[RFC] xlat module return codes

Alexander Clouter alex at digriz.org.uk
Tue Sep 2 01:48:19 CEST 2008


Hi,

Our LDAP servers died horribly today, this Novell 'resilience' malarkey
must have taken a page from the MySQL developers active-active failover
coding crib sheet, so that when one LDAP server goes down they all do;
however I digress....

Before everything was really dead in the water I actually noticed that
although one of the two LDAP servers was dead-dead (socket closed,
connection refused and all), FreeRADIUS was not registering this and
said "noop"s all over the debug.  As a result she kept reattempting
connections to these known bad servers.

Not good :(

Digging around more I found this is because I do all our fancy stuff
in xlat's and it's xlat that is dishing out NOOPs like they are going
out of fashion.

So I present to the world my after-two-pints and next-to-zero-testing
patch to resolve these problems and let us put xlat's and resilience
into our lives.

http://stuff.digriz.org.uk/freeradius/xlat-retcode.diff

So I call upon guinea pigs to look at the rather invasive patch I have
thrown together, Alan might want to avert his eyes, seems to work for
LDAP...although as everything is currently shafted at work I cannot be
certain.

So to use this and get xlat resilience (in the case of LDAP for example),
put in post-auth/authorize/kitchen-sink{}

========
redundant-load-balance {
  ldap1_stuff
  ldap2_stuff
}
========

then give yourself a handful of attr_rewrite chunks:
========
attr_rewrite ldap1_stuff {
        attribute = Tmp-String-1
        searchin = control
        searchfor = "^.*$"
        replacewith = "%{ldap_server1:ldap:///ou=Hosts,ou=LanWarden,o=soas?dn?sub?(&(objectClass=lanwardenHost)(lanwardenHostState=enable)(cn=%{Calling-Station-Id})%{control:Tmp-String-0})}"
        new_attribute = yes
        max_matches = 1
        append = no
}
attr_rewrite ldap2_stuff {
        [ditto]
        replacewith = "%{ldap_server2:ldap:///.....}"
}
========

Hopefully now you will see a few fewer noops in your freeradius debugs
when your LDAP servers show their true colours and failover begins to
work.

This patch was put together as I found myself in the horrible situation
where Alan kept telling me "stop using attr_rewrite and use unlang"
followed swiftly by "yeah, unlang plus redundant-load-balance is a
no-no".  That's tough love for you I guess :)

Word of warning, this patch is likely to break lots of things.  I am
probably going to find bugs ahoy tomorrow and later in the week so if
anyone wants updates to the patch to tinker with mail me and I'll keep
you in the loop.

Now all we need is xlat+virtual modules[1]...

Cheers

Alex

[1] http://lists.freeradius.org/mailman/htdig/freeradius-users/2007-May/msg00527.html
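A simplified Python model of the return-code flow the post describes, added here as an illustration (it is not code from the post, from FreeRADIUS or from the linked patch; the server names, the `propagate_failure` switch and the `start` index are assumptions): while an ldap xlat only ever yields noop, the redundant-load-balance block never moves on to the next server, whereas a fail result lets it fall through to the next entry.

```python
"""Toy model of a FreeRADIUS-style redundant-load-balance block.

Added example, not the project's or the poster's code.  Return codes
and the 'try the next module on fail' rule follow the behaviour the
post relies on; everything else (names, DN strings) is constructed.
"""

NOOP, OK, FAIL = "noop", "ok", "fail"


class LdapServer:
    """One ldap xlat instance (ldap_server1, ldap_server2, ...)."""

    def __init__(self, name, alive):
        self.name = name
        self.alive = alive


def xlat_lookup(server, propagate_failure):
    """Model of the ldap xlat wrapped in attr_rewrite.

    Without the patch the enclosing module answers noop whether or not
    the server could be reached (the problem the post describes).  With
    the patch (propagate_failure=True, assumed behaviour) an unreachable
    server is reported as fail so the caller can react.
    """
    if server.alive:
        # Constructed DN standing in for the real search result.
        return OK, "cn=host,ou=Hosts," + server.name
    return (FAIL if propagate_failure else NOOP), ""


def redundant_load_balance(servers, propagate_failure, start=0):
    """Try the modules in order from `start`; on fail, try the next one.

    Returns (rcode, Tmp-String-1 value, list of servers attempted).
    """
    attempts = []
    n = len(servers)
    for i in range(n):
        server = servers[(start + i) % n]
        attempts.append(server.name)
        rcode, value = xlat_lookup(server, propagate_failure)
        if rcode != FAIL:
            # Any non-fail answer (including noop) ends the block.
            return rcode, value, attempts
    return FAIL, "", attempts
```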
