Ldap DNS SRV record support

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Oct 12 05:16:23 CEST 2017



> On 12 Oct 2017, at 00:56, Dave Macias <davama at gmail.com> wrote:
> 
> Thank you all for the replies! This has been very insightful
> 
>> Sure.  Feel free to send a patch which adds this functionality.
> 
> Hopefully someone capable does... :) (help me obi-wan! you're my only hope)

Alan knows no one has any hope of producing such a patch. The code in rlm_ldap simply isn't set up to do this kind of dynamic connection/pool creation.

There are no issues with resolving DNS entries on startup; many people do it. This issue is with dynamically creating the connections as a result of that resolution.

The only module which does anything like what you describe is rlm_redis in v4.0.x which dynamically discovers the cluster nodes from one or more 'bootstrap' nodes.

The only way I could see this being implemented is as a side effect of efficient referral following. If we had a facility to keep persistent connections to servers we'd been referred to, we could also co-opt that infrastructure for runtime server resolution.

One alternative way of implementing this would be adding an exec style expansion on startup e.g. $SHELL{<program>}.  If the number of servers didn't change then that'd work.
That at least gets you some dynamic server resolution, but it obviously wouldn't work for referrals, which is where I see this sort of thing being far more useful.


>> just use an LDAP connection pool - define all 3 servers as a load
>> balanced redundant array and then the server will
>> know the state of all three
> 
> Gonna look into this for now :)

Yeah, if all you want is redundancy, just do that. Or in v3.0.x you can even specify multiple "server" config items. That'll be gone in v4.0.x though.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
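Alan's "load balanced redundant array" suggestion, spelled out as a v3.0.x configuration. This is an added example, not config from the thread or the project: hostnames, the bind DN and the password are placeholders, and the second and third instances are assumed to be identical to the first apart from `server`.

```conf
# mods-available/ldap: one rlm_ldap instance per directory server, each
# with its own connection pool so a dead server only drains its own pool.
ldap ldap1 {
	server = 'ldap1.example.org'          # placeholder hostname
	port = 389
	identity = 'cn=radius,ou=services,dc=example,dc=org'   # placeholder DN
	password = 'REPLACE_ME'               # placeholder
	base_dn = 'dc=example,dc=org'
	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	tls {
		start_tls = yes
		require_cert = 'demand'           # never talk plaintext bind to an unverified server
	}
	pool {
		start = 2                         # connections opened at startup
		min = 2
		max = 10
		spare = 2
		uses = 0                          # unlimited uses per connection
		lifetime = 0
		idle_timeout = 60                 # reap idle connections so pools recover
	}
}
# ldap2 and ldap3 are assumed to repeat the block above with only server changed.
ldap ldap2 {
	server = 'ldap2.example.org'          # placeholder hostname
	$INCLUDE ldap-common.conf             # assumed file holding the shared settings above
}
ldap ldap3 {
	server = 'ldap3.example.org'          # placeholder hostname
	$INCLUDE ldap-common.conf
}

# sites-available/default, authorize section: pick one instance at random
# for each request and fall through to the next when it returns fail
# (e.g. its pool cannot reach the server).
authorize {
	redundant-load-balance {
		ldap1
		ldap2
		ldap3
	}
}
```

The state of each server is tracked only through its own pool, which is exactly the static, startup-time picture this thread says rlm_ldap is limited to; SRV changes after startup still require a restart or HUP.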