Thanks, I have stumbled upon a solution yesterday, which was to change the ldap search base to cn=compat,dc=ipa,dc=localdomain (from dc=ipa,dc=localdomain). The curious thing is "dc=ipa,dc=localdomain" as the search base was working before the RHEL8 patch cycle. Wondering if that was a bug that made our lookups work as a fluke, or is it a new thing that cn=compat needs to be explicitly specified?
Thanks!
This looks like you are relying on the compat tree functionality for
represent AD users in the compat tree (cn=compat,$BASEDN). Compat tree
is using SSSD on IPA master to resolve these requests so there should be
traces of those operations, if it succeeded/failed. Raise debug logs in
SSSD to see those.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland