> Alan DeKok wrote:
> Scott McLane Gardner wrote:
> > So, now I'm confused again. If this doesn't load balance, then how should
> > I really be going about this?
>
> It's hard.
Actually, on some further reading, it might not be: the LDAP library/DNS may take care of this instead of requiring special attention on the FreeRADIUS end.

Firstly, for redundancy (and I tested this and it seems to work) ldap_init allows a space separated list of hostnames which will be tried in order. FreeRADIUS just passes this string through and the LDAP libraries seem to be happy about that. The only rough edge is, cosmetically, the debug log statement appends ":<port>" which ends up looking like the port designation belongs just to the last host. There might also be trouble between FreeRADIUS config syntax (with separate port) and the fact that the LDAP libraries also allow ":<port>" appendixes on each of the space-separated hostnames; that I did not test.

For load-balancing (this I have not tested) a round-robin DNS for the LDAP servername may result in connections load balancing. Really this depends on the DNS caching behavior inside the LDAP library and on the host OS, but my impression is that by and large LDAP libraries treat DNS lookups sanely as a volatile item that needs to be re-loaded on re-use (there are Mozilla tickets wrestling with this for their LDAP re-implementation some years back, so even that lib might be OK.) At worst FreeRADIUS might need to add some fuzzing/connection-limits so that connections are regularly torn down and re-established, but not all at once, to force multiple DNS lookups when the server is started/hupped. If someone needs finer grained balancing, perhaps randomizing the connection pool selection may be needed.

Also not tested is the space-separated multi-url form that goes through ldap_initialize instead of ldap_init, but openldap docs say that is supported as well. So if that works, the only reason someone would still need to do r-l-m tricks is if they need to validate TLS certs and the LDAP servers are not presenting the round-robin name and cannot be fixed to do so.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
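As an added example (not code from FreeRADIUS or the OpenLDAP library), a small Python model of the two host-list forms discussed above: the ldap_init() space-separated "host[:port]" list and the ldap_initialize() space-separated URI list, plus a helper that mimics the debug line the post describes, which shows why a trailing ":<port>" reads as if it belonged only to the last host. The parsing rules follow the OpenLDAP manual page's description of ldap_init/ldap_initialize; the log-line format is assumed from the post, not taken from FreeRADIUS source.

```python
from urllib.parse import urlsplit

# Scheme defaults used by the URI form (ldap_initialize).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_host_list(hosts, default_port=389):
    """Model of an ldap_init()-style host string: space-separated
    hostnames, each optionally suffixed with ':<port>'.  Entries without
    a suffix get default_port (what FreeRADIUS passes as its separate
    'port' setting).  Returns [(host, port), ...] in try order."""
    result = []
    for entry in hosts.split():
        host, port = entry, default_port
        if entry.startswith("["):             # bracketed IPv6 literal
            close = entry.index("]")
            host = entry[1:close]
            if entry[close + 1:].startswith(":"):
                port = int(entry[close + 2:])
        elif entry.count(":") == 1:            # plain host:port
            host, port_str = entry.split(":")
            port = int(port_str)
        # Unbracketed IPv6 (several colons) is kept whole with default_port.
        result.append((host, port))
    return result


def parse_uri_list(uris):
    """Model of an ldap_initialize()-style string: space-separated LDAP
    URIs.  The scheme decides the default port when the URI has none.
    Returns [(scheme, host, port), ...] in try order."""
    result = []
    for uri in uris.split():
        u = urlsplit(uri)
        if u.scheme not in DEFAULT_PORTS:
            raise ValueError("unsupported scheme in %r" % uri)
        result.append((u.scheme, u.hostname, u.port or DEFAULT_PORTS[u.scheme]))
    return result


def as_logged(hosts, port):
    """Assumed shape of the debug line from the post: the whole host
    string with ':<port>' appended once at the end."""
    return "%s:%d" % (hosts, port)


def logged_line_misreads(hosts, port):
    """True when re-parsing the debug line as a host list would assign
    ports differently from the (hosts, port) pair actually configured."""
    configured = parse_host_list(hosts, port)
    reread = parse_host_list(as_logged(hosts, port))
    return configured != reread
```

The last function makes the post's "cosmetic" point concrete: with two hosts and port 636, the configured list is both on 636, while the logged string re-parsed as a host list would put only the second host on 636.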

