I can see how ramping up diagnosis capabilities on a running piece of software is an outstanding feature, that unfortunately not a lot programs have out there.

My mental model of gitops certainly doesn't aim at blocking diagnostic capabilities, it does however seek to keep critical knobs under a general, unified and well established approval and auditing process across the entire system components zoo.

> I suggest writing an overlay for this, whose only function is to schedule a periodic task that does all of the
refreshing you want to have happen.

I understand why signalling is not considered a valid solution. In fact it's not the cleanest one. Given the security aware user base of OpenLDAP, I'd predic that a generic solution to certificate rolling will spark some interest.

Times where such a roll is done once in a few years are fading. In my case, the default with spiffe is every 5 minutes, but short lived certificates are a general trend in software.

Wouldn't we be able to conceive an acceptable patch that doesn't introduce (too much) runtime penalties which gracefully reloads TLS context on expiry exactly once? 

Assuming that the proclaimed trend towards short lived certificates pervails, such patch adds value to OpenLDAP's user community as it - by default - lowers the barrier to adoption of more secure practices.

Best Regards,
David A.

El sábado, 22 de agosto de 2020, Howard Chu <hyc@symas.com> escribió:
David Arnold wrote:
> However, for realoding rolled certs this is a bit unfortunante. Alternatively, would it be possible rather than using
> a SIGNAL to gracefully fall back to reload the TLS context once if the current certs appear expired?
>
> I predict I'm not gonna be the last person with this issue...

I suggest writing an overlay for this, whose only function is to schedule a periodic task that does all of the
refreshing you want to have happen.
>
> Best Regards,
> David A.
>
> On Fri, Aug 21, 2020 at 15:36, Quanah Gibson-Mount <quanah@symas.com> wrote:
>> --On Friday, August 21, 2020 5:53 PM -0500 David Arnold <dar@xoe.solutions <mailto:dar@xoe.solutions>> wrote:
>>
>>     Cool, I'm getting there! Unfortunately and for good reasons the creator of ae-dir.com has restricted modifying access for config (in order to tightly
>>     control runtime config state).
>>
>>     SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>
>> Did you actually add an authz-regexp to your config that maps this DN to the cn=config rootdn? Otherwise I'd expect it to fail. Not sure this is really an
>> AEDir thing.
>>
>>     Furthermore, would this dummy change also reload the certificates that are configured for the syncrepls?
>>
>> No, you'd need to do a replace op on the olcSyncrepl attribute for that database as well. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas
>> Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/