Cool, I'm getting there! Unfortunately, and for good reasons, the creator of ae-dir.com
has restricted modifying access for config (in order to tightly control runtime config state).
So this is as far as I get:
```
[nix-shell] ➜ aedir-ldap.k8s git:(da-openldap-base) ✗ just mprovider
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /var/run/certs/svid.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /var/run/certs/svid_key.pem
modifying entry "cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: operation restricted
command terminated with exit code 53
error: Recipe `mprovider` failed with exit code 5
```
Furthermore, would this dummy change also reload the certificates that are configured for the syncrepls?
See:
```
dn: olcDatabase={2}mdb,cn=config
.local bindmethod=sasl timeout=5 network-timeout=5 saslmech=EXTERNAL keepaliv
e=240:10:30 starttls=no tls_cert="/var/run/certs/svid.pem" tls_key="/var/run/
certs/svid_key.pem" tls_cacert="/var/run/certs/svid_bundle.pem" tls_reqcert=d
emand tls_cipher_suite=ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:
ECDH-RSA-AES256-GCM-SHA384:!ADH tls_protocol_min=3.3 tls_crlcheck=none filter
="(objectClass=*)" searchbase="ou=ae-dir" scope=sub attrs="*,+" schemacheckin
g=on type=refreshAndPersist retry="30 +"
```
I'm starting to think plain process signalling for reloading the TLS context would actually be a cleaner, more elegant and stable solution.
Would you be ok if I opened an issue for that?