Hi,

I had no Paul's log so I produced my own log.


On 24 Mar 2021, at 18:09, Fabian Mauchle <fabian.mauchle@switch.ch> wrote:

Hi,

On 24.03.21, 08:49, "Fabian Mauchle" <fabian.mauchle@switch.ch> wrote:
   This first request is implicitly placed in the queue for the dynamic server (before the lookupCommand has even been called).

I have to corret myself here. Seems I've misunderstood that code block, and Pauls log (thanks!) clearly shows this. Reading it the right way, it looks quite intentional, not a bug.

The first request is _not_ placed on the dynamic servers queue.

And therefore it doesn’t break the first authentication. It is important to know that no request is lost and the first conversation is 
going via one fallback path and the next request later on via the dynamic path

But anyway we we will run into trouble. dynamic and fallback servers might include different realm blocks. So for dynamic realms which are not configured on the fallback servers the conversation might results in an Access-Reject for the first request and might results in an Access-Accept only in a second request via dynamic. 
This would break the service. 

Best regards,
Ralf

I read that one wrong, it only triggers the dynamic lookup, but the server selection is run again after the new realm structures have been set up. On this second (and any subsequent) passes, the dynamic server is ignored until its connection is established.

On 23.03.21, 13:04, "Paul Dekkers" <paul.dekkers@surf.nl> wrote:
   and whether we can have the dynamic lookup blocking
   for the request?

I will add it as a feature request. However, this might have quite some implications: if the lookup and connection setup is slow, this might block a realm for quite some time.

   That would allow fallback "as documented".

Could you point me to that documentation? (I couldn’t spot it in the manpages; just so I can keep any documentation up to date).

Best regards,
Fabian


_______________________________________________
radsecproxy mailing list -- radsecproxy@lists.nordu.net
To unsubscribe send an email to radsecproxy-leave@lists.nordu.net

-- 
Dipl. Inform. Ralf Paffrath
Phone: Tel.: 030 884299-0 (DFN-GS Berlin: Sekretariat)
Fax: 030 88 42 99 370 | http://www.dfn.de

Verein zur Förderung eines Deutschen Forschungsnetzes e.V.
Alexanderplatz 1, D - 10178 Berlin
Vorstand: Prof. Dr. Odej Kao (Vorsitzender) | Dr. Rainer Bockholt | Christian Zens
Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch
VR AG Charlottenburg 7729NZ | USt.-ID. DE 1366/23822