load balancing and if statements

Brian Julin BJulin at clarku.edu
Fri Apr 6 22:03:12 CEST 2012

> Alan DeKok wrote:
> Scott McLane Gardner wrote:
> > So, now I'm confused again. If this doesn't load balance, then how should
> > I really be going about this?
>   It's hard.

Actually, on some further reading, it might not be: the LDAP library/DNS may
take care of this instead of requiring special attention on the FreeRADIUS end.

Firstly, for redundancy (and I tested this and it seems to work) ldap_init
allows a space separated list of hostnames which will be tried in order.
FreeRADIUS just passes this string through and the LDAP libraries seem
to be happy about that.  The only rough edge is, cosmetically, the debug
log statement appends ":<port>" which ends up looking like the port
designation belongs just to the last host.  There might also be trouble
between FreeRADIUS config syntax (with separate port) and the fact
that the LDAP libraries also allow ":<port>" appendixes on each of the
space-separated hostnames;  that I did not test.

For load-balancing (this I have not tested) a round-robin DNS for the LDAP
servername may result in connections load balancing.  Really this depends
on the DNS caching behavior inside the LDAP library and on the host OS,
but my impression is that by and large LDAP libraries treat DNS lookups sanely
as a volatile item that needs to be re-loaded on re-use (there are Mozilla
tickets wrestling with this for their LDAP re-implementation some years back,
so even that lib might be OK.)

At worst FreeRADIUS might need to add some fuzzing/connection-limits
so that connections are regularly torn down and re-established, but not
all at once, to force multiple DNS lookups when the server is started/hupped.
If someone needs finer grained balancing, perhaps randomizing the
connection pool selection may be needed.

Also not tested is the space-separated multi-url form that goes through
ldap_initialize instead of ldap_init, but openldap docs say that is supported
as well.

So if that works, the only reason someone would still need to do r-l-m
tricks is if they need to validate TLS certs and the LDAP servers are not
presenting the round-robin name and cannot be fixed to do so.
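
An offline check for the TLS caveat in the last paragraph, added here as an example and not part of the original message: given the dNSName entries each LDAP server's certificate carries, it lists the servers that would fail name validation when the client connects by the round-robin name. Hostnames and certificate contents are constructed, and the matching is a simplified RFC 6125-style comparison (exact match, or a wildcard as the whole leftmost label).

```python
# Added example; every hostname and certificate entry below is constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate dNSName covers hostname.

    Exact match, or '*' standing in for exactly one leftmost label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard never spans several labels and never covers a
        # bare two-label domain such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def servers_failing(connect_name: str, inventory: dict) -> list:
    """Backends whose certificate does not cover the name the client dials."""
    return sorted(
        host
        for host, san_names in inventory.items()
        if not any(name_matches(san, connect_name) for san in san_names)
    )


# Constructed inventory: backend host -> dNSName entries in its certificate.
INVENTORY = {
    "ldap1.example.org": ["ldap1.example.org", "ldap.example.org"],
    "ldap2.example.org": ["ldap2.example.org"],  # lacks the shared name
    "ldap3.example.org": ["*.example.org"],      # wildcard covers it
}

ROUND_ROBIN_NAME = "ldap.example.org"  # assumed name published in DNS

if __name__ == "__main__":
    for host in servers_failing(ROUND_ROBIN_NAME, INVENTORY):
        print(f"{host}: certificate does not present {ROUND_ROBIN_NAME}")
```
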
