From 1b4aaf5756b490f5cacb89b4010d0d0803bfbf3d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 19 Jul 2011 16:07:05 +0300
Subject: Fix sssd.conf to always have IPA certificate for the domain.

Fixes https://fedorahosted.org/freeipa/ticket/1476

SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
Note that SSSD will force StartTLS because the channel is later used for
authentication as well if password migration is enabled. Thus set the option
unconditionally.
---
 ipa-client/ipa-install/ipa-client-install | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'ipa-client/ipa-install/ipa-client-install')

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 07459bfd6..4610583d7 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -550,6 +550,12 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
 
     domain.set_option('cache_credentials', True)
 
+    # SSSD will need TLS for checking if ipaMigrationEnabled attribute is set
+    # Note that SSSD will force StartTLS because the channel is later used for
+    # authentication as well if password migration is enabled. Thus set the option
+    # unconditionally.
+    domain.set_option('ldap_tls_cacert', '/etc/ipa/ca.crt')
+
     if options.dns_updates:
         domain.set_option('ipa_dyndns_update', True)
     if options.krb5_offline_passwords:
-- 
cgit