[RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

Heikki Vatiainen hvn at open.com.au
Fri Dec 17 16:24:52 CST 2010


On 12/17/2010 11:29 PM, Christian Kratzer wrote:

>> one more quick question.  What is the behavior of AuthBy LDAP2 with a
>> round-robin DNS entry (multiple A records for the RR)?  If I'd like
>> failover behavior, will a single Host declaration with a round-robin
>> record be enough, or do I need to list out each individual LDAP
>> server?
> 
> you should explicitly list all servers as DNS will get resolved once
> on load of config.

That is true with e.g. Clients, but from the manual it looks like AuthBy
LDAP2 behaves a bit differently. Quote:

  Multiple space separated host names can be specified
  and Net::LDAP will choose the first available one.

A quick check shows that the host name(s) are passed to Net::LDAP which
takes care of resolving names to addresses. Note also how the doc below
says hosts are tried until there is success.

http://search.cpan.org/~gbarr/perl-ldap-0.4001/lib/Net/LDAP.pod#new

Radiator seems to create a new Net::LDAP for each (re)connect so it
might be that DNS is queried when there was a disconnect and a reconnect
needs to be done.

So listing the hosts, like Christian writes, seems to be easier than
trying to follow Net::LDAP's method of resolution.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
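The Net::LDAP behaviour discussed above (a host list tried in order until one connects), as an added check script that is not part of the original thread or of Radiator; the host names are placeholders:

```perl
#!/usr/bin/env perl
# Added example: show what each configured LDAP host name resolves to at
# this moment, then let Net::LDAP pick the first reachable one, which is
# the same fallback that AuthBy LDAP2 gets from a space separated Host list.
use strict;
use warnings;
use Net::LDAP;
use Socket qw(getaddrinfo getnameinfo SOCK_STREAM NI_NUMERICHOST NIx_NOSERV);

# Placeholder servers. A round-robin name would be a single entry here
# that expands to several addresses in the loop below.
my @hosts = qw(ldap1.example.com ldap2.example.com);

for my $h (@hosts) {
    my ($err, @res) = getaddrinfo($h, 'ldap', { socktype => SOCK_STREAM });
    if ($err) {
        print "$h: cannot resolve ($err)\n";
        next;
    }
    # Each result holds a packed sockaddr; turn it back into a numeric IP.
    for my $r (@res) {
        my ($nerr, $ip) = getnameinfo($r->{addr}, NI_NUMERICHOST, NIx_NOSERV);
        print "$h -> ", ($nerr ? "?" : $ip), "\n";
    }
}

# Net::LDAP tries each element of the array ref in order until a connection
# succeeds; on total failure it returns undef and puts the reason in $@.
my $ldap = Net::LDAP->new(\@hosts, timeout => 5, version => 3)
    or die "no LDAP server reachable: $@\n";
printf "connected to %s:%d\n", $ldap->host, $ldap->port;
$ldap->unbind;
```

Running this from the RADIUS server while one LDAP host is down shows whether the fallback lands on the host you expect, independent of how often Radiator reconnects.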