authorAlexander Bokovoy <abokovoy@redhat.com>2011-07-19 16:07:05 +0300
committerAlexander Bokovoy <abokovoy@redhat.com>2011-07-19 16:07:05 +0300
commitf80ccb1a3c85afd8d5aa03191ef5c323a35293de (patch)
treea86a1ec9a24d8946e83d7f807328bb6c810b7f99
parentc1f5dadc4e9c5ed0c9c1a132c4fe5c66b0244882 (diff)
Fix sssd.conf to always have IPA certificate for the domain.ticket-1476
Fixes https://fedorahosted.org/freeipa/ticket/1476. SSSD will need TLS for checking whether the ipaMigrationEnabled attribute is set. Note that SSSD will force StartTLS because the channel is later used for authentication as well if password migration is enabled. Thus the option is set unconditionally.
-rwxr-xr-xipa-client/ipa-install/ipa-client-install6
1 files changed, 6 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 07459bf..4610583 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -550,6 +550,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
domain.set_option('cache_credentials', True)
+ # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+ # Note that SSSD will force StartTLS because the channel is later used for
+ # authentication as well if password migration is enabled. Thus set the option
+ # unconditionally.
+ domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')
+
if options.dns_updates:
domain.set_option('ipa_dyndns_update', True)
if options.krb5_offline_passwords:
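Review bot: Setting `ldap_tls_cacert` here only protects the StartTLS channel if SSSD actually validates the server certificate against that file, and the hunk leaves the validation level to whatever `ldap_tls_reqcert` defaults to. Since the added comment says this channel also carries authentication when password migration is enabled, I would pin it next to the new line with `domain.set_option('ldap_tls_reqcert', 'demand')`. The path `/etc/ipa/ca.crt` is also a bare literal with no check that the file is present when the config is written; whether an earlier step guarantees that is not visible, because the body of configure_sssd_conf starts and ends outside the hunk.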