ldap redundant-load-balance issue
Brian Julin
BJulin at clarku.edu
Thu Apr 19 17:11:51 CEST 2012
Tobias Hachmer wrote:
> Am 19.04.2012 15:46, schrieb Brian Julin:
> > Create a single RRDNS entry for your LDAP servers and use a single
> > LDAP definition. The DNS name(s) in the LDAP definition is sent to
> > directly to the underlying LDAP library and should be looked up for
> > each connection instantiated; FreeRADIUS does not resolve it
> > internally before use, even when using LDAPS.
> >
> > You can also enter the RRDNS entry multiple times in a space
> > separated string, which should allow for statistically probable
> > failover, e.g.:
> >
> > ldap rrdns_ldap {
> > # If 1/2 servers are down this should only fail 1/8th of the time
> > server = "ldap.rrdns.site ldap.rrdns.site ldap.rrdns.site"
> > ...
> > }
>
> Thanks for that suggestion. Sounds quite simple to achieve fail-over
> for ldap-queries.
> But I have one problem when I enter my ldap servers like you mentioned
> because the common name in the ldap server certificate won't match the
> new defined dns name.
Yes we use a certificate with alternate names for this. Not sure what the
tweaking options are as far as OpenLDAP's certificate verification process...
> I will test this scenario with the following configuration:
>
> server = "ldap1.test.local ldap2.test.local ldap3.test.local"
The OpenLDAP documentation states that space separated host
lists are tried in order, so this would always use ldap1, unless the
ldap1 host lookup failed. (An utter hack, if you are locked into the
certs you have, would be to cause it to fail occasionally on purpose
using iptables.)
> Perhaps I can still use multiple ldap modules and adapt only the server
> directive of the last ldap module (or all ldap modules) in
> redundant-load-balance group to the format you have mentioned.
I don't see why this would not work; and should allow the initial
(non-xlat, non-ldap-group) queries to balance more granularly.
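The combination just discussed, written out as an added configuration example (not from this thread or the FreeRADIUS project; it assumes FreeRADIUS 2.x rlm_ldap syntax, the hostnames ldap1/2/3.test.local and ldap.rrdns.site from the thread, and placeholder credentials and CA path). Each module lists its own server first and the round-robin name as fallback, since OpenLDAP tries the list in order, and the redundant-load-balance group spreads the initial queries across the modules; every server certificate must carry both its own name and ldap.rrdns.site as subjectAltName for require_cert = "demand" to pass:

```conf
# modules/ldap -- three instances, one per primary server
ldap ldap1 {
    # own server first, then the round-robin name as failover
    server   = "ldap1.test.local ldap.rrdns.site ldap.rrdns.site"
    port     = 389
    identity = "cn=radius,dc=test,dc=local"   # placeholder bind DN
    password = "CHANGEME"                     # placeholder
    basedn   = "dc=test,dc=local"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    tls {
        start_tls    = yes
        cacertfile   = /etc/raddb/certs/ca.pem  # placeholder CA bundle
        require_cert = "demand"   # CN/SAN must match the name used
    }
}
ldap ldap2 {
    server   = "ldap2.test.local ldap.rrdns.site ldap.rrdns.site"
    port     = 389
    identity = "cn=radius,dc=test,dc=local"
    password = "CHANGEME"
    basedn   = "dc=test,dc=local"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    tls {
        start_tls    = yes
        cacertfile   = /etc/raddb/certs/ca.pem
        require_cert = "demand"
    }
}
ldap ldap3 {
    server   = "ldap3.test.local ldap.rrdns.site ldap.rrdns.site"
    port     = 389
    identity = "cn=radius,dc=test,dc=local"
    password = "CHANGEME"
    basedn   = "dc=test,dc=local"
    filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    tls {
        start_tls    = yes
        cacertfile   = /etc/raddb/certs/ca.pem
        require_cert = "demand"
    }
}

# sites-enabled/default, authorize section: pick a module at random,
# fall through to the next one only if the chosen one returns fail
authorize {
    redundant-load-balance {
        ldap1
        ldap2
        ldap3
    }
}
```

Keep require_cert at "demand" rather than relaxing it to work around the CN mismatch; fixing the certificates (SAN entries) preserves server authentication, while a weaker setting would silently accept any certificate on failover.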