Fix sssd.conf to always have IPA certificate for the domain.ticket-1476

Fixes https://fedorahosted.org/freeipa/ticket/1476 SSSD will need TLS for checking if ipaMigrationEnabled attribute is set Note that SSSD will force StartTLS because the channel is later used for authentication as well if password migration is enabled. Thus set the option unconditionally.
author: Alexander Bokovoy <abokovoy@redhat.com> 2011-07-19 16:07:05 +0300
committer: Alexander Bokovoy <abokovoy@redhat.com> 2011-07-19 16:07:05 +0300
commit: f80ccb1a3c85afd8d5aa03191ef5c323a35293de (patch)
tree: a86a1ec9a24d8946e83d7f807328bb6c810b7f99
parent: c1f5dadc4e9c5ed0c9c1a132c4fe5c66b0244882 (diff)
download: freeipa-ticket-1476.tar.gz
freeipa-ticket-1476.tar.xz
freeipa-ticket-1476.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 07459bfd6..4610583d7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -550,6 +550,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 
     domain.set_option('cache_credentials', True)
 
+    # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+    # Note that SSSD will force StartTLS because the channel is later used for
+    # authentication as well if password migration is enabled. Thus set the option
+    # unconditionally.
+    domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')
+
     if options.dns_updates:
         domain.set_option('ipa_dyndns_update', True)
     if options.krb5_offline_passwords:
author	Alexander Bokovoy <abokovoy@redhat.com>	2011-07-19 16:07:05 +0300
committer	Alexander Bokovoy <abokovoy@redhat.com>	2011-07-19 16:07:05 +0300
commit	f80ccb1a3c85afd8d5aa03191ef5c323a35293de (patch)
tree	a86a1ec9a24d8946e83d7f807328bb6c810b7f99
parent	c1f5dadc4e9c5ed0c9c1a132c4fe5c66b0244882 (diff)
download	freeipa-ticket-1476.tar.gz freeipa-ticket-1476.tar.xz freeipa-ticket-1476.zip