The client provided a CA cert, which, once put into the keystore, worked consistently in allowing the LDAP Sync to work, including users, groups and memberships. Thanks so much, Paul, for your help in resolving this issue! It is worth mentioning that in the course of troubleshooting this, we also found that the keystore pointed to by ambari-server can only make use of a single cert, and its alias must be 'root'. As well, if your ambari server is running as a user other than root, it must be given permission to read the keystore file (e.g. if the keystore was created by the root user). Thanks again!
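An added check that is not part of the post above: it verifies a truststore against the two constraints the poster reports (exactly one entry, aliased 'root') by parsing the text of `keytool -list`, so the rule can be exercised on constructed listings before touching a live Ambari host. The `keytool -list` line format and the sample listings are assumptions made for this example.

```shell
# Added example, not from the post. Sanity-check an Ambari truststore
# against the constraints reported above: exactly one entry, alias 'root'.

# Return 0 if the listing shows exactly one entry and it is a trusted
# certificate aliased 'root'. keytool prints one line per entry as
# "<alias>, <date>, <entry type>," (assumed format).
check_truststore_listing() {
  listing="$1"
  entries=$(printf '%s\n' "$listing" | grep -c 'Entry,*$') || true
  root_entries=$(printf '%s\n' "$listing" | grep -c '^root, .*trustedCertEntry') || true
  [ "$entries" -eq 1 ] && [ "$root_entries" -eq 1 ]
}

# Wrap the real call (needs keytool on PATH and the truststore password).
check_ambari_truststore() {
  keystore="$1"
  storepass="$2"
  check_truststore_listing "$(keytool -list -keystore "$keystore" -storepass "$storepass" 2>/dev/null)"
}

# Constructed sample listings: the working case and the two failure modes
# the post describes (wrong alias, more than one cert in the keystore).
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

root, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC'

WRONG_ALIAS='Your keystore contains 1 entry

ldapca, Jan 1, 2020, trustedCertEntry,'

TWO_ENTRIES='Your keystore contains 2 entries

root, Jan 1, 2020, trustedCertEntry,
other, Jan 1, 2020, trustedCertEntry,'

# Usage on a host: check_ambari_truststore /path/to/truststore.jks changeit
```

Run `check_ambari_truststore <keystore> <password>` as the same OS user ambari-server runs as; a failure to open the file there also surfaces the read-permission problem the post mentions.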