[CentOS] SSSD and cache persistence

Wed Aug 8 05:25:01 UTC 2018
Simon Matter <simon.matter at invoca.ch>

>
>> If the cache is invalid SSS will, obviously, go back to the source and
>> return the information there, however, bizarrely, if the original
>> source doesn't have the information (like when a user is deleted) the
>> cached information is still returned. That cached information is
>> retained for ever it seems so my supposedly deleted user accounts still
>> appear to be active on the machines.
>>
>
> OK. The underlying problem wasn't specifically the cache.  But it
> appears that an update to SSSD/LDAP has introduced the "feature" of not
> believing self-signed certificates, even if the CA for those
> certificates is in place on the host. It used to work, but now doesn't.
>
> The consequence of this is that the connection to the LDAP server fails
> and it falls back to the cache contents, even if the cache is marked
> invalid.
>
> Setting "ldap_tls_reqcert = never" in sssd.conf fixed it - it still
> encrypts, but the certificate isn't checked.
>
> This is not a cue for a diatribe about how self signed certificates are
> bad and how easy it is to get a real SSL certificate. There are
> reasons. It's just annoying that something that used to work, was a
> perfectly correct thing to do, has now been broken.

I think I've been hit by a similar problem but in my case it was with
using socat OPENSSL-CONNECT. Once the old self signed certificates
expired, I recreated them but still, the connection would fail. It did so
until I specified "verify=0" to socat OPENSSL-CONNECT and it worked again.

Simon