> Did you actually add an authz-regexp to your config that maps this DN to the cn=config rootdn? Otherwise I'd expect it to fail. Not sure this is really an AEDir thing.

Yep, double checked.
Globally, I'm impersonating root:

```
# Map root user to rootdn when SASL/EXTERNAL is used with LDAPI
authz-regexp "gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=root,ou=ae-dir"
```

and config is really set read-only:

```
database config

require strong

# yes, really read-only!
readonly on
restrict write

access to
  dn.subtree="cn=config"
  attrs=entry,objectClass,olcServerID,olcSaslHost
    by dn.onelevel="cn=ae,ou=ae-dir" read
    by group/aeGroup/member="cn=ae-login-proxies,cn=ae,ou=ae-dir" read
    by * none break

access to
  dn.subtree="cn=config"
    by dn.exact="cn=root,ou=ae-dir" read
    by group/aeGroup/member="cn=ae-admins,cn=ae,ou=ae-dir" read
    by group/aeGroup/member="cn=ae-auditors,cn=ae,ou=ae-dir" read
    by * none
```

Since I'm probably going to write a controller which joins syncrepls on the fly anyway, I need to deviate from this.

However, for reloading rolled certs this is a bit unfortunate. Alternatively, rather than using a SIGNAL, would it be possible to gracefully fall back to reloading the TLS context once if the current certs appear expired?

I predict I'm not gonna be the last person with this issue...

Best Regards,
David A.

On Fri, Aug 21, 2020 at 15:36, Quanah Gibson-Mount <quanah@symas.com> wrote:

> --On Friday, August 21, 2020 5:53 PM -0500 David Arnold <dar@xoe.solutions> wrote:
>
>> Cool, I'm getting there! Unfortunately and for good reasons the creator of ae-dir.com has restricted modifying access for config (in order to tightly control runtime config state).
>>
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>
> Did you actually add an authz-regexp to your config that maps this DN to the cn=config rootdn? Otherwise I'd expect it to fail. Not sure this is really an AEDir thing.
>
>> Furthermore, would this dummy change also reload the certificates that are configured for the syncrepls?
>
> No, you'd need to do a replace op on the olcSyncrepl attribute for that database as well.
>
> Regards,
> Quanah
>
> --
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
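As an added example (this is not code from the thread, from OpenLDAP, or from the ae-dir project), here is the operator-side version of the "replace op" route Quanah describes: a small POSIX shell script that builds the LDIF which re-applies the current olcTLS* attributes on cn=config and the current olcSyncrepl value(s) on the consumer database, so that slapd re-reads rolled certificate files without a restart. The certificate paths, the database DN `olcDatabase={1}mdb,cn=config` and the syncrepl line are constructed placeholders; the `cert_expiring_soon` helper (which gates on "expires within N seconds" rather than "already expired", a deliberate generalisation of the question above) wraps `openssl x509 -checkend` so a cron job can run the reload only when a roll is due.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenLDAP or ae-dir: build the LDIF
# that re-applies the current TLS settings on cn=config and the current
# olcSyncrepl value(s) on the consumer database. Both are "same value" replace
# operations; slapd rebuilds its TLS context / restarts the consumer on them,
# which is what makes the new certificate files on disk take effect.
# All paths, the database DN and the syncrepl line are constructed placeholders.

# Replace the olcTLS* attributes on cn=config with their current values.
tls_reload_ldif() {
  cert="$1"; key="$2"; ca="$3"
  printf 'dn: cn=config\nchangetype: modify\n'
  printf 'replace: olcTLSCertificateFile\nolcTLSCertificateFile: %s\n-\n' "$cert"
  printf 'replace: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: %s\n-\n' "$key"
  printf 'replace: olcTLSCACertificateFile\nolcTLSCACertificateFile: %s\n' "$ca"
}

# Replace olcSyncrepl on the consumer database with its current value(s).
# $1 is the database DN; the remaining arguments are the current olcSyncrepl
# values exactly as ldapsearch returned them (the "{n}" ordering prefix may
# be kept; slapd re-applies it either way). The consumer threads restart on
# this change and pick up the new client certificate.
syncrepl_reload_ldif() {
  db="$1"; shift
  printf 'dn: %s\nchangetype: modify\nreplace: olcSyncrepl\n' "$db"
  for v in "$@"; do
    printf 'olcSyncrepl: %s\n' "$v"
  done
}

# One LDIF with both modifications, separated by the blank line LDIF requires.
# Arguments: cert key ca database-dn olcSyncrepl-value...
build_reload_ldif() {
  tls_reload_ldif "$1" "$2" "$3"
  printf '\n'
  db="$4"; shift 4
  syncrepl_reload_ldif "$db" "$@"
}

# Exit 0 when the certificate at $1 expires within $2 seconds (default: 7 days).
# openssl's -checkend exits 0 when the cert is still valid for that window,
# so the result is negated; a cron job can gate the reload on this.
cert_expiring_soon() {
  ! openssl x509 -in "$1" -noout -checkend "${2:-604800}"
}

# Stand-alone demonstration with constructed values: print the LDIF that would
# be piped into ldapmodify (see the usage note below).
build_reload_ldif \
  /etc/openldap/certs/server.crt \
  /etc/openldap/certs/server.key \
  /etc/openldap/certs/ca.crt \
  'olcDatabase={1}mdb,cn=config' \
  '{0}rid=001 provider=ldaps://provider1.example.com searchbase="ou=ae-dir" type=refreshAndPersist retry="5 +" tls_cert=/etc/openldap/certs/server.crt tls_key=/etc/openldap/certs/server.key'
```

The current olcSyncrepl value(s) to pass in come from `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={1}mdb,cn=config' -s base -LLL olcSyncrepl`, and the generated LDIF is applied with `build_reload_ldif ... | ldapmodify -Y EXTERNAL -H ldapi:///`. Two checks matter before relying on it: `ldapwhoami -Y EXTERNAL -H ldapi:///` shows which DN the peercred identity is mapped to by authz-regexp, and that DN needs write access to cn=config; with `readonly on` and `restrict write` on the config database, as in the configuration quoted above, slapd refuses the modify and the reload never happens, so the restriction has to be lifted for that identity first.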