[CentOS] SSSD and cache persistence

Tue Aug 7 08:04:50 UTC 2018
Pete Biggs <pete at biggs.org.uk>

> If the cache is invalid SSS will, obviously, go back to the source and
> return the information there, however, bizarrely, if the original
> source doesn't have the information (like when a user is deleted) the
> cached information is still returned. That cached information is
> retained for ever it seems so my supposedly deleted user accounts still
> appear to be active on the machines.

OK. The underlying problem wasn't specifically the cache.  But it
appears that an update to SSSD/LDAP has introduced the "feature" of not
believing self-signed certificates, even if the CA for those
certificates is in place on the host. It used to work, but now doesn't.

The consequence of this is that the connection to the LDAP server fails
and it falls back to the cache contents, even if the cache is marked

Setting "ldap_tls_reqcert = never" in sssd.conf fixed it - it still
encrypts, but the certificate isn't checked.

This is not a cue for a diatribe about how self-signed certificates are
bad and how easy it is to get a real SSL certificate. There are
reasons. It's just annoying that something that used to work, and was a
perfectly correct thing to do, has now been broken.
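An added configuration audit, not part of Pete's post or of SSSD itself, that flags the `ldap_tls_reqcert = never` workaround described above (and plain `ldap://` without STARTTLS) in an sssd.conf so it can be spotted and reverted once the CA trust problem is fixed; the sample file, domain names and paths are constructed.

```python
import configparser
from io import StringIO

# Constructed sample sssd.conf (not from the post): "corp" keeps the default
# ldap_tls_reqcert (demand), "lab" carries the workaround from the post.
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp, lab
services = nss, pam

[domain/corp]
id_provider = ldap
ldap_uri = ldaps://ldap.corp.example
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem

[domain/lab]
id_provider = ldap
ldap_uri = ldap://ldap.lab.example
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
"""

# ldap_tls_reqcert values that let a connection proceed with an unverified
# (or absent) server certificate; "try" and "demand" still reject bad certs.
WEAK_REQCERT = {"never", "allow"}


def audit_sssd_tls(conf_text):
    """Return {domain: [findings]} for every LDAP id_provider domain.

    An empty list means the domain's TLS settings verify the server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(StringIO(conf_text))
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ldap":
            continue
        domain = section[len("domain/"):]
        problems = []
        # SSSD's documented default for ldap_tls_reqcert is "demand".
        reqcert = cp.get(section, "ldap_tls_reqcert", fallback="demand").strip().lower()
        if reqcert in WEAK_REQCERT:
            problems.append(f"ldap_tls_reqcert = {reqcert}: server certificate not verified")
        uri = cp.get(section, "ldap_uri", fallback="")
        start_tls = cp.getboolean(section, "ldap_id_use_start_tls", fallback=False)
        if uri.startswith("ldap://") and not start_tls:
            problems.append("ldap:// without ldap_id_use_start_tls: cleartext LDAP")
        findings[domain] = problems
    return findings
```

Run it against `/etc/sssd/sssd.conf` (root-readable) to list domains that currently trust whatever certificate the LDAP server presents.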