Hi again,
Continuing with my automation, I'm now facing the problem of SSL configuration.
Using certificates at LB level is not recommended according to https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html, and sharing keys is also discouraged, so my question is whether there is a way to prepopulate the NSS database with a predefined cert to deploy an instance quickly.
In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe more). It will be extremely rare to stop or reinstall masters, but with consumers I want the flexibility to create and destroy them at any moment.
Is there any best practice here?
abosch
--
On 23 May 2019, at 04:15, Angel Bosch abosch@ticmallorca.net wrote:
> Hi again,
> Continuing with my automation, I'm now facing the problem of SSL configuration.
> Using certificates at LB level is not recommended according to https://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html, and sharing keys is also discouraged, so my question is whether there is a way to prepopulate the NSS database with a predefined cert to deploy an instance quickly.
> In my planned setup I'll have 2 masters and 2 to 10 slaves/consumers (maybe more). It will be extremely rare to stop or reinstall masters, but with consumers I want the flexibility to create and destroy them at any moment.
> Is there any best practice here?
I think to answer this, I'd like to see a diagram or description of the network and deployment topology you have in mind to help advise for what you want to achieve here :)
> abosch
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
> I think to answer this, I'd like to see a diagram or description of the network and deployment topology you have in mind to help advise for what you want to achieve here :)
It's really very simple. Think of it like the typical MMR with 4 nodes:
https://i.imgur.com/DY8aSAo.png
but the number of consumers can go from 2 to N.
All consumers are read-only, and we have a generic FQDN pointing to them: ldap.example.com
The writable suppliers have their own FQDN too: ldapw.example.com
Is that enough for you?
abosch
--
Institut Mallorquí d'Afers Socials. This message and, where applicable, any attached file is addressed exclusively to its intended recipient and may contain confidential information. In no case should you copy this message or pass it on to third parties without the express permission of IMAS. If you are not the indicated recipient (or the person responsible for delivering it to them), we ask that you notify the sender immediately at their e-mail address.
--
Before printing this message, consider whether it is really necessary.
On 23 May 2019, at 17:12, Angel Bosch Mora abosch@imasmallorca.net wrote:
> I think to answer this, I'd like to see a diagram or description of the network and deployment topology you have in mind to help advise for what you want to achieve here :)
> It's really very simple. Think of it like the typical MMR with 4 nodes:
> https://i.imgur.com/DY8aSAo.png
> but the number of consumers can go from 2 to N.
> All consumers are read-only, and we have a generic FQDN pointing to them: ldap.example.com
> The writable suppliers have their own FQDN too: ldapw.example.com
> Is that enough for you?
I think so.
So your 4 write servers are in MMR. Then you have 2 -> N read-onlys as well, which scale up and down.
Do you plan to have ldap.example.com point to the IPs of the read-onlys directly? Or to a load balancer?
If this was me, just because of the scaling requirements, I would actually recommend TLS termination on the load balancer, then LDAP plaintext to the 2 -> N consumers (or LDAPS to the consumers, where the LB trusts the CA that signed the read-onlies), i.e.:
Client -- TLS connection 1 --> [ LB ] -- TLS Connection 2 --> [READ_ONLIES]
TLS connection 1 is presented by the LB, which offers a valid cert/CA chain. The LB then re-encrypts, trusting the CA of TLS connection 2, which is self-signed for the read-onlies.
Another main point here: when a read-only is scaled up (added), you'll need to automate the addition of the replication agreements on the write servers and conduct a full reinit on first start.
Does that help?
> abosch
--
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server SUSE Labs
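The two-hop TLS layout described in the reply above (TLS terminated at the load balancer, then re-encrypted to the read-only consumers with the LB trusting the consumers' internal CA), as an added HAProxy configuration example. This is not from the thread or the 389-ds project; the host names, IP addresses, certificate paths and server names are assumptions.

```haproxy
# Added example (not from the thread): HAProxy terminating LDAPS for
# ldap.example.com and re-encrypting to the read-only 389-ds consumers.
# IPs, paths and server names are assumed placeholders.
global
    # Refuse anything older than TLS 1.2 on both the client and the backend side.
    ssl-default-bind-options   ssl-min-ver TLSv1.2
    ssl-default-server-options ssl-min-ver TLSv1.2

defaults
    mode    tcp                 # LDAP is not HTTP: proxy at the TCP layer
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# TLS connection 1: the LB presents the publicly valid cert/CA chain for
# ldap.example.com (PEM bundle: server cert + intermediates + private key).
frontend ldaps_in
    bind *:636 ssl crt /etc/haproxy/certs/ldap.example.com.pem
    default_backend readonly_consumers

# TLS connection 2: re-encrypt to each consumer and REQUIRE its certificate
# to chain to the internal CA that signed the read-onlies. "verify none"
# would leave this hop encrypted but unauthenticated, so it is not used.
backend readonly_consumers
    balance roundrobin
    option  ldap-check          # LDAPv3 bind-based health check, not just a TCP connect
    default-server ssl verify required ca-file /etc/haproxy/certs/readonly-ca.pem check
    server ro1 10.0.10.11:636
    server ro2 10.0.10.12:636
    # Consumers added by the scale-up automation (ro3 .. roN) are appended here.
```

Because every consumer only needs a certificate signed by the one internal CA listed in `ca-file`, a newly created read-only can be handed its own key pair at build time without the public ldap.example.com certificate or key ever leaving the load balancer, which is the key-sharing concern raised in the first message. The plaintext variant the reply also mentions is the same backend with `ssl verify required ca-file ...` dropped and port 389 instead of 636; that leaves hop 2 unencrypted inside the network, so it is only appropriate where that segment is already isolated.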
> So your 4 write servers are in MMR. Then you have 2 -> N read-onlys as well, which scale up and down.
> Do you plan to have ldap.example.com point to the IPs of the read-onlys directly? Or to a load balancer?
Yes, we already have that.
> If this was me, just because of the scaling requirements, I would actually recommend TLS termination on the load balancer, then LDAP plaintext to the 2 -> N consumers (or LDAPS to the consumers, where the LB trusts the CA that signed the read-onlies), i.e.:
> Client -- TLS connection 1 --> [ LB ] -- TLS Connection 2 --> [READ_ONLIES]
> TLS connection 1 is presented by the LB, which offers a valid cert/CA chain. The LB then re-encrypts, trusting the CA of TLS connection 2, which is self-signed for the read-onlies.
OK, I'll try with this approach.
> Another main point here: when a read-only is scaled up (added), you'll need to automate the addition of the replication agreements on the write servers and conduct a full reinit on first start.
I'm working on that. As you can see from my previous posts, I'm developing our custom MMR script to automate everything.
> Does that help?
Indeed. Thanks a lot for your time,
abosch