When you set password cache to false, moving the backend to offine causes CCID auth to fail. This is despite the presence of userCertificate in cache.ldb.
This should not occur - userCertificate should always be cached and available regardless of the state of the password.
sssd-1.16.2-1.1.x86_64 openSUSE tumbleweed
to comment on this ticket.
Copyright © 2014-2018 Red Hat
4.0.4 — Documentation