[RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

Andrew D. Clark adc at umn.edu
Sat Dec 18 10:31:43 CST 2010


On Saturday, December 18, 2010 03:18:19 am Christian Kratzer wrote:
> Hi,
> 
> On Fri, 17 Dec 2010, Leigh Porter wrote:
> > I tried these methods and none of them really worked effectively against
> > a defective LDAP server. The best solution I found was a decent load
> > balancer with LDAP server availability testing..
> 
> we have a customer setup that successfully uses AuthBy LDAP for HA failover
> as follows:
> 
>  	AuthByPolicy ContinueWhileIgnore
>  	AuthBy ldap1
>  	AuthBy ldap2
>  	AuthBy ldap3
> 
> Radiator notices failed ldap servers usually when it gets a socket error
> from a dead server and moves on to the next server.
> 
> I believe there are still situations when the specific request which runs
> into an error situation is dropped but radius resends should handle those
> cases.
> 
> Greetings
> Christian

Thanks all - I'll list them individually as I'm doing for other round-robin 
hosts.  It isn't the most convenient, but it seems to be the most predictable 
and useful way of doing it when you have one out of three hosts fall out of 
service.  We generally pull a failed host's A record out of the DNS at that 
time as well, but in either case, I'm still sending a HUP to Radiator.  
Putting a load balancer in front of those servers would solve the problem as 
well.

Musings ahead:

What would we all think of something like a MultiHost or RRHost configuration 
parameter that turned a round-robin resource record into multiple Host 
parameters?  That sounds convenient from a configuration perspective but could 
hold surprises when your host order changes.  The same result could be 
realized without any patches by using a pipe to another program in the 
configuration that generated the right stuff.

Going a little farther out on a limb now and into quite a bit more 
programming, perhaps with a RefreshTime parameter (based on the TTL by 
default) that would re-resolve the record periodically?  I can see quite a few 
failure cases that would need to be handled for that sort of thing to be 
robust in the face of DNS failure - and it certainly couldn't be robust in the 
case of DNS operator error.

--
Andrew Clark
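One way to do the "pipe to another program" expansion described above, as an added example that is not from this thread or from Radiator itself: a script that resolves the round-robin name once, sorts the addresses so regenerated output is stable even when the DNS answer order rotates, and emits one AuthBy LDAP2 clause per address inside an AuthBy GROUP using AuthByPolicy ContinueWhileIgnore. The hostname, BaseDN and Identifier values are placeholders, and the resolver argument exists only so the function can be exercised offline.

```python
"""Expand a round-robin DNS name into one AuthBy LDAP2 clause per address.

Hypothetical helper, not part of Radiator. Its output is meant to be written
to a file that the main Radiator config includes, regenerated before the HUP.
"""
import ipaddress
import socket
import sys


def resolve_round_robin(name, resolver=socket.getaddrinfo):
    """Return every distinct IPv4 address behind `name`, sorted by address."""
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in resolver(
            name, 389, socket.AF_INET, socket.SOCK_STREAM):
        addrs.add(sockaddr[0])
    # Sort by address value, not by the order DNS returned them, so the
    # generated file is identical across runs and a rotated answer does not
    # silently change which server Radiator tries first.
    return sorted(addrs, key=ipaddress.ip_address)


def render_authby_group(addrs, base_dn, identifier="ldap-rr"):
    """Emit an <AuthBy GROUP> that tries each LDAP host in turn."""
    if not addrs:
        # An empty group would make every request fail; better to keep the
        # previous file and let the operator notice the resolution failure.
        raise ValueError("no addresses resolved; refusing to emit empty group")
    lines = ["<AuthBy GROUP>",
             f"\tIdentifier {identifier}",
             "\tAuthByPolicy ContinueWhileIgnore"]
    for i, addr in enumerate(addrs, 1):
        lines += ["\t<AuthBy LDAP2>",
                  f"\t\tIdentifier {identifier}-{i}",
                  f"\t\tHost {addr}",
                  f"\t\tBaseDN {base_dn}",
                  "\t</AuthBy>"]
    lines.append("</AuthBy>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder name and BaseDN; pass the real round-robin name as argv[1].
    name = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    sys.stdout.write(render_authby_group(resolve_round_robin(name),
                                         "dc=example,dc=com"))
```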