>> If the cache is invalid SSS will, obviously, go back to the source and
>> return the information there, however, bizarrely, if the original
>> source doesn't have the information (like when a user is deleted) the
>> cached information is still returned. That cached information is
>> retained forever it seems so my supposedly deleted user accounts still
>> appear to be active on the machines.
>>
>
> OK. The underlying problem wasn't specifically the cache. But it
> appears that an update to SSSD/LDAP has introduced the "feature" of not
> believing self-signed certificates, even if the CA for those
> certificates is in place on the host. It used to work, but now doesn't.
>
> The consequence of this is that the connection to the LDAP server fails
> and it falls back to the cache contents, even if the cache is marked
> invalid.
>
> Setting "ldap_tls_reqcert = never" in sssd.conf fixed it - it still
> encrypts, but the certificate isn't checked.
>
> This is not a cue for a diatribe about how self-signed certificates are
> bad and how easy it is to get a real SSL certificate. There are
> reasons. It's just annoying that something that used to work, and was a
> perfectly correct thing to do, has now been broken.

I think I've been hit by a similar problem but in my case it was with using
socat OPENSSL-CONNECT. Once the old self-signed certificates expired, I
recreated them, but still the connection would fail. It did so until I
specified "verify=0" to socat OPENSSL-CONNECT and it worked again.

Simon
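As an added illustration (not from the thread), here is the sssd.conf workaround the thread describes next to a variant that keeps certificate checking on by naming the CA file explicitly instead of relying on the host trust store; the domain name, hostname and file path are assumed.

```ini
# /etc/sssd/sssd.conf (domain section name, hostname and CA path are assumed)
[domain/example]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com

# Workaround from the thread: the TLS session is still encrypted, but the
# server certificate is never validated, so any host answering on the LDAP
# port is accepted as the directory. Left commented out in favour of the
# verified variant below.
#ldap_tls_reqcert = never

# Keep verification: require a valid certificate and point SSSD at the PEM
# file holding the issuing CA. For a certificate that signs itself, that
# file can simply contain the server certificate.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/ldap-ca.pem
```

socat's OPENSSL options have the same pair of controls: `verify=0` switches checking off, while `cafile=<pem>` together with `verify=1` keeps it on against a self-signed or private-CA certificate.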