Did you actually add an authz-regexp to your config that maps this DN to the cn=config rootdn? Otherwise I'd expect it to fail. Not sure this is really an AEDir thing.
Yep, double checked.
Globally, I'm impersonating root:
```
# Map root user to rootdn when SASL/EXTERNAL is used with LDAPI
authz-regexp
    "gidnumber=0\\+uidnumber=0,cn=peercred,cn=external,cn=auth"
    "cn=root,ou=ae-dir"
```
and config really is set read-only:
```
database config
require strong
# yes, really read-only!
readonly on
restrict write
access to
    dn.subtree="cn=config"
    attrs=entry,objectClass,olcServerID,olcSaslHost
    by dn.onelevel="cn=ae,ou=ae-dir" read
    by group/aeGroup/member="cn=ae-login-proxies,cn=ae,ou=ae-dir" read
    by * none break
access to
    dn.subtree="cn=config"
    by dn.exact="cn=root,ou=ae-dir" read
    by group/aeGroup/member="cn=ae-admins,cn=ae,ou=ae-dir" read
    by group/aeGroup/member="cn=ae-auditors,cn=ae,ou=ae-dir" read
    by * none
```
Since I'm probably going to write a controller which joins syncrepls on the fly anyway, I need to deviate from this.
However, for reloading rolled certs this is a bit unfortunate. Alternatively, would it be possible, rather than using
a SIGNAL, to gracefully fall back to reloading the TLS context once if the current certs appear expired?
I predict I'm not gonna be the last person with this issue...
Best Regards,
David A.
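With cn=config read-only, the practical question after a cert rotation is whether slapd is still serving the old certificate. The following check is an added example, not code from the thread or from AE-DIR: it fingerprints the first certificate in the on-disk PEM file (chain files included) and compares it with what the ldaps port actually presents; the host, port and file path are assumptions, and the PEM used for the offline test is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import socket
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample input: ssl.PEM_cert_to_DER_cert only strips the armour and
# base64-decodes, so a placeholder body is enough to exercise the logic offline.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
ROTATED_DER = SAMPLE_DER + b" (rolled)"
SAMPLE_PEM = f"{PEM_HEADER}\n{base64.encodebytes(SAMPLE_DER).decode()}{PEM_FOOTER}\n"
ROTATED_PEM = f"{PEM_HEADER}\n{base64.encodebytes(ROTATED_DER).decode()}{PEM_FOOTER}\n"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first certificate block in a PEM file (the leaf in a chain file)."""
    start = pem_text.find(PEM_HEADER)
    end = pem_text.find(PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no certificate block found in PEM text")
    block = pem_text[start:end + len(PEM_FOOTER)]
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(block))


def served_fingerprint(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate slapd currently presents on an ldaps port.
    Verification is disabled on purpose: we want to observe what is served, not trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))


def stale_tls_context(on_disk_pem: str, served_fp: str) -> bool:
    """True when the file on disk was rolled but slapd still serves the previous cert."""
    return pem_fingerprint(on_disk_pem) != served_fp


if __name__ == "__main__":
    # Usage (assumed paths/host): check_cert.py /path/to/olcTLSCertificateFile ldap.example.org 636
    path, host, port = sys.argv[1], sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 636
    with open(path, encoding="ascii") as fh:
        stale = stale_tls_context(fh.read(), served_fingerprint(host, port))
    print("STALE: slapd still serves the old certificate" if stale else "OK: served cert matches disk")
```

A non-zero exit from the stale branch (or the boolean from `stale_tls_context`) is what a monitoring job would alert on after each rotation, instead of assuming the reload happened.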