ldap redundant-load-balance issue

Brian Julin BJulin at clarku.edu
Thu Apr 19 15:46:33 CEST 2012

> -----Original Message-----
> Tobias Hachmer
> Am 19.04.2012 13:44, schrieb Alan DeKok:
> > Tobias Hachmer wrote:
> >> During FreeRADIUS performance test as described in
> >> /usr/share/doc/freeradius/performance-testing.gz I noticed that FR
> >> does no load-balancing or fall-through to other ldap modules for
> >> the ldap-group query above (Ldap-Group ==
> >> "cn=radius.users,ou=Groups,dc=test,dc=local"). Every time only
> >> ldap module ldap3 is taken to do this ldap-group query.
> >
> >   That's how it works.  The LDAP-Group queries are not load balanced.
> Hmm, but then there is no big benefit instantiating multiple ldap
> modules inside a redundant-load-balance group.
> I recognized that the last module referred to inside the group is
> taken to do the query. Can I affect this in a different way than
> changing the order?

Create a single RRDNS entry for your LDAP servers and use a single
LDAP definition.  The DNS name(s) in the LDAP definition are sent
directly to the underlying LDAP library and should be looked up for
each connection instantiated; FreeRADIUS does not resolve them
internally before use, even when using LDAPS.

You can also enter the RRDNS entry multiple times in a space
separated string, which should allow for statistically probable
failover, e.g.:

ldap rrdns_ldap {
    # Each name is resolved separately when the library connects, so
    # if 1 of 2 servers is down this should only fail 1/8th of the time
    server = "ldap.rrdns.site ldap.rrdns.site ldap.rrdns.site"
    # ... remaining ldap module settings (identity, basedn, etc.) as usual
}

(Whether that works may depend on the internal implementation of
the LDAP libraries and/or the way DNS is set up on the server on which
FreeRADIUS is running.)

This all assumes there are no differences in the schema used between
the servers, though.
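The "1/8th of the time" figure above, and the caveat that it depends on how DNS is set up on the host, can be checked with a small model. The script below is an added example and not part of the original post or of FreeRADIUS; it takes the space-separated `server` string, a constructed DNS table (the name `ldap.rrdns.site` and the addresses `192.0.2.10`/`192.0.2.11` are made up for illustration), and a set of unreachable addresses, and computes the exact probability that a connection attempt finds no reachable server. It models two resolver behaviours: a library that performs a fresh lookup for every name in the list (the behaviour the post relies on) and a caching resolver that pins each name to one address for the lifetime of the process, in which case repeating the name buys nothing.

```python
"""Failure probability of a space-separated LDAP server list behind RRDNS.

Added example; not FreeRADIUS code. DNS data below is constructed.
"""
from fractions import Fraction
from itertools import product

# Constructed RRDNS data: one name fronting two LDAP servers.
DNS = {"ldap.rrdns.site": ["192.0.2.10", "192.0.2.11"]}


def failure_probability(server_string, dns, down, fresh_lookup=True):
    """Exact probability that no host in the list is reachable.

    server_string: value of the `server` directive, names separated by spaces.
    dns:           name -> list of A records; a lookup returns one record
                   chosen uniformly at random (round-robin DNS).
    down:          set of unreachable addresses.
    fresh_lookup:  True  = the library resolves every name it tries, so
                           repeated names are independent lookups;
                   False = a caching resolver returns the same address for
                           a name every time, so repeats are redundant.
    """
    names = server_string.split()
    if not fresh_lookup:
        # With a caching resolver only distinct names matter; order is kept
        # so the model still reflects the list the library walks through.
        names = list(dict.fromkeys(names))

    # Each lookup slot is the list of addresses it can resolve to.  A name
    # with no records (for example a typo such as "ldap.rrnds.site") can
    # never yield a reachable host, so it contributes a single failing outcome.
    slots = [dns.get(name) or [None] for name in names]

    failing = 0
    outcomes = 0
    for chosen in product(*slots):
        outcomes += 1
        # The attempt fails only if every address the library tries is down
        # (or did not resolve at all).
        if all(ip is None or ip in down for ip in chosen):
            failing += 1
    return Fraction(failing, outcomes)


def compare_resolver_models(server_string, dns, down):
    """Return (fresh_lookup_failure, cached_resolver_failure) for the same list."""
    return (
        failure_probability(server_string, dns, down, fresh_lookup=True),
        failure_probability(server_string, dns, down, fresh_lookup=False),
    )


if __name__ == "__main__":
    repeated = "ldap.rrdns.site ldap.rrdns.site ldap.rrdns.site"
    one_down = {"192.0.2.10"}
    fresh, cached = compare_resolver_models(repeated, DNS, one_down)
    print(f"one of two servers down, name listed three times:")
    print(f"  per-connection lookups : P(fail) = {fresh}")
    print(f"  caching resolver       : P(fail) = {cached}")
    print(f"  single entry           : P(fail) = "
          f"{failure_probability('ldap.rrdns.site', DNS, one_down)}")
```

With fresh lookups the three entries give (1/2)^3 = 1/8 as the post says; with a caching resolver the same configuration fails 1/2 of the time, exactly as if the name had been listed once. Whether a real deployment behaves like the first or the second model depends on the LDAP library and the host's resolver setup, which is the caveat the post makes.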
