3.2.0: dynamic_home_servers ?

Stefan Winter stefan.winter at restena.lu
Tue May 31 15:17:16 UTC 2022


Okay,


so the whole test

    %{home_server_dynamic:%{1}}

really means "does a home_server with the stanza name %{1} exist, either 
in the list of home_servers defined in proxy.conf -> expands to 0; or in 
the home_servers/* list -> expands to 1; or nowhere -> expands to <nothing>".


So I'd have to rename my server_x home_server stanzas inside realms.conf 
to the realm they serve to make that match, and get my "case 0" out of it.


Real life has the complication though that one such home_server serves 
multiple realms. But the stanza can have only one name. I guess so long 
as stanzas with different names (=matching realms) can exist with the 
same destination server IP inside, that can be done. But then still this 
is not as flexible as realms.conf, e.g. regex realm matches are missing 
etc. (and not having a _pool hurts too)


So, the workaround I referred to earlier, about checking whether suffix 
has already found something and then not going dynamic, is maybe the 
better option after all.


Greetings,


Stefan Winter


On 31.05.22 16:53, Alan DeKok wrote:
> On May 31, 2022, at 10:32 AM, Stefan Winter <stefan.winter at restena.lu> wrote:
>> that doesn't change anything:
>    Arg.  You should see %{1} getting expanded to something, and then %{home_server_dynamic:something} get expanded to "0" or "1"
>
>    I'll find some more time for testing this.
>
>> Reading this I wonder... how are realms.conf realms / home_server_pool / home_server and home_servers/* meant to co-exist?
>    Dynamic home servers are just home_servers which are loaded while the server is running.
>
>    Any home_server MUST define a unique home server.
>
>    A home_server_pool can only contain static home servers.  Adding / deleting dynamic servers to pools is hard.
>
>    Realms can only point to a static home_server_pool.
>
>    The realm / home_server_pool / home_server name spaces are separate.  So you can use the same name in each one, and they don't conflict.  They also don't have any relationship, so "realm foo" doesn't need to point to "home_server_pool foo"
>
>> Isn't a realms.conf defined realm "education.lu" just as static as one that is defined via home_servers/ ?
>    Dynamic home_servers don't define realms, tho.  They just define home_servers.  You can't dynamically define a "realm".
>
>    The whole "realm" thing is a throwback to 1995 or so, and is in v3 for historical reasons, and for ease of configuration.
>
>> If there is no way to detect that a realm is already handled via normal "suffix" style Proxy-To-Realm, then this would mean one has to choose one or the other way of defining realms?
>    There's only one way to define realms, via a "realm" definition.  That's why the server accepts:
>
>    Proxy-To-Realm = "foo"
>
> 	 proxies to a "realm foo", which in turn points to a home_server_pool, which points to home_server(s)
>
>    Home-Server-Pool = "bar"
>
> 	proxies to "home_server_pool bar", which generally points to home_server(s)
> 	this also doesn't use any "realm" definition
>
>    Home-Server = "bar"
>
> 	proxies to "home_server bar", but doesn't use any fail-over / load-balancing of a "home_server_pool"
>
>> (And how/where/why do I set "dynamic=true" for a given realm/home_server? The setting in proxy.conf is a global setting?)
>    The setting in proxy.conf is whether or not dynamic home servers are allowed at all.  There's no similar "dynamic = true" in the home servers read from the home_servers/ directory.  That's added automatically.
>
>> FWIW, freshly starting 3.2.0 with my config lists all the realms.conf style realms with radmin:
>>
>>
>> tld2bin #../sbin/radmin -e "show home_server list all"
>>
>> [...]
>>
>> 158.64.1.8      1812    udp     auth+acct       unknown 0       (name=server_158.64.1.8, dynamic=no)
>> 158.64.1.8      1813    udp     acct    unknown 0       (name=server_158.64.1.8, dynamic=no)
>> 158.64.1.43     1812    udp     auth+acct       unknown 0       (name=server_158.64.1.43, dynamic=no)
>> 158.64.1.43     1813    udp     acct    unknown 0       (name=server_158.64.1.43, dynamic=no)
>>
>>
>> So I kind of expected the expansion home_server_dynamic:%{1} to find them as "case 0". Anyway, once it does discovery as above, the new entry is listed, and is considered dynamic, and future expansions go to "case 1":
>>
>> 158.64.1.26     2083    tcp     auth    unknown 0       (name=education.lu, dynamic=yes)
>    That's good.
>
>> Maybe one complication is that the home_servers defined in realms.conf do not have a name that gives away the realm they serve (i.e. server_158.64.1.8 etc.).
>    Yes.  There's no strong tie between home_server and realm.  Because you can have multiple realms use the same home server.  And the same home server can be in multiple home_server_pools.
>
>    Alan DeKok.
>
-- 
This email may contain information for limited distribution only, please treat accordingly.

Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
