On Mon, Oct 02, 2017 at 07:14:53PM +0000, Jeff White wrote:
> That seems to fix the issue. I'm not sure why, but it does. I guess the
> LDAP server could refer to another server or domain by a name not included
> in the cert? Even with logging turned way up I could not find any entry
> that said that though. I may be stuck with using this and other kludges in
> sssd.conf since it doesn't appear to log what actually happened to cause the
> failure.
AD uses referrals quite aggressively, and at the same time the referral
handling in OpenLDAP is not super-fast. I don't know exactly why the
referrals would cause a TLS failure; I suspect some of the servers an
entry referred to were simply not reachable from your client.

BTW, disabling referrals is also suggested in our upstream documentation:
https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html
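For reference, here is what the workaround discussed above looks like in an sssd.conf domain section using the plain LDAP provider against AD. This is an added example, not a configuration posted by either participant or taken from the SSSD project; the domain name, server URI, search base, bind account and CA bundle path are placeholders and must be replaced with your own values.

```ini
# /etc/sssd/sssd.conf (added example; placeholder values)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap

# Placeholder: point at the DC(s) whose certificate names you trust.
ldap_uri = ldaps://dc1.example.com
ldap_search_base = dc=example,dc=com

# AD-specific schema and automatic SID-to-UID/GID mapping.
ldap_schema = ad
ldap_id_mapping = True

# Placeholder bind account for the lookup connection.
ldap_default_bind_dn = cn=sssd-bind,cn=Users,dc=example,dc=com
ldap_default_authtok = REPLACE_ME

# Keep strict certificate checking; with "demand" a referral to a host
# whose name is not in the certificate (or that is unreachable) will fail.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# The workaround from this thread: do not chase AD referrals at all.
# Also recommended in docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html
# because OpenLDAP referral chasing is slow against AD.
ldap_referrals = False

# Raise while troubleshooting; lower again once the domain is stable.
debug_level = 6
```

To confirm that referral chasing is what fails, the same search can be repeated from the client with OpenLDAP's ldapsearch, once without and once with `-C` (chase referrals) over TLS (`-ZZ`); a connection that succeeds only without `-C` points at the referred-to servers rather than at the server you configured.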