To summarize the result of the log investigation by Sumit and further tests by me:
sssd 1.16 introduced an LDAP query for a user node with a specific certificate and uses the
certificate as the search filter. This LDAP query is not RFC-compliant, but OpenLDAP is,
so the query fails if an OpenLDAP server is used as the id provider. It may fail with
other RFC-compliant LDAP servers. It won't fail with 389 Server, as the schema used by
this server treats the userCertificate as a simple octet string.
sssd uses the certificate as an octet string to match, but the correct syntax of the
userCertificate attribute in a user node is defined in RFC 452, and OpenLDAP delivers a
compliant implementation. Here one cannot search for a certificate by simply giving the
octets of the certificate as the search filter. One has to extract the issuer and
serial number of the certificate and then search using an RFC-compliant filter:
(userCertificate;binary = { serialNumber 0x...., issuer='CN=..., O=..., ...' }).
I suggest introducing a configuration flag rfc452 (or something) for sssd.conf which
should cause sssd to use an RFC-compliant filter.
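As an added example (not code from this thread and not sssd's own code), the following Python builds both filter shapes the message contrasts: the plain octet-string match on the raw DER, and a certificateExactAssertion built from the certificate's issuer and serial number. To run offline it uses a small hand-rolled DER encoder/reader and a constructed toy certificate instead of the `cryptography` library; the assertion spelling `{ serialNumber ..., issuer rdnSequence:"..." }` is the GSER form from RFC 4523, and the attribute name `userCertificate;binary` is taken from the message. Which assertion spellings a particular server accepts is an assumption to verify against that server's documentation.

```python
# Added example: build the two userCertificate filter shapes discussed above.
# Toy DER helpers only cover what an X.509 TBSCertificate prefix needs.

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU",
              "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST"}

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_encode(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(n):  # adds a leading zero byte when the top bit is set
    return der_encode(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out

def der_name(rdns):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }
    return der_encode(0x30, b"".join(
        der_encode(0x31, der_encode(0x30, der_encode(0x06, encode_oid(oid))
                                    + der_encode(0x0C, val.encode("utf-8"))))
        for oid, val in rdns))

# Constructed toy issuer (DER order is least specific first: C, O, CN).
ISSUER_RDNS = [("2.5.4.6", "DE"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example CA")]
SHA256_RSA = "1.2.840.113549.1.1.11"

def build_toy_certificate(serial, issuer_rdns):
    """Constructed, unsigned stand-in for a real DER certificate (signature is dummy)."""
    tbs = (der_encode(0xA0, der_integer(2))                      # [0] version v3
           + der_integer(serial)                                  # serialNumber
           + der_encode(0x30, der_encode(0x06, encode_oid(SHA256_RSA)) + der_encode(0x05, b""))
           + der_name(issuer_rdns)                                # issuer
           + der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
           + der_name([("2.5.4.3", "alice")])                     # subject
           + der_encode(0x30, b""))                               # empty SPKI placeholder
    return der_encode(0x30, der_encode(0x30, tbs)
                      + der_encode(0x30, der_encode(0x06, encode_oid(SHA256_RSA)))
                      + der_encode(0x03, b"\x00" * 5))

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def escape_dn_value(v):  # RFC 4514 string escaping of an attribute value
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def name_to_string(name_content):
    rdns = []
    for _, rdn in children(name_content):
        atvs = []
        for _, atv in children(rdn):
            (_, oid_b), (_, val_b) = children(atv)[:2]   # string types decoded as UTF-8
            oid = decode_oid(oid_b)
            atvs.append(f"{ATTR_NAMES.get(oid, oid)}={escape_dn_value(val_b.decode('utf-8'))}")
        rdns.append("+".join(atvs))
    return ",".join(reversed(rdns))          # RFC 4514 lists the most specific RDN first

def extract_issuer_and_serial(cert_der):
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                 # optional explicit version
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return name_to_string(fields[2][1]), serial

def filter_escape(s):  # RFC 4515 escaping of an assertion value inside a filter
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in s)

def octet_string_filter(cert_der, attr="userCertificate;binary"):
    """The non-compliant shape: raw certificate bytes as the assertion value."""
    return f"({attr}=" + "".join(f"\\{b:02x}" for b in cert_der) + ")"

def exact_match_filter(cert_der, attr="userCertificate;binary"):
    """RFC 4523 certificateExactAssertion built from issuer and serial number."""
    issuer, serial = extract_issuer_and_serial(cert_der)
    assertion = f'{{ serialNumber 0x{serial:x}, issuer rdnSequence:"{issuer.replace(chr(34), chr(34) * 2)}" }}'
    return f"({attr}={filter_escape(assertion)})"

if __name__ == "__main__":
    cert = build_toy_certificate(0x1A2B3C, ISSUER_RDNS)
    print(octet_string_filter(cert)[:60] + "...")
    print(exact_match_filter(cert))
```

The interesting line for the discussion is `exact_match_filter`: it never puts the certificate bytes into the filter, only the two fields a certificateExactMatch rule is defined over, which is why a server that implements the matching rule can answer it while a raw octet comparison against an RFC-compliant userCertificate attribute cannot.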