cad
+class DSEldif(DSLint):
a26cad
     """A class for working with dse.ldif file
a26cad
 
a26cad
     :param instance: An instance
a26cad
@@ -58,15 +59,10 @@ class DSEldif(object):
a26cad
                         processed_line = line
a26cad
                 else:
a26cad
                     processed_line = processed_line[:-1] + line[1:]
a26cad
-        self._lint_functions = [self._lint_nsstate]
a26cad
 
a26cad
-    def lint(self):
a26cad
-        results = []
a26cad
-        for fn in self._lint_functions:
a26cad
-            for result in fn():
a26cad
-                if result is not None:
a26cad
-                    results.append(result)
a26cad
-        return results
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'dseldif'
a26cad
 
a26cad
     def _lint_nsstate(self):
a26cad
         suffixes = self.readNsState()
a26cad
@@ -320,7 +316,7 @@ class DSEldif(object):
a26cad
         return states
a26cad
 
a26cad
 
a26cad
-class FSChecks(object):
a26cad
+class FSChecks(DSLint):
a26cad
     """This is for the healthcheck feature, check commonly used system config files the
a26cad
     server uses.  This is here for lack of a better place to add this class.
a26cad
     """
a26cad
@@ -344,17 +340,10 @@ class FSChecks(object):
a26cad
                 'report': DSPERMLE0002
a26cad
             },
a26cad
         ]
a26cad
-        self._lint_functions = [self._lint_file_perms]
a26cad
 
a26cad
-    def lint(self):
a26cad
-        """Run a lint/healthcheck for this class
a26cad
-        """
a26cad
-        results = []
a26cad
-        for fn in self._lint_functions:
a26cad
-            for result in fn():
a26cad
-                if result is not None:
a26cad
-                    results.append(result)
a26cad
-        return results
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'fschecks'
a26cad
 
a26cad
     def _lint_file_perms(self):
a26cad
         """Test file permissions are safe
a26cad
diff --git a/src/lib389/lib389/encrypted_attributes.py b/src/lib389/lib389/encrypted_attributes.py
a26cad
index 9afd2e66b..2fa26cef9 100644
a26cad
--- a/src/lib389/lib389/encrypted_attributes.py
a26cad
+++ b/src/lib389/lib389/encrypted_attributes.py
a26cad
@@ -27,7 +27,6 @@ class EncryptedAttr(DSLdapObject):
a26cad
         self._must_attributes = ['cn', 'nsEncryptionAlgorithm']
a26cad
         self._create_objectclasses = ['top', 'nsAttributeEncryption']
a26cad
         self._protected = False
a26cad
-        self._lint_functions = []
a26cad
 
a26cad
 
a26cad
 class EncryptedAttrs(DSLdapObjects):
a26cad
diff --git a/src/lib389/lib389/index.py b/src/lib389/lib389/index.py
a26cad
index 6932883b7..a3d019d27 100644
a26cad
--- a/src/lib389/lib389/index.py
a26cad
+++ b/src/lib389/lib389/index.py
a26cad
@@ -41,7 +41,6 @@ class Index(DSLdapObject):
a26cad
         self._must_attributes = ['cn', 'nsSystemIndex', 'nsIndexType']
a26cad
         self._create_objectclasses = ['top', 'nsIndex']
a26cad
         self._protected = False
a26cad
-        self._lint_functions = []
a26cad
 
a26cad
 
a26cad
 class Indexes(DSLdapObjects):
a26cad
@@ -77,7 +76,6 @@ class VLVSearch(DSLdapObject):
a26cad
         self._must_attributes = ['cn', 'vlvbase', 'vlvscope', 'vlvfilter']
a26cad
         self._create_objectclasses = ['top', 'vlvSearch']
a26cad
         self._protected = False
a26cad
-        self._lint_functions = []
a26cad
         self._be_name = None
a26cad
 
a26cad
     def get_sorts(self):
a26cad
@@ -163,7 +161,6 @@ class VLVIndex(DSLdapObject):
a26cad
         self._must_attributes = ['cn', 'vlvsort']
a26cad
         self._create_objectclasses = ['top', 'vlvIndex']
a26cad
         self._protected = False
a26cad
-        self._lint_functions = []
a26cad
 
a26cad
 
a26cad
 class VLVIndexes(DSLdapObjects):
a26cad
diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py
a26cad
index b5a305bc3..a103feec7 100644
a26cad
--- a/src/lib389/lib389/lint.py
a26cad
+++ b/src/lib389/lib389/lint.py
a26cad
@@ -14,8 +14,9 @@
a26cad
 DSBLE0001 = {
a26cad
     'dsle': 'DSBLE0001',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : [],
a26cad
-    'detail' : """This backend may be missing the correct mapping tree references. Mapping Trees allow
a26cad
+    'description': 'Possibly incorrect mapping tree.',
a26cad
+    'items': [],
a26cad
+    'detail': """This backend may be missing the correct mapping tree references. Mapping Trees allow
a26cad
 the directory server to determine which backend an operation is routed to in the
a26cad
 abscence of other information. This is extremely important for correct functioning
a26cad
 of LDAP ADD for example.
a26cad
@@ -32,7 +33,7 @@ objectClass: extensibleObject
a26cad
 objectClass: nsMappingTree
a26cad
 
a26cad
 """,
a26cad
-    'fix' : """Either you need to create the mapping tree, or you need to repair the related
a26cad
+    'fix': """Either you need to create the mapping tree, or you need to repair the related
a26cad
 mapping tree. You will need to do this by hand by editing cn=config, or stopping
a26cad
 the instance and editing dse.ldif.
a26cad
 """
a26cad
@@ -41,25 +42,28 @@ the instance and editing dse.ldif.
a26cad
 DSBLE0002 = {
a26cad
     'dsle': 'DSBLE0002',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : [],
a26cad
-    'detail' : """Unable to query the backend.  LDAP error (ERROR)""",
a26cad
-    'fix' : """Check the server's error and access logs for more information."""
a26cad
+    'description': 'Unable to query backend.',
a26cad
+    'items': [],
a26cad
+    'detail': """Unable to query the backend.  LDAP error (ERROR)""",
a26cad
+    'fix': """Check the server's error and access logs for more information."""
a26cad
 }
a26cad
 
a26cad
 DSBLE0003 = {
a26cad
     'dsle': 'DSBLE0003',
a26cad
     'severity': 'LOW',
a26cad
-    'items' : [],
a26cad
-    'detail' : """The backend database has not been initialized yet""",
a26cad
-    'fix' : """You need to import an LDIF file, or create the suffix entry, in order to initialize the database."""
a26cad
+    'description': 'Uninitialized backend database.',
a26cad
+    'items': [],
a26cad
+    'detail': """The backend database has not been initialized yet""",
a26cad
+    'fix': """You need to import an LDIF file, or create the suffix entry, in order to initialize the database."""
a26cad
 }
a26cad
 
a26cad
 # Config checks
a26cad
 DSCLE0001 = {
a26cad
-    'dsle' : 'DSCLE0001',
a26cad
-    'severity' : 'LOW',
a26cad
+    'dsle': 'DSCLE0001',
a26cad
+    'severity': 'LOW',
a26cad
+    'description': 'Different log timestamp format.',
a26cad
     'items': ['cn=config', ],
a26cad
-    'detail' : """nsslapd-logging-hr-timestamps-enabled changes the log format in directory server from
a26cad
+    'detail': """nsslapd-logging-hr-timestamps-enabled changes the log format in directory server from
a26cad
 
a26cad
 [07/Jun/2017:17:15:58 +1000]
a26cad
 
a26cad
@@ -70,7 +74,7 @@ to
a26cad
 This actually provides a performance improvement. Additionally, this setting will be
a26cad
 removed in a future release.
a26cad
 """,
a26cad
-    'fix' : """Set nsslapd-logging-hr-timestamps-enabled to on.
a26cad
+    'fix': """Set nsslapd-logging-hr-timestamps-enabled to on.
a26cad
 You can use 'dsconf' to set this attribute.  Here is an example:
a26cad
 
a26cad
     # dsconf slapd-YOUR_INSTANCE config replace nsslapd-logging-hr-timestamps-enabled=on"""
a26cad
@@ -79,8 +83,9 @@ You can use 'dsconf' to set this attribute.  Here is an example:
a26cad
 DSCLE0002 = {
a26cad
     'dsle': 'DSCLE0002',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['cn=config', ],
a26cad
-    'detail' : """Password storage schemes in Directory Server define how passwords are hashed via a
a26cad
+    'description': 'Weak passwordStorageScheme.',
a26cad
+    'items': ['cn=config', ],
a26cad
+    'detail': """Password storage schemes in Directory Server define how passwords are hashed via a
a26cad
 one-way mathematical function for storage. Knowing the hash it is difficult to gain
a26cad
 the input, but knowing the input you can easily compare the hash.
a26cad
 
a26cad
@@ -112,14 +117,15 @@ You can also use 'dsconf' to replace these values.  Here is an example:
a26cad
 DSELE0001 = {
a26cad
     'dsle': 'DSELE0001',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : ['cn=encryption,cn=config', ],
a26cad
+    'description': 'Weak TLS protocol version.',
a26cad
+    'items': ['cn=encryption,cn=config', ],
a26cad
     'detail': """This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to
a26cad
 have a number of issues with the protocol. Please see:
a26cad
 
a26cad
 https://tools.ietf.org/html/rfc7457
a26cad
 
a26cad
 It is advised you set this value to the maximum possible.""",
a26cad
-    'fix' : """There are two options for setting the TLS minimum version allowed.  You,
a26cad
+    'fix': """There are two options for setting the TLS minimum version allowed.  You,
a26cad
 can set "sslVersionMin" in "cn=encryption,cn=config" to a version greater than "TLS1.0"
a26cad
 You can also use 'dsconf' to set this value.  Here is an example:
a26cad
 
a26cad
@@ -137,7 +143,8 @@ minimum version, but doing this affects the entire system:
a26cad
 DSRILE0001 = {
a26cad
     'dsle': 'DSRILE0001',
a26cad
     'severity': 'LOW',
a26cad
-    'items' : ['cn=referential integrity postoperation,cn=plugins,cn=config', ],
a26cad
+    'description': 'Referential integrity plugin may be slower.',
a26cad
+    'items': ['cn=referential integrity postoperation,cn=plugins,cn=config', ],
a26cad
     'detail': """The referential integrity plugin has an asynchronous processing mode.
a26cad
 This is controlled by the update-delay flag.  When this value is 0, referential
a26cad
 integrity plugin processes these changes inside of the operation that modified
a26cad
@@ -151,7 +158,7 @@ delays to your server by batching changes rather than smaller updates during syn
a26cad
 
a26cad
 We advise that you set this value to 0, and enable referint on all masters as it provides a more predictable behaviour.
a26cad
 """,
a26cad
-    'fix' : """Set referint-update-delay to 0.
a26cad
+    'fix': """Set referint-update-delay to 0.
a26cad
 
a26cad
 You can use 'dsconf' to set this value.  Here is an example:
a26cad
 
a26cad
@@ -164,12 +171,13 @@ You must restart the Directory Server for this change to take effect."""
a26cad
 DSRILE0002 = {
a26cad
     'dsle': 'DSRILE0002',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['cn=referential integrity postoperation,cn=plugins,cn=config'],
a26cad
+    'description': 'Referential integrity plugin configured with unindexed attribute.',
a26cad
+    'items': ['cn=referential integrity postoperation,cn=plugins,cn=config'],
a26cad
     'detail': """The referential integrity plugin is configured to use an attribute (ATTR)
a26cad
 that does not have an "equality" index in backend (BACKEND).
a26cad
 Failure to have the proper indexing will lead to unindexed searches which
a26cad
 cause high CPU and can significantly slow the server down.""",
a26cad
-    'fix' : """Check the attributes set in "referint-membership-attr" to make sure they have
a26cad
+    'fix': """Check the attributes set in "referint-membership-attr" to make sure they have
a26cad
 an index defined that has at least the equality "eq" index type.  You will
a26cad
 need to reindex the database after adding the missing index type. Here is an
a26cad
 example using dsconf:
a26cad
@@ -182,12 +190,13 @@ example using dsconf:
a26cad
 DSDSLE0001 = {
a26cad
     'dsle': 'DSDSLE0001',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['Server', 'cn=config'],
a26cad
+    'description': 'Low disk space.',
a26cad
+    'items': ['Server', 'cn=config'],
a26cad
     'detail': """The disk partition used by the server (PARTITION), either for the database, the
a26cad
 configuration files, or the logs is over 90% full.  If the partition becomes
a26cad
 completely filled serious problems can occur with the database or the server's
a26cad
 stability.""",
a26cad
-    'fix' : """Attempt to free up disk space.  Also try removing old rotated logs, or disable any
a26cad
+    'fix': """Attempt to free up disk space.  Also try removing old rotated logs, or disable any
a26cad
 verbose logging levels that might have been set.  You might consider enabling
a26cad
 the "Disk Monitoring" feature in cn=config to help prevent a disorderly shutdown
a26cad
 of the server:
a26cad
@@ -210,9 +219,10 @@ Please see the Administration guide for more information:
a26cad
 DSREPLLE0001 = {
a26cad
     'dsle': 'DSREPLLE0001',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['Replication', 'Agreement'],
a26cad
+    'description': 'Replication agreement not set to be synchronized.',
a26cad
+    'items': ['Replication', 'Agreement'],
a26cad
     'detail': """The replication agreement (AGMT) under "SUFFIX" is not in synchronization.""",
a26cad
-    'fix' : """You may need to reinitialize this replication agreement.  Please check the errors
a26cad
+    'fix': """You may need to reinitialize this replication agreement.  Please check the errors
a26cad
 log for more information.  If you do need to reinitialize the agreement you can do so
a26cad
 using dsconf.  Here is an example:
a26cad
 
a26cad
@@ -223,9 +233,10 @@ using dsconf.  Here is an example:
a26cad
 DSREPLLE0002 = {
a26cad
     'dsle': 'DSREPLLE0002',
a26cad
     'severity': 'LOW',
a26cad
-    'items' : ['Replication', 'Conflict Entries'],
a26cad
+    'description': 'Replication conflict entries found.',
a26cad
+    'items': ['Replication', 'Conflict Entries'],
a26cad
     'detail': "There were COUNT conflict entries found under the replication suffix \"SUFFIX\".",
a26cad
-    'fix' : """While conflict entries are expected to occur in an MMR environment, they
a26cad
+    'fix': """While conflict entries are expected to occur in an MMR environment, they
a26cad
 should be resolved.  In regards to conflict entries there is always the original/counterpart
a26cad
 entry that has a normal DN, and then the conflict version of that entry.  Technically both
a26cad
 entries are valid, you as the administrator, needs to decide which entry you want to keep.
a26cad
@@ -253,38 +264,42 @@ can use the CLI tool "dsconf" to resolve the conflict.  Here is an example:
a26cad
 DSREPLLE0003 = {
a26cad
     'dsle': 'DSREPLLE0003',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : ['Replication', 'Agreement'],
a26cad
+    'description': 'Unsynchronized replication agreement.',
a26cad
+    'items': ['Replication', 'Agreement'],
a26cad
     'detail': """The replication agreement (AGMT) under "SUFFIX" is not in synchronization.
a26cad
 Status message: MSG""",
a26cad
-    'fix' : """Replication is not in synchronization but it may recover.  Continue to
a26cad
+    'fix': """Replication is not in synchronization but it may recover.  Continue to
a26cad
 monitor this agreement."""
a26cad
 }
a26cad
 
a26cad
 DSREPLLE0004 = {
a26cad
     'dsle': 'DSREPLLE0004',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : ['Replication', 'Agreement'],
a26cad
+    'description': 'Unable to get replication agreement status.',
a26cad
+    'items': ['Replication', 'Agreement'],
a26cad
     'detail': """Failed to get the agreement status for agreement (AGMT) under "SUFFIX".  Error (ERROR).""",
a26cad
-    'fix' : """None"""
a26cad
+    'fix': """None"""
a26cad
 }
a26cad
 
a26cad
 DSREPLLE0005 = {
a26cad
     'dsle': 'DSREPLLE0005',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : ['Replication', 'Agreement'],
a26cad
+    'description': 'Replication consumer not reachable.',
a26cad
+    'items': ['Replication', 'Agreement'],
a26cad
     'detail': """The replication agreement (AGMT) under "SUFFIX" is not in synchronization,
a26cad
 because the consumer server is not reachable.""",
a26cad
-    'fix' : """Check if the consumer is running, and also check the errors log for more information."""
a26cad
+    'fix': """Check if the consumer is running, and also check the errors log for more information."""
a26cad
 }
a26cad
 
a26cad
 # Replication changelog
a26cad
 DSCLLE0001 = {
a26cad
     'dsle': 'DSCLLE0001',
a26cad
     'severity': 'LOW',
a26cad
-    'items' : ['Replication', 'Changelog'],
a26cad
+    'description': 'Changelog trimming not configured.',
a26cad
+    'items': ['Replication', 'Changelog'],
a26cad
     'detail': """The replication changelog does have any kind of trimming configured.  This will
a26cad
 lead to the changelog size growing indefinitely.""",
a26cad
-    'fix' : """Configure changelog trimming, preferably by setting the maximum age of a changelog
a26cad
+    'fix': """Configure changelog trimming, preferably by setting the maximum age of a changelog
a26cad
 record.  Here is an example:
a26cad
 
a26cad
     # dsconf slapd-YOUR_INSTANCE replication set-changelog --max-age 30d"""
a26cad
@@ -294,27 +309,30 @@ record.  Here is an example:
a26cad
 DSCERTLE0001 = {
a26cad
     'dsle': 'DSCERTLE0001',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : ['Expiring Certificate'],
a26cad
+    'description': 'Certificate about to expire.',
a26cad
+    'items': ['Expiring Certificate'],
a26cad
     'detail': """The certificate (CERT) will expire in less than 30 days""",
a26cad
-    'fix' : """Renew the certificate before it expires to prevent disruptions with TLS connections."""
a26cad
+    'fix': """Renew the certificate before it expires to prevent disruptions with TLS connections."""
a26cad
 }
a26cad
 
a26cad
 DSCERTLE0002 = {
a26cad
     'dsle': 'DSCERTLE0002',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['Expired Certificate'],
a26cad
+    'description': 'Certificate expired.',
a26cad
+    'items': ['Expired Certificate'],
a26cad
     'detail': """The certificate (CERT) has expired""",
a26cad
-    'fix' : """Renew or remove the certificate."""
a26cad
+    'fix': """Renew or remove the certificate."""
a26cad
 }
a26cad
 
a26cad
 # Virtual Attrs & COS.  Note - ATTR and SUFFIX are replaced by the reporting function
a26cad
 DSVIRTLE0001 = {
a26cad
     'dsle': 'DSVIRTLE0001',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['Virtual Attributes'],
a26cad
+    'description': 'Virtual attribute indexed.',
a26cad
+    'items': ['Virtual Attributes'],
a26cad
     'detail': """You should not index virtual attributes, and as this will break searches that
a26cad
 use the attribute in a filter.""",
a26cad
-    'fix' : """Remove the index for this attribute from the backend configuration.
a26cad
+    'fix': """Remove the index for this attribute from the backend configuration.
a26cad
 Here is an example using 'dsconf' to remove an index:
a26cad
 
a26cad
     # dsconf slapd-YOUR_INSTANCE backend index delete --attr ATTR SUFFIX"""
a26cad
@@ -324,10 +342,11 @@ Here is an example using 'dsconf' to remove an index:
a26cad
 DSPERMLE0001 = {
a26cad
     'dsle': 'DSPERMLE0001',
a26cad
     'severity': 'MEDIUM',
a26cad
-    'items' : ['File Permissions'],
a26cad
+    'description': 'Incorrect file permissions.',
a26cad
+    'items': ['File Permissions'],
a26cad
     'detail': """The file "FILE" does not have the expected permissions (PERMS).  This
a26cad
 can cause issues with replication and chaining.""",
a26cad
-    'fix' : """Change the file permissions:
a26cad
+    'fix': """Change the file permissions:
a26cad
 
a26cad
     # chmod PERMS FILE"""
a26cad
 }
a26cad
@@ -336,10 +355,11 @@ can cause issues with replication and chaining.""",
a26cad
 DSPERMLE0002 = {
a26cad
     'dsle': 'DSPERMLE0002',
a26cad
     'severity': 'HIGH',
a26cad
-    'items' : ['File Permissions'],
a26cad
+    'description': 'Incorrect security database file permissions.',
a26cad
+    'items': ['File Permissions'],
a26cad
     'detail': """The file "FILE" does not have the expected permissions (PERMS).  The
a26cad
 security database pin/password files should only be readable by Directory Server user.""",
a26cad
-    'fix' : """Change the file permissions:
a26cad
+    'fix': """Change the file permissions:
a26cad
 
a26cad
     # chmod PERMS FILE"""
a26cad
 }
a26cad
@@ -348,11 +368,12 @@ security database pin/password files should only be readable by Directory Server
a26cad
 DSSKEWLE0001 = {
a26cad
     'dsle': 'DSSKEWLE0001',
a26cad
     'severity': 'Low',
a26cad
-    'items' : ['Replication'],
a26cad
+    'description': 'Medium time skew.',
a26cad
+    'items': ['Replication'],
a26cad
     'detail': """The time skew is over 6 hours.  If this time skew continues to increase
a26cad
 to 24 hours then replication can potentially stop working.  Please continue to
a26cad
 monitor the time skew offsets for increasing values.""",
a26cad
-    'fix' : """Monitor the time skew and avoid making changes to the system time.
a26cad
+    'fix': """Monitor the time skew and avoid making changes to the system time.
a26cad
 Also look at https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/managing_replication-troubleshooting_replication_related_problems
a26cad
 and find the paragraph "Too much time skew"."""
a26cad
 }
a26cad
@@ -360,13 +381,14 @@ and find the paragraph "Too much time skew"."""
a26cad
 DSSKEWLE0002 = {
a26cad
     'dsle': 'DSSKEWLE0002',
a26cad
     'severity': 'Medium',
a26cad
-    'items' : ['Replication'],
a26cad
+    'description': 'Major time skew.',
a26cad
+    'items': ['Replication'],
a26cad
     'detail': """The time skew is over 12 hours.  If this time skew continues to increase
a26cad
 to 24 hours then replication can potentially stop working.  Please continue to
a26cad
 monitor the time skew offsets for increasing values.  Setting nsslapd-ignore-time-skew
a26cad
 to "on" on each replica will allow replication to continue, but if the time skew
a26cad
 continues to increase other more serious replication problems can occur.""",
a26cad
-    'fix' : """Monitor the time skew and avoid making changes to the system time.
a26cad
+    'fix': """Monitor the time skew and avoid making changes to the system time.
a26cad
 If you get close to 24 hours of time skew replication may stop working.
a26cad
 In that case configure the server to ignore the time skew until the system
a26cad
 times can be fixed/synchronized:
a26cad
@@ -380,12 +402,13 @@ and find the paragraph "Too much time skew"."""
a26cad
 DSSKEWLE0003 = {
a26cad
     'dsle': 'DSSKEWLE0003',
a26cad
     'severity': 'High',
a26cad
-    'items' : ['Replication'],
a26cad
+    'description': 'Extensive time skew.',
a26cad
+    'items': ['Replication'],
a26cad
     'detail': """The time skew is over 24 hours.  Setting nsslapd-ignore-time-skew
a26cad
 to "on" on each replica will allow replication to continue, but if the
a26cad
 time skew continues to increase other serious replication problems can
a26cad
 occur.""",
a26cad
-    'fix' : """Avoid making changes to the system time, and make sure the clocks
a26cad
+    'fix': """Avoid making changes to the system time, and make sure the clocks
a26cad
 on all the replicas are correct.  If you haven't set the server's
a26cad
 "ignore time skew" setting then do the following on all the replicas
a26cad
 until the time issues have been resolved:
a26cad
diff --git a/src/lib389/lib389/monitor.py b/src/lib389/lib389/monitor.py
a26cad
index 73750c3c2..4ac7d7174 100644
a26cad
--- a/src/lib389/lib389/monitor.py
a26cad
+++ b/src/lib389/lib389/monitor.py
a26cad
@@ -358,7 +358,10 @@ class MonitorDiskSpace(DSLdapObject):
a26cad
     def __init__(self, instance, dn=None):
a26cad
         super(MonitorDiskSpace, self).__init__(instance=instance, dn=dn)
a26cad
         self._dn = "cn=disk space,cn=monitor"
a26cad
-        self._lint_functions = [self._lint_disk_space]
a26cad
+
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'monitor-disk-space'
a26cad
 
a26cad
     def _lint_disk_space(self):
a26cad
         partitions = self.get_attr_vals_utf8_l("dsDisk")
a26cad
diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py
a26cad
index d14e7ce6f..e257424fd 100644
a26cad
--- a/src/lib389/lib389/nss_ssl.py
a26cad
+++ b/src/lib389/lib389/nss_ssl.py
a26cad
@@ -21,6 +21,7 @@ import subprocess
a26cad
 from datetime import datetime, timedelta
a26cad
 from subprocess import check_output, run, PIPE
a26cad
 from lib389.passwd import password_generate
a26cad
+from lib389._mapped_object_lint import DSLint
a26cad
 from lib389.lint import DSCERTLE0001, DSCERTLE0002
a26cad
 from lib389.utils import ensure_str, format_cmd_list
a26cad
 import uuid
a26cad
@@ -42,7 +43,7 @@ VALID_MIN = 61  # Days
a26cad
 log = logging.getLogger(__name__)
a26cad
 
a26cad
 
a26cad
-class NssSsl(object):
a26cad
+class NssSsl(DSLint):
a26cad
     def __init__(self, dirsrv=None, dbpassword=None, dbpath=None):
a26cad
         self.dirsrv = dirsrv
a26cad
         self._certdb = dbpath
a26cad
@@ -56,18 +57,14 @@ class NssSsl(object):
a26cad
         else:
a26cad
             self.dbpassword = dbpassword
a26cad
 
a26cad
-        self.db_files = {"dbm_backend": ["%s/%s" % (self._certdb, f) for f in ("key3.db", "cert8.db", "secmod.db")],
a26cad
-                         "sql_backend": ["%s/%s" % (self._certdb, f) for f in ("key4.db", "cert9.db", "pkcs11.txt")],
a26cad
-                         "support": ["%s/%s" % (self._certdb, f) for f in ("noise.txt", PIN_TXT, PWD_TXT)]}
a26cad
-        self._lint_functions = [self._lint_certificate_expiration,]
a26cad
-
a26cad
-    def lint(self):
a26cad
-        results = []
a26cad
-        for fn in self._lint_functions:
a26cad
-            for result in fn():
a26cad
-                if result is not None:
a26cad
-                    results.append(result)
a26cad
-        return results
a26cad
+        self.db_files = {group: [f"{self._certdb}/{f}" for f in files]
a26cad
+                         for group, files in {"dbm_backend": ("key3.db", "cert8.db", "secmod.db"),
a26cad
+                                              "sql_backend": ("key4.db", "cert9.db", "pkcs11.txt"),
a26cad
+                                              "support": ("noise.txt", PIN_TXT, PWD_TXT)}.items()}
a26cad
+
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'ssl'
a26cad
 
a26cad
     def _lint_certificate_expiration(self):
a26cad
         """Check all the certificates in the db if they will expire within 30 days
a26cad
diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py
a26cad
index f68a1d114..89e660287 100644
a26cad
--- a/src/lib389/lib389/plugins.py
a26cad
+++ b/src/lib389/lib389/plugins.py
a26cad
@@ -431,7 +431,6 @@ class ReferentialIntegrityPlugin(Plugin):
a26cad
             'referint-logfile',
a26cad
             'referint-membership-attr',
a26cad
         ])
a26cad
-        self._lint_functions = [self._lint_update_delay, self._lint_attr_indexes]
a26cad
 
a26cad
     def create(self, rdn=None, properties=None, basedn=None):
a26cad
         """Create an instance of the plugin"""
a26cad
@@ -443,6 +442,10 @@ class ReferentialIntegrityPlugin(Plugin):
a26cad
             properties['referint-logfile'] = referint_log
a26cad
         return super(ReferentialIntegrityPlugin, self).create(rdn, properties, basedn)
a26cad
 
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'refint'
a26cad
+
a26cad
     def _lint_update_delay(self):
a26cad
         if self.status():
a26cad
             delay = self.get_attr_val_int("referint-update-delay")
a26cad
diff --git a/src/lib389/lib389/replica.py b/src/lib389/lib389/replica.py
a26cad
index f8adb3ce2..f575e58d5 100644
a26cad
--- a/src/lib389/lib389/replica.py
a26cad
+++ b/src/lib389/lib389/replica.py
a26cad
@@ -1049,7 +1049,10 @@ class Changelog5(DSLdapObject):
a26cad
                 'extensibleobject',
a26cad
             ]
a26cad
         self._protected = False
a26cad
-        self._lint_functions = [self._lint_cl_trimming]
a26cad
+
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'changelog'
a26cad
 
a26cad
     def _lint_cl_trimming(self):
a26cad
         """Check that cl trimming is at least defined to prevent unbounded growth"""
a26cad
@@ -1120,7 +1123,10 @@ class Replica(DSLdapObject):
a26cad
             self._create_objectclasses.append('extensibleobject')
a26cad
         self._protected = False
a26cad
         self._suffix = None
a26cad
-        self._lint_functions = [self._lint_agmts_status, self._lint_conflicts]
a26cad
+
a26cad
+    @classmethod
a26cad
+    def lint_uid(cls):
a26cad
+        return 'replication'
a26cad
 
a26cad
     def _lint_agmts_status(self):
a26cad
         replicas = Replicas(self._instance).list()
a26cad
diff --git a/src/lib389/lib389/tests/mapped_object_lint_test.py b/src/lib389/lib389/tests/mapped_object_lint_test.py
a26cad
new file mode 100644
a26cad
index 000000000..a4ca0ea3c
a26cad
--- /dev/null
a26cad
+++ b/src/lib389/lib389/tests/mapped_object_lint_test.py
a26cad
@@ -0,0 +1,78 @@
a26cad
+from typing import List
a26cad
+
a26cad
+import pytest
a26cad
+
a26cad
+from lib389._mapped_object_lint import (
a26cad
+    DSLint,
a26cad
+    DSLints,
a26cad
+    DSLintMethodSpec
a26cad
+)
a26cad
+
a26cad
+
a26cad
+def test_dslint():
a26cad
+    class DS(DSLint):
a26cad
+        def lint_uid(self) -> str:
a26cad
+            return self.param
a26cad
+
a26cad
+        def __init__(self, param):
a26cad
+            self.param = param
a26cad
+            self.suffixes = ['suffixA', 'suffixB']
a26cad
+
a26cad
+        def _lint_nsstate(self, spec: DSLintMethodSpec = None):
a26cad
+            if spec == List:
a26cad
+                yield from self.suffixes
a26cad
+            else:
a26cad
+                to_lint = [spec] if spec else self._lint_nsstate(spec=List)
a26cad
+                for tl in to_lint:
a26cad
+                    if tl == 'suffixA':
a26cad
+                        pass
a26cad
+                    elif tl == 'suffixB':
a26cad
+                        yield 'suffixB is bad'
a26cad
+                    else:
a26cad
+                        raise ValueError('There is no such suffix')
a26cad
+
a26cad
+        def _lint_second(self):
a26cad
+            yield from ()
a26cad
+
a26cad
+        def _lint_third(self):
a26cad
+            yield from ['this is a fail']
a26cad
+
a26cad
+    class DSs(DSLints):
a26cad
+        def list(self):
a26cad
+            for i in [DS("ma"), DS("mb")]:
a26cad
+                yield i
a26cad
+
a26cad
+    # single
a26cad
+    inst = DS("a")
a26cad
+    inst_lints = {'nsstate:suffixA', 'nsstate:suffixB', 'second', 'third'}
a26cad
+
a26cad
+    assert inst.param == "a"
a26cad
+
a26cad
+    assert set(dict(inst.lint_list()).keys()) == inst_lints
a26cad
+
a26cad
+    assert set(dict(inst.lint_list('nsstate')).keys()) \
a26cad
+        == {f'nsstate:suffix{s}' for s in "AB"}
a26cad
+
a26cad
+    assert list(inst._lint_nsstate(spec=List)) == ['suffixA', 'suffixB']
a26cad
+    assert list(inst.lint()) == ['suffixB is bad', 'this is a fail']
a26cad
+
a26cad
+    assert list(inst.lint('nsstate')) == ['suffixB is bad']
a26cad
+    assert list(inst.lint('nsstate:suffixA')) == []
a26cad
+    assert list(inst.lint('nsstate:suffixB')) == ['suffixB is bad']
a26cad
+    with pytest.raises(ValueError):
a26cad
+        list(inst.lint('nonexistent'))
a26cad
+
a26cad
+    # multiple
a26cad
+    insts = DSs()
a26cad
+
a26cad
+    assert insts.lint_list
a26cad
+    assert insts.lint
a26cad
+
a26cad
+    assert set(dict(insts.lint_list()).keys()) \
a26cad
+        == {f'{m}:{s}' for m in ['ma', 'mb'] for s in inst_lints}
a26cad
+    assert set(dict(insts.lint_list('*')).keys()) \
a26cad
+        == {f'{m}:{s}' for m in ['ma', 'mb'] for s in inst_lints}
a26cad
+    assert set(dict(insts.lint_list('*:nsstate')).keys()) \
a26cad
+        == {f'{m}:nsstate:suffix{s}' for m in ['ma', 'mb'] for s in "AB"}
a26cad
+    assert set(dict(insts.lint_list('mb:nsstate')).keys()) \
a26cad
+        == {f'mb:nsstate:suffix{s}' for s in "AB"}
a26cad
-- 
a26cad
2.26.2
a26cad