
List:       freeradius-users
Subject:    Re: 3.2.0: dynamic_home_servers ?
From:       Stefan Winter <stefan.winter () restena ! lu>
Date:       2022-05-31 15:17:16
Message-ID: c26356dd-a78d-9d68-54c6-46da8c484fb3 () restena ! lu

Okay,


so the whole test

> %{home_server_dynamic:%{1}} |

really means "does a home_server with the stanza name %{1} exist, either 
in the list of home_servers defined in proxy.conf -> expands to 0; or in 
the home_servers/* list -> expands to 1; or nowhere -> expands to <nothing>".


So I'd have to rename my server_x home_server stanzas inside realms.conf 
to the realm they serve to make that match, and get my "case 0" out of it.


Real life has the complication though that one such home_server serves 
multiple realms. But the stanza can have only one name. I guess so long 
as stanzas with different names (=matching realms) can exist with the 
same destination server IP inside, that can be done. But then still this 
is not as flexible as realms.conf, e.g. regex realm matches are missing 
etc. (and not having a _pool hurts too)


So, the workaround I referred to earlier, about checking whether suffix 
has already found something and then not going dynamic, is maybe the 
better option after all.


Greetings,


Stefan Winter


On 31.05.22 16:53, Alan DeKok wrote:
> On May 31, 2022, at 10:32 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
> > that doesn't change anything:
>
> Arg.  You should see %{1} getting expanded to something, and then
> %{home_server_dynamic:something} get expanded to "0" or "1"
>
> I'll find some more time for testing this.
> 
> > Reading this I wonder... how are realms.conf realms / home_server_pool /
> > home_server and home_servers/* meant to co-exist?
>
> Dynamic home servers are just home_servers which are loaded while the server is
> running.
>
> Any home_server MUST define a unique home server.
>
> A home_server_pool can only contain static home servers.  Adding / deleting dynamic
> servers to pools is hard.
>
> Realms can only point to a static home_server_pool.
>
> The realm / home_server_pool / home_server name spaces are separate.  So you can
> use the same name in each one, and they don't conflict.  They also don't have any
> relationship, so "realm foo" doesn't need to point to "home_server_pool foo"
>
> > Isn't a realms.conf defined realm "education.lu" just as static as one that is
> > defined via home_servers/ ?
>
> Dynamic home_servers don't define realms, tho.  They just define home_servers.  You
> can't dynamically define a "realm".
>
> The whole "realm" thing is a throwback to 1995 or so, and is in v3 for historical
> reasons, and for ease of configuration.
>
> > If there is no way to detect that a realm is already handled via normal "suffix"
> > style Proxy-To-Realm, then this would mean one has to choose one or the other way
> > of defining realms?
>
> There's only one way to define realms, via a "realm" definition.  That's why the
> server accepts:
>
> Proxy-To-Realm = "foo"
>
> 	proxies to a "realm foo", which in turn points to a home_server_pool, which
> 	points to home_server(s)
>
> Home-Server-Pool = "bar"
>
> 	proxies to "home_server_pool bar", which generally points to home_server(s)
> 	this also doesn't use any "realm" definition
>
> Home-Server = "bar"
>
> 	proxies to "home_server bar", but doesn't use any fail-over / load-balancing of a
> 	"home_server_pool"
>
> > (And how/where/why do I set "dynamic=true" for a given realm/home_server? The
> > setting in proxy.conf is a global setting?)
>
> The setting in proxy.conf is whether or not dynamic home servers are allowed at
> all.  There's no similar "dynamic = true" in the home servers read from the
> home_servers/ directory.  That's added automatically.
>
> > FWIW, freshly starting 3.2.0 with my config lists all the realms.conf style
> > realms with radmin:
> > 
> > tld2bin #../sbin/radmin -e "show home_server list all"
> > 
> > [...]
> > 
> > 158.64.1.8      1812    udp     auth+acct       unknown 0       (name=server_158.64.1.8, dynamic=no)
> > 158.64.1.8      1813    udp     acct            unknown 0       (name=server_158.64.1.8, dynamic=no)
> > 158.64.1.43     1812    udp     auth+acct       unknown 0       (name=server_158.64.1.43, dynamic=no)
> > 158.64.1.43     1813    udp     acct            unknown 0       (name=server_158.64.1.43, dynamic=no)
> > 
> > So I kind of expected the expansion home_server_dynamic:%{1} to find them as
> > "case 0". Anyway, once it does discovery as above, the new entry is listed, and
> > is considered dynamic, and future expansions go to "case 1":
> > 
> > 158.64.1.26     2083    tcp     auth            unknown 0       (name=education.lu, dynamic=yes)
>
> That's good.
> 
> > Maybe one complication is that the home_servers defined in realms.conf do not
> > have a name that gives away the realm they serve (i.e. server_158.64.1.8 etc.).
>
> Yes.  There's no strong tie between home_server and realm.  Because you can have
> multiple realms use the same home server.  And the same home server can be in
> multiple home_server_pools.
>
> Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 
-- 
This email may contain information for limited distribution only, please treat
accordingly.

Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

