3.2.0: dynamic_home_servers ?

Alan DeKok aland at deployingradius.com
Wed Jun 1 13:14:39 UTC 2022


On May 31, 2022, at 11:17 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
> so the whole test
> 
> %{home_server_dynamic:%{1}}
> 
> really means "does a home_server with the stanza name %{1} exist, either in the list of home_servers defined in proxy.conf -> expands to 0; or in the home_servers/* list -> expands to 1; or nowhere -> expands to <nothing>".

  Yes.

> So I'd have to rename my server_x home_server stanzas inside realms.conf to the realm they serve to make that match, and get my "case 0" out of it.

  That should work, yes.

> Real life has the complication though that one such home_server serves multiple realms. But the stanza can have only one name. I guess so long as stanzas with different names (=matching realms) can exist with the same destination server IP inside, that can be done. But then still this is not as flexible as realms.conf, e.g. regex realm matches are missing etc. (and not having a _pool hurts too)

  That is definitely a problem.  The dynamic home servers are just that... home servers, and only home servers.  :(

  For now it's too hard to add dynamic pools of home servers.  And I don't think there's ever a reason to mix statically defined home servers, and dynamically defined home servers for the same realm / pool.

> So, the workaround I referred to earlier, about checking whether suffix has already found something and then not going dynamic, is maybe the better option after all.

  Yes.

  If there are additional features which could help, that's easy enough to add.  Maybe perhaps relaxing the restrictions on home server names, and then adding some new configuration which says "this home server is for realm FOO".   Even something like the following might work:

* add a list of dynamically mapped realms -> home servers.  The home servers can be named anything

* read in a dynamic home server from raddb/home_servers/,
  * the filename is the realm / domain name
  * the "home_server NAME { ... }" can be anything, we don't care about it

* there can be multiple soft links to the same file, in which case each filename maps to a realm, which uses the same home server.


  I think that's compatible with the existing scheme.  And should be a bit more useful.

  It still doesn't get pools of home servers, or failover, but it is a step forwards.

  Alan DeKok.
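
A sketch of the lookup that the proposed layout above implies (file name is the realm, stanza name is free-form, symlinks let several realms share one home server), added here as an example; it is not FreeRADIUS code and not part of the original message. The function names, the sample realms, and the rule that a realm must be a plain file name whose resolved target stays inside the directory are assumptions.

```shell
#!/bin/sh
# Added illustration of the proposed layout; not FreeRADIUS code.
# File name = realm, stanza name is free-form, symlinks share one home server.

# Print the stanza name serving REALM under DIR.
# Returns 1 if no file matches, 2 if the realm is not a safe file name.
realm_to_home_server() {
    dir=$1
    realm=$2
    # The realm is taken from User-Name, so never let it act as a path.
    case $realm in
        ''|.*|*/*) return 2 ;;
    esac
    [ -f "$dir/$realm" ] || return 1      # -f follows symlinks; dangling links fail
    real=$(readlink -f "$dir/$realm") || return 1
    base=$(readlink -f "$dir") || return 1
    case $real in
        "$base"/*) ;;                      # resolved target must stay inside DIR
        *) return 2 ;;
    esac
    # First "home_server NAME {" line in the file; NAME can be anything.
    name=$(sed -n 's/^[[:space:]]*home_server[[:space:]][[:space:]]*\([^[:space:]{][^[:space:]{]*\).*/\1/p' "$real" | head -n 1)
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Build a constructed sample directory and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/example.org" <<'EOF'
home_server shared_idp {
	ipaddr = 192.0.2.10
	port = 1812
	type = auth
	secret = constructed-sample-secret
}
EOF
    ln -s example.org "$d/example.net"    # second realm, same home server
    printf '%s\n' "$d"
}
```

Both `example.org` and `example.net` resolve to the stanza `shared_idp`, while a realm containing `/` or a link pointing outside the directory is refused rather than opened.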


