Thanks, I stumbled upon a solution yesterday, which was to change the LDAP search base to cn=compat,dc=ipa,dc=localdomain (from dc=ipa,dc=localdomain). The curious thing is that "dc=ipa,dc=localdomain" as the search base was working before the RHEL8 patch cycle. Wondering if that was a bug that made our lookups work as a fluke, or is it a new thing that cn=compat needs to be explicitly specified?

Thanks!

On Tue, Nov 22, 2022 at 8:08 PM Alexander Bokovoy <abokovoy@redhat.com> wrote:

This looks like you are relying on the compat tree functionality to
represent AD users in the compat tree (cn=compat,$BASEDN). Compat tree
is using SSSD on IPA master to resolve these requests so there should be
traces of those operations, if it succeeded/failed. Raise debug logs in
SSSD to see those.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland