Cool, I'm getting there! Unfortunately, and for good reasons, the creator of ae-dir.com
has restricted modify access to the config (in order to tightly control runtime config state).

So this is as far as I get:
```
[nix-shell] ➜ aedir-ldap.k8s git:(da-openldap-base) ✗ just mprovider
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /var/run/certs/svid.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /var/run/certs/svid_key.pem

modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
 additional info: operation restricted

command terminated with exit code 53
error: Recipe `mprovider` failed with exit code 5
```

Furthermore, would this dummy change also reload the certificates that are configured for the syncrepls?
See:

```
dn: olcDatabase={2}mdb,cn=config
olcSyncrepl: rid=001 provider=ldaps://aedir-0.aedir.aedir-provider.svc.cluster
 .local bindmethod=sasl timeout=5 network-timeout=5 saslmech=EXTERNAL keepaliv
 e=240:10:30 starttls=no tls_cert="/var/run/certs/svid.pem" tls_key="/var/run/
 certs/svid_key.pem" tls_cacert="/var/run/certs/svid_bundle.pem" tls_reqcert=d
 emand tls_cipher_suite=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
 ECDH-RSA-AES256-GCM-SHA384:!ADH tls_protocol_min=3.3 tls_crlcheck=none filter
 ="(objectClass=*)" searchbase="ou=ae-dir" scope=sub attrs="*,+" schemacheckin
 g=on type=refreshAndPersist retry="30 +"
```

I'm starting to think plain process signalling for reloading the TLS context would actually be a cleaner, more elegant and stable solution.
Would you be ok if I opened an issue for that?


On Fri, Aug 21, 2020 at 12:00, Quanah Gibson-Mount <quanah@symas.com> wrote:

--On Friday, August 21, 2020 2:56 PM -0500 David Arnold <dar@xoe.solutions> wrote:

Since the paths don't actually change (and I have no means to make them change), can I do a dummy modification that would trigger cert reloading?

Yeah, just do a replace op, like:

```
ldapmodify ...
dn: cn=config
changetype: modify
replace: olcTLS..
olcTLS...: original value
```

For the slapd.conf configuration to enable the cn=config db just have:

```
database config
rootpw somepassword
```

and then you can bind to it w/ that password. Alternatively, you can set up an authz-regexp, etc.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
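The "dummy" replace described in the quoted reply, written out as a small POSIX shell script. This is an added example and not code from the thread, from OpenLDAP or from ae-dir; it assumes a local `ldapi:///` socket (overridable via `LDAPI_URI`), that SASL/EXTERNAL over that socket maps to an identity allowed to write `cn=config`, and that the OpenLDAP client tools are on `PATH`. The helper `noop_replace_ldif` is generic (any DN, any attributes) so it can be pointed at other entries; whether such a replace also refreshes the `tls_cert`/`tls_key` used by the syncrepl consumers is the question left open above, and this script does not claim to settle it.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenLDAP or ae-dir: build and send
# the "dummy" replace that writes the current olcTLS* paths back into
# cn=config so slapd re-reads the certificate files.
# Assumptions: a local ldapi:/// socket (LDAPI_URI), SASL/EXTERNAL mapped to an
# identity allowed to write cn=config, and ldapsearch/ldapmodify on PATH.

LDAPI_URI="${LDAPI_URI:-ldapi:///}"   # assumed socket URI

# noop_replace_ldif DN ATTR=VALUE [ATTR=VALUE ...]
# Print an LDIF modify record that replaces each attribute with the value
# given. Fed the values already stored in the entry, this changes nothing in
# the config but still makes slapd process a replace on those attributes.
noop_replace_ldif() {
    dn="$1"; shift
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    first=1
    for pair in "$@"; do
        attr="${pair%%=*}"      # text before the first '='
        value="${pair#*=}"      # everything after it (may itself contain '=')
        [ "$first" -eq 1 ] || printf '%s\n' '-'
        printf 'replace: %s\n%s: %s\n' "$attr" "$attr" "$value"
        first=0
    done
}

# current_value ATTR: read one attribute of cn=config over the ldapi socket.
# ldapsearch wraps values longer than 76 chars onto continuation lines; the
# certificate paths in question are short, so a plain sed match is enough.
current_value() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$LDAPI_URI" -b cn=config -s base "$1" \
        | sed -n "s/^$1: //p"
}

# reload_tls: re-assert olcTLSCertificateFile and olcTLSCertificateKeyFile.
# Result 53 (unwillingToPerform, "operation restricted") is what the thread
# shows ae-dir returning: cn=config is write-restricted there, so this needs
# the rootpw / authz-regexp access the quoted reply mentions.
reload_tls() {
    cert="$(current_value olcTLSCertificateFile)"
    key="$(current_value olcTLSCertificateKeyFile)"
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "reload_tls: olcTLS* paths not readable from cn=config" >&2
        return 1
    fi
    noop_replace_ldif cn=config \
        "olcTLSCertificateFile=$cert" "olcTLSCertificateKeyFile=$key" \
        | ldapmodify -Q -Y EXTERNAL -H "$LDAPI_URI" && return 0
    rc=$?
    if [ "$rc" -eq 53 ]; then
        echo "reload_tls: cn=config refused the replace (53): config writes are restricted on this server" >&2
    fi
    return "$rc"
}

# Uncomment to run against a live server:
# reload_tls
```

Run `reload_tls` on the host where slapd listens on the ldapi socket; on a server like the one above that rejects writes to `cn=config`, it reports the result code 53 and exits non-zero rather than pretending the certificates were reloaded.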