On Mon, Oct 02, 2017 at 07:14:53PM +0000, Jeff White wrote:
> That seems to fix the issue. I'm not sure why, but it does. I guess the
> LDAP server could refer to another server or domain by a name not included
> in the cert? Even with logging turned way up I could not find any entry
> that said that though. I may be stuck with using this and other kludges in
> sssd.conf since it doesn't appear to log what actually happened to cause the
> failure.
AD uses referrals quite aggressively and at the same time, the referral handling in openldap is not super-fast. I don't know exactly why the referrals would cause a TLS failure; I suspect some of the servers an entry referred to were simply not reachable from your client.

btw disabling referrals is also suggested in our upstream documentation:
https://docs.pagure.org/SSSD.sssd/users/ldap_with_ad.html

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
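As an added example (not from either poster), here is the check I would run from the client to confirm the "unreachable referral target" theory, since sssd itself does not log it: collect the `ref:` lines an AD domain controller returns to an `ldapsearch` over the domain head, extract the host/port of each referral, and try a plain TCP connect to each. The LDIF below is constructed, not captured from a real server; the corresponding sssd.conf setting from the linked upstream page is `ldap_referrals = False` in the `[domain/...]` section.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample of the "ref:" lines an AD DC typically returns for a
# subtree search over the domain head (ForestDnsZones, DomainDnsZones,
# Configuration, child domains). Replace with real ldapsearch output.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: DC=example,DC=com
objectClass: domainDNS

ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com
ref: ldap://example.com/CN=Configuration,DC=example,DC=com
ref: ldaps://child.example.com:3269/DC=child,DC=example,DC=com
"""

REF_LINE = re.compile(r"^ref:\s*(\S+)", re.MULTILINE)


def referral_targets(ldif_text):
    """Return distinct (host, port) pairs named by ref: lines, in order.

    urlsplit lowercases the hostname; the default port follows the scheme
    (636 for ldaps, 389 for ldap) unless the URI carries an explicit one.
    """
    targets = []
    for uri in REF_LINE.findall(ldif_text):
        parts = urlsplit(uri)
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        pair = (parts.hostname, port)
        if pair not in targets:
            targets.append(pair)
    return targets


def check_reachability(targets, timeout=3.0):
    """TCP-connect to each target; map target -> None (ok) or error text."""
    results = {}
    for host, port in targets:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[(host, port)] = None
        except OSError as exc:  # DNS failure, refused, timeout, etc.
            results[(host, port)] = str(exc)
    return results


if __name__ == "__main__":
    # With real output, any target reporting an error is a referral that sssd
    # (via openldap) would chase and fail on without saying so in its logs.
    for target, err in check_reachability(referral_targets(SAMPLE_LDAPSEARCH_OUTPUT)).items():
        print("%s:%d -> %s" % (target[0], target[1], err or "reachable"))
```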