> So your 4 write servers are in MMR. Then you have 2 -> N
> as well which scale up and down.
> Do you plan to have ldap.example.com
> point to the IPs of the
> read-onlies directly? Or to a load balancer?
Yes, we already got that.
> If this was me, just because of the scaling requirements, I would
> actually recommend TLS termination on the load balancer, then LDAP
> plaintext to the 2 -> N consumers (or LDAPS to the consumers, where
> the LB trusts the CA that signed the read-onlies). I.e.:
> Client -- TLS connection 1 --> [ LB ] -- TLS Connection 2 -->
> TLS connection 1 is presented by the LB, which offers a valid cert/CA
> chain. The LB then would re-encrypt, but trusting the CA of TLS
> connection 2, which is self-signed, to the read-onlies.
OK, I'll try with this approach.
> Another main point here: when a read-only is scaled up (added),
> you'll need to automate the addition of the replication agreements
> to the write servers, plus a full reinit on first start.
I'm working on that; as you can see from my previous posts, I'm developing our
custom MMR script to automate everything.
> Does that help?
Indeed. Thanks a lot for your time,
-- Institut Mallorqui d'Afers Socials. This message, and any attached file where
applicable, is addressed exclusively to the person who is its recipient and may contain
confidential information. In no case should you copy this message or hand it over to
third parties without the express permission of IMAS. If you are not the recipient
indicated (or the person responsible for delivering it to them), please notify the
sender immediately at their e-mail address.
-- Before printing this message, consider whether it is really necessary.
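The scale-up automation discussed above (add agreements from every write server to the new consumer, then a full reinit on first start) as a worked example. This is added here and is not the poster's MMR script nor code from the thread. It assumes 389 Directory Server's `dsconf` CLI, since "replication agreements" and "reinit" are its terms; the host names, suffix, replication bind DN and password-file paths are placeholders, and the `--bind-passwd-file` option plus the wording of the `init-status` output are assumptions about a recent dsconf. Two points the thread implies but does not spell out are built in: the consumer is initialised from only one of the four writers (starting four concurrent reinits of the same consumer is wrong), and the consumer is reported ready for the `ldap.example.com` pool only after that initialisation finishes, so the LB never hands clients an empty tree.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes 389 Directory Server's
# `dsconf` CLI; host names, suffix, bind DN and file paths are placeholders.
# Usage: ./add-consumer.sh ro-5.example.com
set -eu

DSCONF="${DSCONF:-dsconf}"                 # set DSCONF=echo for a dry run
SUFFIX="${SUFFIX:-dc=example,dc=com}"
# The four MMR write servers: every one needs an agreement to the new consumer.
WRITERS="${WRITERS:-write1.example.com write2.example.com write3.example.com write4.example.com}"
REPL_BIND_DN="${REPL_BIND_DN:-cn=replication manager,cn=config}"
# Passwords come from root-only files, never from argv (visible in ps and shell history).
REPL_PW_FILE="${REPL_PW_FILE:-/etc/dirsrv/repl-manager.pw}"
DM_PW_FILE="${DM_PW_FILE:-/etc/dirsrv/dm.pw}"

# Agreement name derived from the consumer's short host name, e.g. to-ro-5.
agmt_name() {
    echo "to-$(echo "$1" | cut -d. -f1)"
}

# Create one agreement from a write server to the consumer over LDAPS
# (the writer must trust the CA that signed the consumer's cert).
# Pass "init" as the third argument to also start a full initialisation.
create_agreement() {
    writer="$1"; consumer="$2"; do_init="${3:-no}"
    set -- repl-agmt create --suffix "$SUFFIX" --host "$consumer" --port 636 \
        --conn-protocol LDAPS --bind-method SIMPLE --bind-dn "$REPL_BIND_DN" \
        --bind-passwd-file "$REPL_PW_FILE"
    if [ "$do_init" = "init" ]; then
        set -- "$@" --init
    fi
    "$DSCONF" -D "cn=Directory Manager" -y "$DM_PW_FILE" "ldaps://$writer:636" \
        "$@" "$(agmt_name "$consumer")"
}

# Poll the agreement's init status on one writer; gives up after $3 tries.
# Returns 0 once dsconf reports the agreement as successfully initialised
# (assumed wording of the init-status output).
wait_for_init() {
    writer="$1"; consumer="$2"; tries="${3:-60}"
    while [ "$tries" -gt 0 ]; do
        if "$DSCONF" -D "cn=Directory Manager" -y "$DM_PW_FILE" "ldaps://$writer:636" \
              repl-agmt init-status --suffix "$SUFFIX" "$(agmt_name "$consumer")" \
              | grep -qi "successfully initialized"; then
            return 0
        fi
        tries=$((tries - 1)); sleep 5
    done
    return 1
}

# Scale-up hook: agreements from all writers, reinit from the first writer only,
# and only after that finishes is the consumer safe to put behind the LB.
add_consumer() {
    consumer="$1"; first=""
    for w in $WRITERS; do
        if [ -z "$first" ]; then
            first="$w"
            create_agreement "$w" "$consumer" init
        else
            create_agreement "$w" "$consumer"
        fi
    done
    wait_for_init "$first" "$consumer" || { echo "init of $consumer did not finish" >&2; return 1; }
    echo "$consumer initialised; safe to add to the ldap.example.com pool"
}

if [ "$#" -gt 0 ]; then
    add_consumer "$1"
fi
```

Run it from whatever scales the consumers out (cloud-init, an orchestrator hook), with `DSCONF=echo` first to see the exact commands it would issue; the teardown path (deleting the agreements when a consumer is scaled down) is the same loop with `repl-agmt delete`.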