FreeIPA client sssd not using LDAPS

1

No matter what I try, I can't get sssd to connect to my ldap / FreeIPA server via LDAPS / 636. Checking the debug output shows that sssd is reporting it should be using 636 ... however, packet captures and lsof show otherwise.

The client is RHEL6.4, sssd 1.9.2, ipa-client 3.0.0

snippet of the sssd logs

(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'resolving name'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in DNS
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'name resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipaclient01.int.example.net
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [child_sig_handler] (0x0100): child [30466] finished successfully.
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.

from sssd.conf

[domain/int.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = int.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient01.int.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.int.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = int.example.net
    
by Nick R 23.04.2014 / 15:57

1 answer

2

SSSD communicates with FreeIPA over port 389. However, it always sends the STARTTLS command (see the ldap_tls_cacert option) first (related question on stackoverflow) to start the TLS / SSL connection; it does not perform authentication over unencrypted channels.

Related information in man sssd-ldap, which also applies to the IPA provider:

   LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is
   required.  sssd does not support authentication over an unencrypted channel.
    
by 24.04.2014 / 07:02
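The answer's claim can be checked on the wire: on port 389 the first thing the client sends should be an LDAP ExtendedRequest carrying the STARTTLS OID 1.3.6.1.4.1.1466.20037, after which the stream turns into TLS records and nothing readable follows. The script below is an added example, not code from the question, the answer or the SSSD project: it decodes the BER framing of LDAPMessages (RFC 4511) from a raw client-to-server byte stream and reports whether any bind was sent before STARTTLS. The two sample streams, the DN and the password in them are constructed placeholders, not a real capture; in practice you would feed it the reassembled client payload of the TCP session taken from a packet capture.

```python
"""Classify LDAP operations in a captured client->server byte stream on port 389
and confirm that STARTTLS precedes any bind (so no credentials cross in clear).
Added example; BER layout per RFC 4511, sample traffic constructed by hand."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 section 4.14.1

TAG_SEQUENCE = 0x30          # LDAPMessage ::= SEQUENCE
TAG_INTEGER = 0x02           # messageID / version
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0] constructed
TAG_SEARCH_REQUEST = 0x63    # [APPLICATION 3] constructed
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23] constructed
TLS_HANDSHAKE_BYTE = 0x16    # first byte of a TLS record carrying a handshake


def ber_encode(tag, value):
    """Encode one BER TLV in definite-length form (used to build sample input)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def ber_decode(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long form: next (first & 0x7F) bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def describe_op(tag, body):
    """Turn one protocolOp into a short human-readable label."""
    if tag == TAG_EXTENDED_REQUEST:
        name_tag, oid, _ = ber_decode(body)          # requestName [0] LDAPOID
        if name_tag == 0x80 and oid == STARTTLS_OID:
            return "STARTTLS request"
        return "extended request %s" % oid.decode("ascii", "replace")
    if tag == TAG_BIND_REQUEST:
        _, _version, pos = ber_decode(body)
        _, name, pos = ber_decode(body, pos)
        auth_tag, _, _ = ber_decode(body, pos)
        who = name.decode("utf-8", "replace") or "<anonymous>"
        if auth_tag == 0x80:                         # simple [0] OCTET STRING: password in clear
            return "simple bind as %s" % who
        if auth_tag == 0xA3:                         # sasl [3] SaslCredentials (e.g. GSSAPI)
            return "SASL bind as %s" % who
        return "bind (unknown auth choice 0x%02x)" % auth_tag
    if tag == TAG_SEARCH_REQUEST:
        return "search request"
    return "op tag 0x%02x" % tag


def classify_stream(payload):
    """Walk the LDAPMessages in a client->server stream. Stops at the first TLS
    record, because after a successful STARTTLS the rest is encrypted and is no
    longer parseable as LDAP. Returns a list of (messageID, description)."""
    seen, pos = [], 0
    while pos < len(payload):
        if payload[pos] == TLS_HANDSHAKE_BYTE:
            seen.append((None, "TLS handshake; rest of stream encrypted"))
            break
        tag, msg, pos = ber_decode(payload, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("not an LDAPMessage at offset %d" % pos)
        _, msgid, p = ber_decode(msg)
        op_tag, op_body, _ = ber_decode(msg, p)
        seen.append((int.from_bytes(msgid, "big"), describe_op(op_tag, op_body)))
    return seen


def binds_are_protected(seen):
    """True when no bind of any kind is sent before STARTTLS / the TLS handshake."""
    for _, desc in seen:
        if desc.startswith("STARTTLS") or desc.startswith("TLS handshake"):
            return True
        if "bind" in desc:
            return False
    return True


def ldap_message(msgid, op):
    return ber_encode(TAG_SEQUENCE, ber_encode(TAG_INTEGER, bytes([msgid])) + op)


# Constructed sample traffic (placeholder DN and password, not a real capture).
STARTTLS_MSG = ldap_message(1, ber_encode(TAG_EXTENDED_REQUEST, ber_encode(0x80, STARTTLS_OID)))
SIMPLE_BIND_MSG = ldap_message(2, ber_encode(
    TAG_BIND_REQUEST,
    ber_encode(TAG_INTEGER, b"\x03")
    + ber_encode(0x04, b"uid=nick,cn=users,cn=accounts,dc=int,dc=example,dc=net")
    + ber_encode(0x80, b"placeholder-password")))
# What sssd is expected to do: STARTTLS, then a (fake, truncated) TLS ClientHello record.
GOOD_STREAM = STARTTLS_MSG + bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
# What must never appear on 389: a simple bind, then a search, all in clear.
BAD_STREAM = SIMPLE_BIND_MSG + ldap_message(3, ber_encode(TAG_SEARCH_REQUEST, b""))

if __name__ == "__main__":
    for label, stream in (("expected", GOOD_STREAM), ("cleartext", BAD_STREAM)):
        ops = classify_stream(stream)
        print(label, ops, "protected" if binds_are_protected(ops) else "UNPROTECTED")
```

Seeing only a STARTTLS request followed by a TLS handshake on port 389 is the normal picture for this sssd.conf; a simple bind showing up before the handshake would be the actual problem to chase, and is what the SASL/GSSAPI line in the question's log rules out here.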