From f80ccb1a3c85afd8d5aa03191ef5c323a35293de Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 19 Jul 2011 16:07:05 +0300
Subject: Fix sssd.conf to always have IPA certificate for the domain.

Fixes https://fedorahosted.org/freeipa/ticket/1476

SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
Note that SSSD will force StartTLS because the channel is later used for
authentication as well if password migration is enabled. Thus set the option
unconditionally.
---
 ipa-client/ipa-install/ipa-client-install | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 07459bfd6..4610583d7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -550,6 +550,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 
     domain.set_option('cache_credentials', True)
 
+    # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+    # Note that SSSD will force StartTLS because the channel is later used for
+    # authentication as well if password migration is enabled. Thus set the option
+    # unconditionally.
+    domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')
+
     if options.dns_updates:
         domain.set_option('ipa_dyndns_update', True)
     if options.krb5_offline_passwords:
-- 
cgit