Hi, 

Using openldap-2.4.39.  
Just want to confirm that its normal behaviour for ldapsearch(CLI) to fail on the first attempt and not  to use the next server in URI setting? 
I can see the SSSD handles TLS failure better by querying the next server in the URI. 

Cheers,