Cool, I'm getting there! Unfortunately, and for good reasons, the creator of ae-dir.com has restricted modifying access for config (in order to tightly control runtime config state).
So this is as far as I get:

```
[nix-shell] ➜ aedir-ldap.k8s git:(da-openldap-base) ✗ just mprovider
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /var/run/certs/svid.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /var/run/certs/svid_key.pem

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
        additional info: operation restricted

command terminated with exit code 53
error: Recipe `mprovider` failed with exit code 5
```
Furthermore, would this dummy change also reload the certificates that are configured for the syncrepls? See:
```
dn: olcDatabase={2}mdb,cn=config
olcSyncrepl: rid=001 provider=ldaps://aedir-0.aedir.aedir-provider.svc.cluster.local bindmethod=sasl timeout=5 network-timeout=5 saslmech=EXTERNAL keepalive=240:10:30 starttls=no tls_cert="/var/run/certs/svid.pem" tls_key="/var/run/certs/svid_key.pem" tls_cacert="/var/run/certs/svid_bundle.pem" tls_reqcert=demand tls_cipher_suite=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:!ADH tls_protocol_min=3.3 tls_crlcheck=none filter="(objectClass=*)" searchbase="ou=ae-dir" scope=sub attrs="*,+" schemachecking=on type=refreshAndPersist retry="30 +"
```
I'm starting to think plain process signalling for reloading the TLS context would actually be a cleaner, more elegant and stable solution. Would you be ok if I opened an issue for that?
On Fri, Aug 21, 2020 at 12:00, Quanah Gibson-Mount quanah@symas.com wrote:
--On Friday, August 21, 2020 2:56 PM -0500 David Arnold <dar@xoe.solutions> wrote:
Since the paths don't actually change (and I have no means to make them change), can I do a dummy modification that would trigger cert reloading?
Yeah, just do a replace op, like:
```
ldapmodify ...
dn: cn=config
changetype: modify
replace: olcTLS..
olcTLS...: original value
```
For the slapd.conf configuration to enable the cn=config db just have:
```
database config
rootpw somepassword
```
and then you can bind to it w/ that password. Alternatively, you can set up an authz-regexp, etc.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
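The same-value replace that the reply describes, as an added example that is not part of the thread or of ae-dir: the script reads each global olcTLS* value from cn=config, re-applies it unchanged so slapd rebuilds its TLS context, and fingerprints the served certificate before and after so the reload can be verified. It assumes an ldapi:// socket with SASL/EXTERNAL write access to cn=config (the ae-dir server in the thread refuses such writes with "unwilling to perform"); the olcSyncrepl tls_* options are not covered here.

```bash
#!/usr/bin/env bash
# Added example (not the thread's own commands): reload slapd's TLS files by
# replacing each olcTLS* attribute on cn=config with its current value.
set -eu

LDAP_URI="${LDAP_URI:-ldapi:///}"   # assumption: local socket, SASL/EXTERNAL

# Join LDIF continuation lines (a leading space marks a wrapped line) so long
# paths such as /var/run/certs/... come back as one value.
unwrap_ldif() {
    awk 'NR > 1 && !/^ / { print buf; buf = "" }
         /^ / { buf = buf substr($0, 2); next }
         { buf = $0 }
         END { if (buf != "") print buf }'
}

# Print the value of one attribute from unwrapped LDIF on stdin.
attr_value() {
    awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# LDIF for a same-value "replace": still a modify, so slapd reloads the file.
reload_ldif() {
    printf 'dn: cn=config\nchangetype: modify\nreplace: %s\n%s: %s\n\n' "$1" "$1" "$2"
}

# Current value of an olcTLS* attribute on the running server.
current_value() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$LDAP_URI" -b cn=config -s base "$1" \
        | unwrap_ldif | attr_value "$1"
}

# Re-apply cert, key and CA file; attributes that are not set are skipped.
reload_tls() {
    local attr value
    for attr in olcTLSCertificateFile olcTLSCertificateKeyFile olcTLSCACertificateFile; do
        value="$(current_value "$attr")"
        [ -n "$value" ] || continue
        reload_ldif "$attr" "$value"
    done | ldapmodify -Q -Y EXTERNAL -H "$LDAP_URI"
}

# SHA-256 fingerprint of the certificate a host:port actually serves; compare
# the output before and after reload_tls to confirm the new file is in use.
served_fingerprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}
```

Run `served_fingerprint ldap.example.org:636` (hypothetical host), then `reload_tls`, then the fingerprint again; an unchanged fingerprint after a rotated file means the modify was refused or the server did not rebuild its context.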