Do you have load balancers in here at all? Or is it just directly
accessible servers? What does the TLS termination?
Yes, we use LB and VIPs to avoid any failure.
If you have load balancers/VIP involved, you should set the
nsslapd-referral to the hostname of the load balancer/VIP, rather
than to individual servers, and all certs must have the SAN for the
LB/VIP in them.
Does that help?
Absolutely, thanks for your time.
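
The check implied by the advice above, as an added example that is not part of the original thread: take the hostname from the `nsslapd-referral` URL and confirm that each server certificate has a SAN matching it. All hostnames, file names and helper function names are constructed for illustration, and the demo certificates are self-signed throwaways (OpenSSL 1.1.1 or later is assumed for `-addext`).

```bash
#!/bin/sh
# Added example. Hostnames, file names and helper names are constructed.

# Host part of an LDAP URL, e.g. ldaps://host:636/dc=example,dc=com -> host
# (IPv6 literals in brackets are not handled).
referral_host() {
    rh=${1#*://}                # drop the scheme
    rh=${rh%%/*}                # drop the DN and anything after it
    printf '%s\n' "${rh%%:*}"   # drop the port
}

# True only if the certificate matches the host. When a certificate carries
# DNS SANs, OpenSSL ignores the subject CN, as TLS clients do.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Constructed self-signed certificate: make_demo_cert OUT.pem CN SAN-list
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=$3" 2>/dev/null
}

# Report whether a server certificate is usable behind the referral target.
check_server() {   # check_server CERT.pem REFERRAL-URL
    host=$(referral_host "$2")
    if cert_covers_host "$1" "$host"; then
        echo "OK   $1 covers $host"
    else
        echo "FAIL $1 does not match $host"; return 1
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    referral='ldaps://ldap.example.com:636/dc=example,dc=com'   # LB/VIP name
    make_demo_cert "$dir/ldap1.pem" ldap1.example.com \
        'DNS:ldap1.example.com,DNS:ldap.example.com'
    make_demo_cert "$dir/ldap2.pem" ldap2.example.com 'DNS:ldap2.example.com'
    check_server "$dir/ldap1.pem" "$referral"
    check_server "$dir/ldap2.pem" "$referral" || true
    rm -rf "$dir"
}
demo
```

The second constructed certificate fails because its only SAN is the individual server name, which is the case a client following the referral to the LB/VIP would reject.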