summaryrefslogtreecommitdiffstats
path: root/ipa-client/ipa-install
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2011-07-19 16:07:05 +0300
committerRob Crittenden <rcritten@redhat.com>2011-07-18 19:42:04 -0400
commit1b4aaf5756b490f5cacb89b4010d0d0803bfbf3d (patch)
tree9e1277a817fb8468b5111d4ef9d9d754ff2753c7 /ipa-client/ipa-install
parenta00b03831b6a7ccb87d58c92c1072c586889508e (diff)
downloadfreeipa-1b4aaf5756b490f5cacb89b4010d0d0803bfbf3d.tar.gz
freeipa-1b4aaf5756b490f5cacb89b4010d0d0803bfbf3d.tar.xz
freeipa-1b4aaf5756b490f5cacb89b4010d0d0803bfbf3d.zip
Fix sssd.conf to always have IPA certificate for the domain.
Fixes https://fedorahosted.org/freeipa/ticket/1476 SSSD will need TLS for checking if ipaMigrationEnabled attribute is set Note that SSSD will force StartTLS because the channel is later used for authentication as well if password migration is enabled. Thus set the option unconditionally.
Diffstat (limited to 'ipa-client/ipa-install')
-rwxr-xr-xipa-client/ipa-install/ipa-client-install6
1 files changed, 6 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 07459bfd6..4610583d7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -550,6 +550,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
domain.set_option('cache_credentials', True)
+ # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+ # Note that SSSD will force StartTLS because the channel is later used for
+ # authentication as well if password migration is enabled. Thus set the option
+ # unconditionally.
+ domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')
+
if options.dns_updates:
domain.set_option('ipa_dyndns_update', True)
if options.krb5_offline_passwords: