- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Fully Compatible
- Security 2023-09-04, Security 2023-09-18, Security 2023-10-02
The LDAP DNS cache only caches addresses resolved from SRV records, not from A records. If the IP addresses presented in A records were cached and connected to directly, TLS could fail, because the subject of the remote host's certificate will usually correspond to the domain name and not name the resolved IP address, producing a subject name mismatch.
However, mongoldap can print the output of the DNS lookup and run a connectivity test against each of those resolved records, including the ones from A records. It can also make a best-effort TLS connection and swallow subject name mismatch errors when the presented certificate's subject matches the domain that the IP address was resolved from.
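The mechanism described above, as an added example that is not mongoldap's code: DNS answers are expanded into concrete probe targets that remember the hostname each IP was resolved from, and certificate matching is done against that hostname rather than against the IP literal. The domain, SRV/A answers and SAN lists below are constructed sample data; `LDAPS_PORT`, `plan_targets`, `dns_name_matches`, `cert_matches` and `tls_probe` are names chosen for this example.

```python
"""Connectivity test for LDAP hosts resolved via SRV and A records.

Added example, not mongoldap's implementation. Shows why verifying a
certificate against an A-record IP fails when the certificate was issued to
the domain, and the fix: verify against the name the IP was resolved from.
"""
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

LDAPS_PORT = 636  # assumed default port for A-record targets that carry no SRV port


@dataclass(frozen=True)
class Target:
    ip: str
    port: int
    verify_name: str  # DNS name the certificate must match (also sent as SNI)
    source: str       # "SRV" or "A": which record type produced this target


def plan_targets(domain: str,
                 srv_records: Sequence[Tuple[str, int]],
                 a_records: Dict[str, Sequence[str]]) -> List[Target]:
    """Expand DNS answers into (ip, port) probes.

    Each target keeps the hostname it was resolved from so the TLS layer can
    verify the certificate against that name instead of the bare IP address.
    """
    targets: List[Target] = []
    for host, port in srv_records:               # SRV target -> its A records
        for ip in a_records.get(host, ()):
            targets.append(Target(ip, port, host, "SRV"))
    for ip in a_records.get(domain, ()):         # the domain's own A records
        targets.append(Target(ip, LDAPS_PORT, domain, "A"))
    return targets


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard may only be the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # wildcard covers exactly one label, never a whole public suffix
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(san_dns: Sequence[str], san_ip: Sequence[str], verify_name: str) -> bool:
    """Decide whether a certificate's SANs cover the name being verified.

    An IP literal is matched only against iPAddress SANs and a DNS name only
    against dNSName SANs, which is exactly why connecting to an A-record IP and
    verifying against that IP fails for a certificate issued to the domain.
    """
    try:
        ip = ipaddress.ip_address(verify_name)
    except ValueError:
        return any(dns_name_matches(p, verify_name) for p in san_dns)
    return any(ipaddress.ip_address(s) == ip for s in san_ip)


def tls_probe(target: Target, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to target.ip:target.port and verify the cert against target.verify_name.

    Real network call, not exercised by the offline checks. Python's ssl module
    performs the hostname match itself once server_hostname is supplied.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((target.ip, target.port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=target.verify_name) as tls:
                return True, f"{target.source} {target.ip}:{target.port} ok ({tls.version()})"
    except ssl.SSLCertVerificationError as exc:
        return False, f"{target.ip}: certificate does not match {target.verify_name!r}: {exc.verify_message}"
    except OSError as exc:
        return False, f"{target.ip}: {exc}"


# Constructed sample DNS answers for a hypothetical directory domain.
SAMPLE_DOMAIN = "ad.example.com"
SAMPLE_SRV = [("dc1.ad.example.com", 636), ("dc2.ad.example.com", 636)]
SAMPLE_A = {
    "dc1.ad.example.com": ["10.0.0.11"],
    "dc2.ad.example.com": ["10.0.0.12"],
    "ad.example.com": ["10.0.0.11", "10.0.0.12"],
}
# Constructed SANs of the certificate the directory servers present: DNS names only.
SAMPLE_SAN_DNS = ["*.ad.example.com", "ad.example.com"]
SAMPLE_SAN_IP: List[str] = []


def demo() -> Dict[str, bool]:
    """For every target: verifying as the IP literal fails, as the resolved name succeeds."""
    results: Dict[str, bool] = {}
    for t in plan_targets(SAMPLE_DOMAIN, SAMPLE_SRV, SAMPLE_A):
        results[f"{t.source}:{t.ip} as {t.ip}"] = cert_matches(SAMPLE_SAN_DNS, SAMPLE_SAN_IP, t.ip)
        results[f"{t.source}:{t.ip} as {t.verify_name}"] = cert_matches(SAMPLE_SAN_DNS, SAMPLE_SAN_IP, t.verify_name)
    return results


if __name__ == "__main__":
    for key, ok in demo().items():
        print(f"{key}: {'match' if ok else 'MISMATCH'}")
```

Running the module prints one MISMATCH line per target when the IP literal is used as the verification name and one match line when the resolved hostname is used; `tls_probe` applies the same rule to a live connection by handing the resolved hostname to `wrap_socket` as `server_hostname`.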